AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-01-31 · Documentation low

File: bedrock-agentcore/latest/devguide/security-vpc-condition.md

Summary

Updated documentation for VPC condition keys with improved clarity, combined subnet/security group examples, and corrected policy syntax

Security assessment

The changes enhance documentation about security features (VPC condition keys) but show no evidence of addressing a specific vulnerability. Improvements include combining subnet/security group examples and fixing policy syntax, which helps users implement proper network isolation but doesn't indicate a resolved security flaw.

Diff

diff --git a/bedrock-agentcore/latest/devguide/security-vpc-condition.md b/bedrock-agentcore/latest/devguide/security-vpc-condition.md
index 6dcf3634c..daaf8db28 100644
--- a//bedrock-agentcore/latest/devguide/security-vpc-condition.md
+++ b//bedrock-agentcore/latest/devguide/security-vpc-condition.md
@@ -9 +9 @@ Example policies with condition keys for VPC settings
-You can use AgentCore-specific condition keys for VPC settings to provide additional permission controls for your AgentCore Runtime and built-in tools. For example, you can require that all runtimes in your organization are connected to a VPC. You can also specify the subnets and security groups that users of the AgentCore Runtime can and can't use.
+Use AgentCore-specific condition keys for VPC settings to provide additional permission controls for your AgentCore Runtime and built-in tools. For example, require that all runtimes in your organization are connected to a VPC. Specify the subnets and security groups that AgentCore Runtime users can and cannot use.
@@ -24 +24 @@ The AgentCore Control Plane API operations `CreateAgentRuntime`, `UpdateAgentRun
-The following examples demonstrate how to use condition keys for VPC settings. After you create a policy statement with the desired restrictions, attach the policy statement to the target user or role.
+The following examples demonstrate how to use condition keys for VPC settings. Create a policy statement with the desired restrictions, then attach the policy statement to the target user or role.
@@ -28 +28 @@ The following examples demonstrate how to use condition keys for VPC settings. A
-To require that all users deploy only VPC-connected AgentCore Runtime and built-in tools, you can deny runtime and tool create and update operations that don't include valid subnets and security groups.
+To require that all users deploy only VPC-connected AgentCore Runtime and built-in tools, deny runtime and tool create and update operations that don't include valid subnets and security groups.
@@ -51 +51 @@ To require that all users deploy only VPC-connected AgentCore Runtime and built-
-To enforce that users use only specific approved subnets, use the `ForAnyValue` set operator with `StringNotEquals` to check the value of the `bedrock-agentcore:subnets` condition. The condition returns true if any one of the context key values in the request does not match the context key values in the policy, denying requests that include any unapproved values. The following example enforces that users can only use `subnet-0123456789abcdef0` and `subnet-0123456789abcdef1`.
+To enforce that users use only specific approved subnets and security groups, use the `ForAnyValue` set operator with `StringNotEquals`. The condition returns true if any one of the context key values in the request does not match the context key values in the policy, denying requests that include any unapproved values. The following example enforces that users can only use `subnet-0123456789abcdef0` and `subnet-0123456789abcdef1` for subnets, and `sg-0123456789abcdef0` and `sg-0123456789abcdef1` for security groups.
@@ -53,0 +54 @@ To enforce that users use only specific approved subnets, use the `ForAnyValue`
+    [
@@ -69,5 +70 @@ To enforce that users use only specific approved subnets, use the `ForAnyValue`
-    }
-
-To enforce that users use only specific approved security groups, use the `ForAnyValue` set operator with `StringNotEquals` to check the value of the `bedrock-agentcore:securityGroups` condition. The condition returns true if any one of the context key values in the request does not match the context key values in the policy, denying requests that include any unapproved values. The following example enforces that users can only use `sg-0123456789abcdef0` and `sg-0123456789abcdef1`.
-    
-    
+      },
@@ -89,0 +87 @@ To enforce that users use only specific approved security groups, use the `ForAn
+    ]
@@ -93 +91 @@ To enforce that users use only specific approved security groups, use the `ForAn
-To deny users access to specific subnets, use the `ForAnyValue` set operator to check the value of the `bedrock-agentcore:subnets` condition. The condition returns true if any one of the context key values in the request matches any one of the context key values in the policy. The following example denies users access to `subnet-0123456789abcdef0` and `subnet-0123456789abcdef1`.
+To deny users access to specific subnets and security groups, use the `ForAnyValue` set operator with `StringEquals`. The condition returns true if any one of the context key values in the request matches any one of the context key values in the policy. The following example denies users access to `subnet-0123456789abcdef0` and `subnet-0123456789abcdef1` for subnets, and `sg-0123456789abcdef0` and `sg-0123456789abcdef1` for security groups.
@@ -95,0 +94 @@ To deny users access to specific subnets, use the `ForAnyValue` set operator to
+    [
@@ -111,5 +110 @@ To deny users access to specific subnets, use the `ForAnyValue` set operator to
-    }
-
-To deny users access to specific security groups, use the `ForAnyValue` set operator to check the value of the `bedrock-agentcore:securityGroups` condition. The condition returns true if any one of the context key values in the request matches any one of the context key values in the policy. The following example denies users access to `sg-0123456789abcdef0` and `sg-0123456789abcdef1`.
-    
-    
+      },
@@ -131,0 +127 @@ To deny users access to specific security groups, use the `ForAnyValue` set oper
+    ]