AWS bedrock-agentcore high security documentation change
Summary
Added explicit trust policy requirements for Web Bot Auth execution role with source account/ARN conditions
Security assessment
The change introduces stricter IAM trust policy requirements with explicit source account and ARN conditions, which directly impacts security by enforcing least privilege access. This prevents potential privilege escalation via role assumption.
Diff
diff --git a/bedrock-agentcore/latest/devguide/browser-web-bot-auth.md b/bedrock-agentcore/latest/devguide/browser-web-bot-auth.md index bd7d8607d..9dcc817a0 100644 --- a//bedrock-agentcore/latest/devguide/browser-web-bot-auth.md +++ b//bedrock-agentcore/latest/devguide/browser-web-bot-auth.md @@ -137 +137,31 @@ Console -Web Bot Auth requires an execution role with appropriate permissions. The feature is disabled by default and must be explicitly enabled during browser creation. +Web Bot Auth requires an execution role with a trust policy, but does not require any managed or inline policies. The feature is disabled by default and must be explicitly enabled during browser creation. + +You should add the following trust policy to the execution role: + +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [{ + "Sid": "BedrockAgentCoreBuiltInTools", + "Effect": "Allow", + "Principal": { + "Service": "bedrock-agentcore.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "111122223333" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:*" + } + } + }] + } +