AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-08-28 · Security-related medium

File: bedrock-agentcore/latest/devguide/browser-resource-session-management.md

Summary

Removed IAM policy and trust policy examples for Browser resource management

Security assessment

Deleted policies controlled critical session management permissions and role assumption conditions. Removal could lead to overprivileged access to browser automation resources if equivalent policies aren't implemented.

Diff

diff --git a/bedrock-agentcore/latest/devguide/browser-resource-session-management.md b/bedrock-agentcore/latest/devguide/browser-resource-session-management.md
index 1b03dd3bc..98ef54d28 100644
--- a//bedrock-agentcore/latest/devguide/browser-resource-session-management.md
+++ b//bedrock-agentcore/latest/devguide/browser-resource-session-management.md
@@ -17,32 +16,0 @@ To use the Amazon Bedrock AgentCore Browser, you need the following permissions
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "BedrockAgentCoreInBuiltToolsFullAccess",
-                "Effect": "Allow",
-                "Action": [
-                    "bedrock-agentcore:CreateBrowser",
-                    "bedrock-agentcore:ListBrowsers",
-                    "bedrock-agentcore:GetBrowser",
-                    "bedrock-agentcore:DeleteBrowser",
-                    "bedrock-agentcore:StartBrowserSession",
-                    "bedrock-agentcore:ListBrowserSessions",
-                    "bedrock-agentcore:GetBrowserSession",
-                    "bedrock-agentcore:StopBrowserSession",
-                    "bedrock-agentcore:UpdateBrowserStream",
-                    "bedrock-agentcore:ConnectBrowserAutomationStream",
-                    "bedrock-agentcore:ConnectBrowserLiveViewStream"
-                ],
-                "Resource": "arn:aws:bedrock-agentcore:*"
-            }
-        ]
-    }
-    
-
@@ -70,28 +37,0 @@ You should also add the following trust policy to the execution role:
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [{
-            "Sid": "BedrockAgentCoreBuiltInTools",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "bedrock-agentcore.amazonaws.com"
-            },
-            "Action": "sts:AssumeRole",
-            "Condition": {
-                "StringEquals": {
-                    "aws:SourceAccount": "{{accountId}}"
-                },
-                "ArnLike": {
-                    "aws:SourceArn": "arn:aws:bedrock-agentcore:{{region}}:{{accountId}}:*"
-                }
-            }
-        }]
-    }
-    
-