AWS bedrock-agentcore high security documentation change
Summary
Updated resource-based policy examples to enforce explicit ARN usage instead of wildcard resources. Added validation requirements and modified all policy examples to use specific resource ARNs.
Security assessment
The changes enforce least-privilege access by replacing permissive wildcard ('*') resource policies with explicit ARNs. This prevents potential over-permission issues where wildcards could grant unintended access. The added validation note explicitly states wildcards are unsupported, indicating this addresses a security misconfiguration risk.
Diff
diff --git a/bedrock-agentcore/latest/devguide/resource-based-policies.md b/bedrock-agentcore/latest/devguide/resource-based-policies.md index 744d18c43..cfad973fb 100644 --- a//bedrock-agentcore/latest/devguide/resource-based-policies.md +++ b//bedrock-agentcore/latest/devguide/resource-based-policies.md @@ -107 +107 @@ Example: Granting cross-account access requires policies on both resources: - // Policy for Agent Runtime + // Policy for Agent Runtime (attached to arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID) @@ -117 +117 @@ Example: Granting cross-account access requires policies on both resources: - "Resource": "*" + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID" @@ -122 +122 @@ Example: Granting cross-account access requires policies on both resources: - // Policy for Agent Endpoint (for the endpoint that points to this runtime) + // Policy for Agent Endpoint (attached to arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID/endpoint/ENDPOINTID) @@ -132 +132 @@ Example: Granting cross-account access requires policies on both resources: - "Resource": "*" + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID/endpoint/ENDPOINTID" @@ -170 +170 @@ A resource-based policy is a JSON document with the following structure: - "Resource": "*", + "Resource": "arn:aws:bedrock-agentcore:region:account-id:resource-type/resource-id", @@ -179,0 +180,4 @@ A resource-based policy is a JSON document with the following structure: +###### Important + +The `Resource` field in the policy document must contain the exact ARN of the resource to which the policy is attached. Using `"Resource": "*"` is not supported and will result in a validation error. + @@ -212 +216 @@ You can use condition keys to further refine access control in your policies. Fo -This section provides practical examples of resource-based policies for common scenarios. These examples use simplified syntax where `"Resource": "*"` represents the resource to which the policy is attached. +This section provides practical examples of resource-based policies for common scenarios. The `Resource` field in each example must contain the exact ARN of the resource to which the policy is attached. Replace the example ARNs with your actual resource ARNs. @@ -218,0 +223 @@ Grant API access to specific roles in a different AWS account: + // Policy attached to arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID @@ -231 +236 @@ Grant API access to specific roles in a different AWS account: - "Resource": "*" + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID" @@ -240,0 +246 @@ Block incoming traffic from specific IP address ranges: + // Policy attached to arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID @@ -250 +256 @@ Block incoming traffic from specific IP address ranges: - "Resource": "*" + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID" @@ -258 +264 @@ Block incoming traffic from specific IP address ranges: - "Resource": "*", + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID", @@ -275,0 +282 @@ Restrict access to requests from a specific VPC: + // Policy attached to arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID @@ -285 +292 @@ Restrict access to requests from a specific VPC: - "Resource": "*" + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID" @@ -293 +300 @@ Restrict access to requests from a specific VPC: - "Resource": "*", + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID", @@ -307,0 +315 @@ When your Agent Runtime or Gateway is configured with OAuth authentication, you + // Policy attached to arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID @@ -316 +324 @@ When your Agent Runtime or Gateway is configured with OAuth authentication, you - "Resource": "*", + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID", @@ -383,0 +392,3 @@ The following examples show how to manage resource policies using the AWS Python + # Define the resource ARN + resource_arn = 'arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID' + @@ -384,0 +396 @@ The following examples show how to manage resource policies using the AWS Python + # Note: The Resource field must match the resource ARN to which the policy is attached @@ -392 +404 @@ The following examples show how to manage resource policies using the AWS Python - "Resource": "*" + "Resource": resource_arn @@ -398 +410 @@ The following examples show how to manage resource policies using the AWS Python - resourceArn='arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID', + resourceArn=resource_arn, @@ -419,0 +432 @@ Grant only the minimum permissions necessary for your use case: + // Policy attached to arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID @@ -429 +442 @@ Grant only the minimum permissions necessary for your use case: - "Resource": "*" + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID" @@ -438,0 +452 @@ Always use condition keys when granting access to AWS services: + // Policy attached to arn:aws:bedrock-agentcore:us-west-2:111122223333:gateway/GATEWAYID @@ -448 +462 @@ Always use condition keys when granting access to AWS services: - "Resource": "*", + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:gateway/GATEWAYID", @@ -465,0 +480 @@ Use explicit deny statements for security-critical restrictions: + // Policy attached to arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID @@ -474 +489 @@ Use explicit deny statements for security-critical restrictions: - "Resource": "*", + "Resource": "arn:aws:bedrock-agentcore:us-west-2:111122223333:runtime/AGENTID",