AWS bedrock-agentcore medium security documentation change
Summary
Added trailing slash requirement to prevent namespace collisions and updated IAM policy example
Security assessment
Explicitly states trailing slashes prevent prefix collisions in multi-tenant systems (security concern). Updates IAM policy to demonstrate namespace-based access control, directly improving security documentation.
Diff
diff --git a/bedrock-agentcore/latest/devguide/memory-organization.md b/bedrock-agentcore/latest/devguide/memory-organization.md index 602fc211a..2a59b3027 100644 --- a//bedrock-agentcore/latest/devguide/memory-organization.md +++ b//bedrock-agentcore/latest/devguide/memory-organization.md @@ -30 +30 @@ When you [create](./memory-create-a-memory-store.html) or update an AgentCore Me -Every time AgentCore Memory extracts a new long-term memory with a memory strategy, the long-term memory is saved under the namespace you set. This means that all long-term memories are scoped to their specific namespace, keeping them organized and preventing any conflicts with other users or sessions. You should use a hierarchical format separated by forward slashes `/`. This helps keep memories organized clearly. As needed, you can use the following pre-defined variables within braces in the namespace based on your application's organization needs: +Every time AgentCore Memory extracts a new long-term memory with a memory strategy, the long-term memory is saved under the namespace you set. This means that all long-term memories are scoped to their specific namespace, keeping them organized and preventing any conflicts with other users or sessions. You should use a hierarchical format separated by forward slashes `/`, ending with a trailing slash. The trailing slash prevents prefix collisions in multi-tenant applications—for example, use `/actors/Alice/` instead of `/actors/Alice`. As needed, you can use the following pre-defined variables within braces in the namespace based on your application's organization needs: @@ -44 +44 @@ For example, if you define the following namespace as the input to your strategy - /strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId} + /strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}/ @@ -49 +49 @@ After memory creation, this namespace might look like: - /strategy/summarization-93483043/actor/actor-9830m2w3/session/session-9330sds8 + /strategy/summarization-93483043/actor/actor-9830m2w3/session/session-9330sds8/ @@ -55 +55 @@ A namespace can have different levels of granularity: -`/strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}` +`/strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}/` @@ -59 +59 @@ A namespace can have different levels of granularity: -`/strategy/{memoryStrategyId}/actor/{actorId}` +`/strategy/{memoryStrategyId}/actor/{actorId}/` @@ -63 +63 @@ A namespace can have different levels of granularity: -`/strategy/{memoryStrategyId}` +`/strategy/{memoryStrategyId}/` @@ -75 +75 @@ You can create IAM policies to restrict memory access by the scopes you define, -The following policy restricts access to retrieving memories from a specific namespace. +The following policy restricts access to retrieving memories to a specific namespace prefix. In this example, the policy allows access only to memories in namespaces starting with `summaries/agent1/`, such as `summaries/agent1/session1/` or `summaries/agent1/session2/`. @@ -95,2 +95,2 @@ JSON - "StringEquals": { - "bedrock-agentcore:namespace": "summaries/agent1" + "StringLike": { + "bedrock-agentcore:namespace": "summaries/agent1/"