AWS cli medium security documentation change
Summary
Added clarification about required permissions when invoking agent runtime on behalf of users
Security assessment
Explicitly documents required permissions for user delegation scenarios, addressing potential authorization gaps in previous documentation. This change helps prevent privilege escalation by clarifying necessary permissions for user-based invocations.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore/invoke-agent-runtime.md b/cli/latest/reference/bedrock-agentcore/invoke-agent-runtime.md index 5d7db4191..b59c625da 100644 --- a//cli/latest/reference/bedrock-agentcore/invoke-agent-runtime.md +++ b//cli/latest/reference/bedrock-agentcore/invoke-agent-runtime.md @@ -15 +15 @@ - * [AWS CLI 2.31.10 Command Reference](../../index.html) » + * [AWS CLI 2.31.13 Command Reference](../../index.html) » @@ -69 +69 @@ If you’re integrating your agent with OAuth, you can’t use the Amazon Web Se -To use this operation, you must have the `bedrock-agentcore:InvokeAgentRuntime` permission. +To use this operation, you must have the `bedrock-agentcore:InvokeAgentRuntime` permission. If you are making a call to `InvokeAgentRuntime` on behalf of a user ID with the `X-Amzn-Bedrock-AgentCore-Runtime-User-Id` header, You require permissions to both actions (`bedrock-agentcore:InvokeAgentRuntime` and `bedrock-agentcore:InvokeAgentRuntimeForUser` ). @@ -405 +405 @@ statusCode -> (integer) - * [AWS CLI 2.31.10 Command Reference](../../index.html) » + * [AWS CLI 2.31.13 Command Reference](../../index.html) »