AWS bedrock-agentcore medium security documentation change
Summary
Removed IAM policy and trust policy examples for Browser resource management
Security assessment
Deleted policies controlled critical session management permissions and role assumption conditions. Removal could lead to overprivileged access to browser automation resources if equivalent policies aren't implemented.
Diff
diff --git a/bedrock-agentcore/latest/devguide/browser-resource-session-management.md b/bedrock-agentcore/latest/devguide/browser-resource-session-management.md index 1b03dd3bc..98ef54d28 100644 --- a//bedrock-agentcore/latest/devguide/browser-resource-session-management.md +++ b//bedrock-agentcore/latest/devguide/browser-resource-session-management.md @@ -17,32 +16,0 @@ To use the Amazon Bedrock AgentCore Browser, you need the following permissions -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "BedrockAgentCoreInBuiltToolsFullAccess", - "Effect": "Allow", - "Action": [ - "bedrock-agentcore:CreateBrowser", - "bedrock-agentcore:ListBrowsers", - "bedrock-agentcore:GetBrowser", - "bedrock-agentcore:DeleteBrowser", - "bedrock-agentcore:StartBrowserSession", - "bedrock-agentcore:ListBrowserSessions", - "bedrock-agentcore:GetBrowserSession", - "bedrock-agentcore:StopBrowserSession", - "bedrock-agentcore:UpdateBrowserStream", - "bedrock-agentcore:ConnectBrowserAutomationStream", - "bedrock-agentcore:ConnectBrowserLiveViewStream" - ], - "Resource": "arn:aws:bedrock-agentcore:*" - } - ] - } - - @@ -70,28 +37,0 @@ You should also add the following trust policy to the execution role: -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [{ - "Sid": "BedrockAgentCoreBuiltInTools", - "Effect": "Allow", - "Principal": { - "Service": "bedrock-agentcore.amazonaws.com" - }, - "Action": "sts:AssumeRole", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "{{accountId}}" - }, - "ArnLike": { - "aws:SourceArn": "arn:aws:bedrock-agentcore:{{region}}:{{accountId}}:*" - } - } - }] - } - -