AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-08-28 · Security-related medium

File: bedrock-agentcore/latest/devguide/gateway-add-target-lambda.md

Summary

Removed IAM policy and Lambda resource policy examples for gateway integration

Security assessment

Deleted policies enforced account/ARN validation for Lambda invocations. Removal could lead to insecure cross-account access or overly permissive function invocation if equivalent controls aren't implemented.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-add-target-lambda.md b/bedrock-agentcore/latest/devguide/gateway-add-target-lambda.md
index c468bc574..1ee22e04e 100644
--- a//bedrock-agentcore/latest/devguide/gateway-add-target-lambda.md
+++ b//bedrock-agentcore/latest/devguide/gateway-add-target-lambda.md
@@ -41,30 +40,0 @@ For Lambda function targets, your Gateway's execution role needs the `lambda:Inv
-JSON
-    
-
-****
-    
-    
-    
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "AmazonBedrockAgentCoreGatewayLambdaProd",
-          "Effect": "Allow",
-          "Action": [
-            "lambda:InvokeFunction"
-          ],
-          "Resource": [
-            "arn:aws:lambda:{{region}}:{{accountId}}:function:[[functionName]]:*"
-          ],
-          "Condition": {
-            "StringEquals": {
-              "aws:ResourceAccount": "{{accountId}}"
-            }
-          }
-        }
-      ]
-    }
-            
-    
-
@@ -73,23 +42,0 @@ JSON
-JSON
-    
-
-****
-    
-    
-    
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::{{accountId}}:role/{{GatewayExecutionRoleName}}"
-          },
-          "Action": "lambda:InvokeFunction",
-          "Resource": "arn:aws:lambda:{{region}}:{{accountId}}:function:{{functionName}}"
-        }
-      ]
-    }
-            
-    
-