AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2025-10-13 · Security-related medium

File: cli/latest/reference/bedrock-agentcore/invoke-agent-runtime.md

Summary

Added clarification about required permissions when invoking agent runtime on behalf of users

Security assessment

Explicitly documents required permissions for user delegation scenarios, addressing potential authorization gaps in previous documentation. This change helps prevent privilege escalation by clarifying necessary permissions for user-based invocations.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore/invoke-agent-runtime.md b/cli/latest/reference/bedrock-agentcore/invoke-agent-runtime.md
index 5d7db4191..b59c625da 100644
--- a//cli/latest/reference/bedrock-agentcore/invoke-agent-runtime.md
+++ b//cli/latest/reference/bedrock-agentcore/invoke-agent-runtime.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.10 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.13 Command Reference](../../index.html) »
@@ -69 +69 @@ If you’re integrating your agent with OAuth, you can’t use the Amazon Web Se
-To use this operation, you must have the `bedrock-agentcore:InvokeAgentRuntime` permission.
+To use this operation, you must have the `bedrock-agentcore:InvokeAgentRuntime` permission. If you are making a call to `InvokeAgentRuntime` on behalf of a user ID with the `X-Amzn-Bedrock-AgentCore-Runtime-User-Id` header, You require permissions to both actions (`bedrock-agentcore:InvokeAgentRuntime` and `bedrock-agentcore:InvokeAgentRuntimeForUser` ).
@@ -405 +405 @@ statusCode -> (integer)
-  * [AWS CLI 2.31.10 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.13 Command Reference](../../index.html) »