AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2025-10-16 · Documentation medium

File: bedrock-agentcore/latest/devguide/scope-credential-provider-access.md

Summary

Updated IAM policy documentation for credential provider access control with formatting changes and clarified workflow steps

Security assessment

Enhanced documentation about IAM policies for credential provider access control mechanisms (workload identity restrictions, resource-level permissions). While security-related features are documented, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/bedrock-agentcore/latest/devguide/scope-credential-provider-access.md b/bedrock-agentcore/latest/devguide/scope-credential-provider-access.md
index a8e5af33b..7120770a2 100644
--- a//bedrock-agentcore/latest/devguide/scope-credential-provider-access.md
+++ b//bedrock-agentcore/latest/devguide/scope-credential-provider-access.md
@@ -7,2 +6,0 @@ IAM policy examplesImplementation steps
-Amazon Bedrock AgentCore is in preview release and is subject to change. 
-
@@ -13 +11 @@ You can use IAM policies to control which workload identities have access to spe
-**Access control mechanisms:**
+**Access control mechanisms**
@@ -15 +13 @@ You can use IAM policies to control which workload identities have access to spe
-  * **Workload identity-based restrictions:** Limit credential provider access to specific workload identities
+  * **Workload identity-based restrictions** – Limit credential provider access to specific workload identities
@@ -17 +15 @@ You can use IAM policies to control which workload identities have access to spe
-  * **Resource-level permissions:** Control access to individual credential providers using ARN-based policies
+  * **Resource-level permissions** – Control access to individual credential providers using ARN-based policies
@@ -19 +17 @@ You can use IAM policies to control which workload identities have access to spe
-  * **Directory-level controls:** Manage access at the workload identity directory level
+  * **Directory-level controls** – Manage access at the workload identity directory level
@@ -37 +35 @@ The following examples demonstrate how to create IAM policies that restrict cred
-**Restrict API key provider access:**
+**Restrict API key provider access**
@@ -58 +56 @@ The following examples demonstrate how to create IAM policies that restrict cred
-**Restrict OAuth2 credential provider access:**
+**Restrict OAuth2 credential provider access**
@@ -79 +77 @@ The following examples demonstrate how to create IAM policies that restrict cred
-**Allow multiple workload identities access to a credential provider:**
+**Allow multiple workload identities access to a credential provider**
@@ -106 +104 @@ To implement workload identity-based access control for credential providers:
-  1. **Identify your workload identities:** Use `aws bedrock-agentcore-control list-workload-identities` to list all workload identities in your account. For information about creating and managing workload identities, see [Manage workload identities with AgentCore Identity](./identity-manage-agent-ids.html).
+  1. **Identify your workload identities** – Use `aws bedrock-agentcore-control list-workload-identities` to list all workload identities in your account. For information about creating and managing workload identities, see [Manage workload identities with AgentCore Identity](./identity-manage-agent-ids.html).
@@ -108 +106 @@ To implement workload identity-based access control for credential providers:
-  2. **Determine credential provider ARNs:** Identify the specific credential providers you want to control access to
+  2. **Determine credential provider ARNs** – Identify the specific credential providers you want to control access to
@@ -110 +108 @@ To implement workload identity-based access control for credential providers:
-  3. **Create IAM policies:** Write IAM policies that specify which workload identities can access which credential providers
+  3. **Create IAM policies** – Write IAM policies that specify which workload identities can access which credential providers
@@ -112 +110 @@ To implement workload identity-based access control for credential providers:
-  4. **Attach policies to roles:** Attach the policies to the IAM roles used by your agents or applications
+  4. **Attach policies to roles** – Attach the policies to the IAM roles used by your agents or applications
@@ -114 +112 @@ To implement workload identity-based access control for credential providers:
-  5. **Test access controls:** Verify that only authorized workload identities can access the specified credential providers
+  5. **Test access controls** – Verify that only authorized workload identities can access the specified credential providers
@@ -119 +117 @@ To implement workload identity-based access control for credential providers:
-**Best practices:**
+**Best practices**
@@ -138 +136 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Obtain access token
+OAuth 2.0 authorization URL session binding