AWS bedrock-agentcore medium security documentation change
Summary
Removed IAM policy and Lambda resource policy examples for gateway integration
Security assessment
Deleted policies enforced account/ARN validation for Lambda invocations. Removal could lead to insecure cross-account access or overly permissive function invocation if equivalent controls aren't implemented.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-add-target-lambda.md b/bedrock-agentcore/latest/devguide/gateway-add-target-lambda.md index c468bc574..1ee22e04e 100644 --- a//bedrock-agentcore/latest/devguide/gateway-add-target-lambda.md +++ b//bedrock-agentcore/latest/devguide/gateway-add-target-lambda.md @@ -41,30 +40,0 @@ For Lambda function targets, your Gateway's execution role needs the `lambda:Inv -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AmazonBedrockAgentCoreGatewayLambdaProd", - "Effect": "Allow", - "Action": [ - "lambda:InvokeFunction" - ], - "Resource": [ - "arn:aws:lambda:{{region}}:{{accountId}}:function:[[functionName]]:*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "{{accountId}}" - } - } - } - ] - } - - - @@ -73,23 +42,0 @@ JSON -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::{{accountId}}:role/{{GatewayExecutionRoleName}}" - }, - "Action": "lambda:InvokeFunction", - "Resource": "arn:aws:lambda:{{region}}:{{accountId}}:function:{{functionName}}" - } - ] - } - - -