AWS bedrock-agentcore medium security documentation change
Summary
Removed IAM policy and Lambda resource policy examples for gateway authentication
Security assessment
Deleted policies provided critical guidance for securing Lambda integrations, including account validation and principal restrictions. Removal increases risk of unauthorized API gateway access to backend services.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-outbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-outbound-auth.md index 3b0387bc3..3b1aa9c13 100644 --- a//bedrock-agentcore/latest/devguide/gateway-outbound-auth.md +++ b//bedrock-agentcore/latest/devguide/gateway-outbound-auth.md @@ -89,32 +88,0 @@ The execution role must have permissions to access the respective resource. For -JSON - -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AmazonBedrockAgentCoreGatewayLambdaProd", - "Effect": "Allow", - "Action": [ - "lambda:InvokeFunction" - ], - "Resource": [ - "arn:aws:lambda:{{region}}:{{accountId}}:function:[[functionName]]:*" - ], - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "{{accountId}}" - } - } - } - ] - } - - - @@ -123,25 +90,0 @@ Additionally, your Lambda function needs a resource-based policy that allows the -JSON - -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::{{accountId}}:role/{{GatewayExecutionRoleName}}" - }, - "Action": "lambda:InvokeFunction", - "Resource": "arn:aws:lambda:{{region}}:{{accountId}}:function:{{functionName}}" - } - ] - } - - -