AWS bedrock-agentcore medium security documentation change
Summary
Updated namespace examples to include trailing slashes and modified IAM policy example to use StringLike condition with namespace prefix
Security assessment
The change modifies IAM policy examples to demonstrate proper namespace prefix matching using StringLike instead of StringEquals. This prevents overly permissive access by ensuring policies only grant access to intended namespace hierarchies, addressing potential authorization vulnerabilities.
Diff
diff --git a/bedrock-agentcore/latest/devguide/specify-long-term-memory-organization.md b/bedrock-agentcore/latest/devguide/specify-long-term-memory-organization.md index 7b23ac30f..dfe69119e 100644 --- a//bedrock-agentcore/latest/devguide/specify-long-term-memory-organization.md +++ b//bedrock-agentcore/latest/devguide/specify-long-term-memory-organization.md @@ -27 +27 @@ For example, if you define the following namespace as the input to your strategy - /strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId} + /strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}/ @@ -38 +38 @@ A namespace can have different levels of granularity: -`/strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}` +`/strategy/{memoryStrategyId}/actor/{actorId}/session/{sessionId}/` @@ -42 +42 @@ A namespace can have different levels of granularity: -`/strategy/{memoryStrategyId}/actor/{actorId}` +`/strategy/{memoryStrategyId}/actor/{actorId}/` @@ -46 +46 @@ A namespace can have different levels of granularity: -`/strategy/{memoryStrategyId}` +`/strategy/{memoryStrategyId}/` @@ -56 +56 @@ For example code, see [Enable long-term memory](./long-term-enabling-long-term-m -You can create IAM policies to restrict memory access by the scopes you define, such as actor, session, and namespace. Use the scopes as context keys in your IAM polices. +You can create IAM policies to restrict memory access by the scopes you define, such as actor, session, and namespace. Use the scopes as context keys in your IAM policies. @@ -58 +58 @@ You can create IAM policies to restrict memory access by the scopes you define, -The following policy restricts access to retrieving memories from a specific namespace. +The following policy restricts access to retrieving memories to a specific namespace prefix. In this example, the policy allows access only to memories in namespaces starting with `summaries/agent1/`, such as `summaries/agent1/session1/` or `summaries/agent1/session2/`. @@ -78,2 +78,2 @@ JSON - "StringEquals": { - "bedrock-agentcore:namespace": "summaries/agent1" + "StringLike": { + "bedrock-agentcore:namespace": "summaries/agent1/"