AWS bedrock-agentcore high security documentation change
Summary
Updated action namespaces from 'bedrock:' to 'bedrock-agentcore:', added new WebSocket stream actions, modified policy examples to use specific principals, and updated CLI commands/resource ARNs
Security assessment
The change replaces wildcard principals ('*') with specific IAM role ARNs in policy examples, which directly addresses security best practices by preventing overly permissive access. The namespace updates and new action definitions help clarify security boundaries. The updated CLI commands and resource ARNs reflect more secure service segmentation.
Diff
diff --git a/bedrock-agentcore/latest/devguide/resource-based-policies.md b/bedrock-agentcore/latest/devguide/resource-based-policies.md index 742e6081c..a9b94b9fb 100644 --- a//bedrock-agentcore/latest/devguide/resource-based-policies.md +++ b//bedrock-agentcore/latest/devguide/resource-based-policies.md @@ -117 +117 @@ A resource-based policy is a JSON document with the following structure: - "Action": "bedrock:ActionName", + "Action": "bedrock-agentcore:ActionName", @@ -132 +132 @@ A resource-based policy is a JSON document with the following structure: - * `bedrock:InvokeAgentRuntime` \- Invoke an agent runtime + * `bedrock-agentcore:InvokeAgentRuntime` \- Invoke an agent runtime @@ -134 +134 @@ A resource-based policy is a JSON document with the following structure: - * `bedrock:InvokeAgentRuntimeForUser` \- Invoke an agent runtime endpoint with X-Amzn-Bedrock-AgentCore-Runtime-User-Id header + * `bedrock-agentcore:InvokeAgentRuntimeForUser` \- Invoke an agent runtime endpoint with X-Amzn-Bedrock-AgentCore-Runtime-User-Id header @@ -136 +136 @@ A resource-based policy is a JSON document with the following structure: - * `bedrock:StopRuntimeSession` \- Stop an active runtime session + * `bedrock-agentcore:InvokeAgentRuntimeWithWebSocketStream` \- Invoke an agent runtime with WebSocket stream @@ -138 +138,5 @@ A resource-based policy is a JSON document with the following structure: - * `bedrock:GetAgentCard` \- Retrieve agent card information + * `bedrock-agentcore:InvokeAgentRuntimeWithWebSocketStreamForUser` \- Invoke an agent runtime with WebSocket stream with X-Amzn-Bedrock-AgentCore-Runtime-User-Id header + + * `bedrock-agentcore:StopRuntimeSession` \- Stop an active runtime session + + * `bedrock-agentcore:GetAgentCard` \- Retrieve agent card information @@ -145 +149 @@ A resource-based policy is a JSON document with the following structure: - * `bedrock:InvokeGateway` \- Invoke a gateway + * `bedrock-agentcore:InvokeGateway` \- Invoke a gateway @@ -174 +178 @@ Grant API access to specific roles in a different AWS account: - "Action": "bedrock:InvokeAgentRuntime", + "Action": "bedrock-agentcore:InvokeAgentRuntime", @@ -190,2 +194,4 @@ Block incoming traffic from specific IP address ranges: - "Principal": "*", - "Action": "bedrock:InvokeAgentRuntime", + "Principal": { + "AWS": "arn:aws:iam::123456789012:role/ApplicationRole" + }, + "Action": "bedrock-agentcore:InvokeAgentRuntime", @@ -196,2 +202,4 @@ Block incoming traffic from specific IP address ranges: - "Principal": "*", - "Action": "bedrock:InvokeAgentRuntime", + "Principal": { + "AWS": "arn:aws:iam::123456789012:role/ApplicationRole" + }, + "Action": "bedrock-agentcore:InvokeAgentRuntime", @@ -221,2 +229,4 @@ Restrict access to requests from a specific VPC: - "Principal": "*", - "Action": "bedrock:InvokeAgentRuntime", + "Principal": { + "AWS": "arn:aws:iam::123456789012:role/ApplicationRole" + }, + "Action": "bedrock-agentcore:InvokeAgentRuntime", @@ -227,2 +237,4 @@ Restrict access to requests from a specific VPC: - "Principal": "*", - "Action": "bedrock:InvokeAgentRuntime", + "Principal": { + "AWS": "arn:aws:iam::123456789012:role/ApplicationRole" + }, + "Action": "bedrock-agentcore:InvokeAgentRuntime", @@ -251 +263 @@ When your Agent Runtime or Gateway is configured with OAuth authentication, you - "Action": "bedrock:InvokeAgentRuntime", + "Action": "bedrock-agentcore:InvokeAgentRuntime", @@ -289,2 +301,2 @@ Use the `put-resource-policy` command: - aws bedrock-agent put-resource-policy \ - --resource-arn arn:aws:bedrock:us-west-2:111122223333:agent/AGENTID \ + aws bedrock-agentcore-control put-resource-policy \ + --resource-arn arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID \ @@ -298,2 +310,2 @@ Use the `get-resource-policy` command: - aws bedrock-agent get-resource-policy \ - --resource-arn arn:aws:bedrock:us-west-2:111122223333:agent/AGENTID + aws bedrock-agentcore-control get-resource-policy \ + --resource-arn arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID @@ -306,2 +318,2 @@ Use the `delete-resource-policy` command: - aws bedrock-agent delete-resource-policy \ - --resource-arn arn:aws:bedrock:us-west-2:111122223333:agent/AGENTID + aws bedrock-agentcore-control delete-resource-policy \ + --resource-arn arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID @@ -318 +330 @@ The following examples show how to manage resource policies using the AWS Python - client = boto3.client('bedrock-agent', region_name='us-west-2') + client = boto3.client('bedrock-agentcore-control', region_name='us-west-2') @@ -327 +339 @@ The following examples show how to manage resource policies using the AWS Python - "Action": "bedrock:InvokeAgentRuntime", + "Action": "bedrock-agentcore:InvokeAgentRuntime", @@ -334 +346 @@ The following examples show how to manage resource policies using the AWS Python - resourceArn='arn:aws:bedrock:us-west-2:111122223333:agent/AGENTID', + resourceArn='arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID', @@ -340 +352 @@ The following examples show how to manage resource policies using the AWS Python - resourceArn='arn:aws:bedrock:us-west-2:111122223333:agent/AGENTID' + resourceArn='arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID' @@ -346 +358 @@ The following examples show how to manage resource policies using the AWS Python - resourceArn='arn:aws:bedrock:us-west-2:111122223333:agent/AGENTID' + resourceArn='arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID' @@ -364 +376 @@ Grant only the minimum permissions necessary for your use case: - "Action": "bedrock:InvokeAgentRuntime", + "Action": "bedrock-agentcore:InvokeAgentRuntime", @@ -383 +395 @@ Always use condition keys when granting access to AWS services: - "Action": "bedrock:InvokeGateway", + "Action": "bedrock-agentcore:InvokeGateway", @@ -409 +421 @@ Use explicit deny statements for security-critical restrictions: - "Action": "bedrock:*", + "Action": "bedrock-agentcore:InvokeAgentRuntime",