AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2026-01-31 · Security-related medium

File: bedrock-agentcore/latest/devguide/memory-organization.md

Summary

Added trailing slash requirement to prevent namespace collisions and updated IAM policy example

Security assessment

Explicitly states trailing slashes prevent prefix collisions in multi-tenant systems (security concern). Updates IAM policy to demonstrate namespace-based access control, directly improving security documentation.

Diff

diff --git a/bedrock-agentcore/latest/devguide/memory-organization.md b/bedrock-agentcore/latest/devguide/memory-organization.md
index 602fc211a..2a59b3027 100644
--- a//bedrock-agentcore/latest/devguide/memory-organization.md
+++ b//bedrock-agentcore/latest/devguide/memory-organization.md
@@ -30 +30 @@ When you [create](./memory-create-a-memory-store.html) or update an AgentCore Me
-Every time AgentCore Memory extracts a new long-term memory with a memory strategy, the long-term memory is saved under the namespace you set. This means that all long-term memories are scoped to their specific namespace, keeping them organized and preventing any conflicts with other users or sessions. You should use a hierarchical format separated by forward slashes `/`. This helps keep memories organized clearly. As needed, you can use the following pre-defined variables within braces in the namespace based on your application's organization needs:
+Every time AgentCore Memory extracts a new long-term memory with a memory strategy, the long-term memory is saved under the namespace you set. This means that all long-term memories are scoped to their specific namespace, keeping them organized and preventing any conflicts with other users or sessions. You should use a hierarchical format separated by forward slashes `/`, ending with a trailing slash. The trailing slash prevents prefix collisions in multi-tenant applications—for example, use `/actors/Alice/` instead of `/actors/Alice`. As needed, you can use the following pre-defined variables within braces in the namespace based on your application's organization needs:
@@ -44 +44 @@ For example, if you define the following namespace as the input to your strategy
-    /strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}
+    /strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}/
@@ -49 +49 @@ After memory creation, this namespace might look like:
-    /strategy/summarization-93483043/actor/actor-9830m2w3/session/session-9330sds8
+    /strategy/summarization-93483043/actor/actor-9830m2w3/session/session-9330sds8/
@@ -55 +55 @@ A namespace can have different levels of granularity:
-`/strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}`
+`/strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}/`
@@ -59 +59 @@ A namespace can have different levels of granularity:
-`/strategy/{memoryStrategyId}/actor/{actorId}`
+`/strategy/{memoryStrategyId}/actor/{actorId}/`
@@ -63 +63 @@ A namespace can have different levels of granularity:
-`/strategy/{memoryStrategyId}`
+`/strategy/{memoryStrategyId}/`
@@ -75 +75 @@ You can create IAM policies to restrict memory access by the scopes you define,
-The following policy restricts access to retrieving memories from a specific namespace.
+The following policy restricts access to retrieving memories to a specific namespace prefix. In this example, the policy allows access only to memories in namespaces starting with `summaries/agent1/`, such as `summaries/agent1/session1/` or `summaries/agent1/session2/`.
@@ -95,2 +95,2 @@ JSON
-            "StringEquals": {
-              "bedrock-agentcore:namespace": "summaries/agent1"
+            "StringLike": {
+              "bedrock-agentcore:namespace": "summaries/agent1/"