AWS bedrock-agentcore high security documentation change
Summary
Added detailed documentation about JWT claim-based condition keys for API access control and removed preview notice
Security assessment
The change introduces multiple IAM condition keys (e.g., bedrock-agentcore:InboundJwtClaim/iss, sub, aud) that enable granular access control based on JWT claims. This directly impacts security by allowing stricter authorization policies for sensitive operations like GetWorkloadAccessTokenForJwt. The documentation explicitly describes security controls for API access.
Diff
diff --git a/bedrock-agentcore/latest/devguide/security_iam_service-with-iam.md b/bedrock-agentcore/latest/devguide/security_iam_service-with-iam.md index c18620926..78806f2e3 100644 --- a//bedrock-agentcore/latest/devguide/security_iam_service-with-iam.md +++ b//bedrock-agentcore/latest/devguide/security_iam_service-with-iam.md @@ -7,2 +6,0 @@ Identity-based policiesResource-based policiesPolicy actionsPolicy resourcesPoli -Amazon Bedrock AgentCore is in preview release and is subject to change. - @@ -108,0 +107,17 @@ To see a list of AgentCore condition keys, see [Condition Keys for Amazon Bedroc +The following condition keys are especially useful when working with Amazon Bedrock AgentCore: + + * `bedrock-agentcore:InboundJwtClaim/iss` \- You can use this condition key to restrict access to APIs that accept a JWT representing an enduser to work with specific issuer (iss) claim values present in the JWT passed in the request. You can apply this condition key to the `GetWorkloadAccessTokenForJwt` and `CompleteResourceTokenAuth` operations. + + * `bedrock-agentcore:InboundJwtClaim/sub` \- You can use this condition key to restrict access to APIs that accept a JWT to work with specific subject (sub) claim values present in the JWT passed in the request. You can apply this condition key to the `GetWorkloadAccessTokenForJwt` and `CompleteResourceTokenAuth` operations. + + * `bedrock-agentcore:InboundJwtClaim/aud` \- You can use this condition key to restrict access to APIs that accept a JWT to work with specific audience (aud) claim values present in the JWT passed in the request. You can apply this condition key to the `GetWorkloadAccessTokenForJwt` and `CompleteResourceTokenAuth` operations. + + * `bedrock-agentcore:userid` \- You can use this condition key to restrict access to APIs that accept a static user ID to work only with the defined user ID values in your policy statement. You can apply this condition key to the `GetWorkloadAccessTokenForUserId` and `CompleteResourceTokenAuth` operations. + + * `bedrock-agentcore:InboundJwtClaim/scope` \- You can use this condition key to restrict access based on the scope claim in the JWT passed in the request. + + * `bedrock-agentcore:InboundJwtClaim/client_id` \- You can use this condition key to restrict access to APIs that accept a JWT to work with specific `client_id` claim values present in the JWT passed in the request. This key is only available when the JWT has the `client_id` claim exactly and is not available when the information is communicated in other similar claims. You can apply this condition key to the `GetWorkloadAccessTokenForJwt` and `CompleteResourceTokenAuth` operations. + + + +