AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2025-12-07 · Security-related high

File: bedrock-agentcore/latest/devguide/browser-web-bot-auth.md

Summary

Added explicit trust policy requirements for Web Bot Auth execution role with source account/ARN conditions

Security assessment

The change introduces stricter IAM trust policy requirements with explicit source account and ARN conditions, which directly impacts security by enforcing least privilege access. This prevents potential privilege escalation via role assumption.

Diff

diff --git a/bedrock-agentcore/latest/devguide/browser-web-bot-auth.md b/bedrock-agentcore/latest/devguide/browser-web-bot-auth.md
index bd7d8607d..9dcc817a0 100644
--- a//bedrock-agentcore/latest/devguide/browser-web-bot-auth.md
+++ b//bedrock-agentcore/latest/devguide/browser-web-bot-auth.md
@@ -137 +137,31 @@ Console
-Web Bot Auth requires an execution role with appropriate permissions. The feature is disabled by default and must be explicitly enabled during browser creation.
+Web Bot Auth requires an execution role with a trust policy, but does not require any managed or inline policies. The feature is disabled by default and must be explicitly enabled during browser creation.
+
+You should add the following trust policy to the execution role:
+
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version":"2012-10-17",		 	 	 
+        "Statement": [{
+            "Sid": "BedrockAgentCoreBuiltInTools",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "bedrock-agentcore.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole",
+            "Condition": {
+                "StringEquals": {
+                    "aws:SourceAccount": "111122223333"
+                },
+                "ArnLike": {
+                    "aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:*"
+                }
+            }
+        }]
+    }
+