AWS bedrock-agentcore medium security documentation change
Summary
Removed IAM trust policy example for Bedrock AgentCore Browser observability role
Security assessment
Deleted policy enforced source account/ARN validation for service principal assumption. Removal eliminates guidance for proper role delegation security, potentially allowing broader role assumption if not properly configured.
Diff
diff --git a/bedrock-agentcore/latest/devguide/browser-observability.md b/bedrock-agentcore/latest/devguide/browser-observability.md index 0f2b3b631..e4bd5095e 100644 --- a//bedrock-agentcore/latest/devguide/browser-observability.md +++ b//bedrock-agentcore/latest/devguide/browser-observability.md @@ -96,28 +95,0 @@ Following is the trust policy for the role ARN. -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "BedrockAgentCoreBuiltInTools", - "Effect": "Allow", - "Principal": { - "Service": "bedrock-agentcore.amazonaws.com" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "{{accountId}}" - }, - "ArnLike": { - "aws:SourceArn": "arn:aws:bedrock-agentcore:{{region}}:{{accountId}}:*" - } - } - }] - } - -