AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-02-25 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-sra.md

Summary

Updated the AWS Security Reference Architecture (SRA) documentation to expand scope from generative AI to general AI security. Added six new security capabilities, restructured content around AI workload security considerations, introduced Amazon Bedrock AgentCore, and enhanced security guidance for model evaluation and guardrails.

Security assessment

The changes restructure and expand security documentation but don't address any specific security vulnerability. New sections on Amazon Bedrock AgentCore and enhanced guardrail/data protection documentation provide security feature guidance without referencing patched vulnerabilities.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-sra.md b/prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-sra.md
index 431431786..ba14be435 100644
--- a//prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-sra.md
+++ b//prescriptive-guidance/latest/security-reference-architecture-generative-ai/gen-ai-sra.md
@@ -3 +3 @@
-[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – generative AI](introduction.html)
+[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[AWS Security Reference Architecture (AWS SRA) – AI security](introduction.html)
@@ -5 +5 @@
-Amazon BedrockAmazon Bedrock GuardrailsAmazon Bedrock model evaluation
+Amazon BedrockAmazon Bedrock GuardrailsAmazon Bedrock model evaluationAmazon Bedrock AgentCore
@@ -7 +7 @@ Amazon BedrockAmazon Bedrock GuardrailsAmazon Bedrock model evaluation
-# AWS SRA for generative AI
+# AWS SRA for AI
@@ -12 +12 @@ Influence the future of the AWS Security Reference Architecture (AWS SRA) by tak
-The architecture illustrated in the following diagram is an extension of the AWS SRA [Workloads OU](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/application.html) in the AWS SRA core architecture.
+This section provides recommendations for securing AI workloads within the AWS SRA multi-account framework. It covers AWS Identity and Access Management (IAM) permissions, data protection, input/output validation, network isolation, logging, and monitoring for generative AI capabilities. This section also covers integrating these capabilities into traditional AWS workloads.
@@ -14 +14 @@ The architecture illustrated in the following diagram is an extension of the AWS
-A specific OU is dedicated for applications that use generative AI. The OU consists of an Application account where you host your traditional AWS application that provides specific business functionality. This AWS application uses the generative AI capabilities that Amazon Bedrock provides. These capabilities are served out of the Generative AI account, which hosts relevant Amazon Bedrock and associated AWS services. Grouping AWS services based on application type helps enforce security controls through OU-specific and AWS account-specific service control policies. This also makes it easier to implement strong access control and least privilege. In addition to these specific OUs and accounts, the reference architecture depicts additional OUs and accounts that provide foundational security capabilities that apply to all application types. The [Org Management](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/org-management.html), [Security Tooling](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/security-tooling.html), [Log Archive](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/log-archive.html), [Network](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/network.html), and [Shared Services](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/shared-services.html) accounts are discussed in the _SRA – core architecture_ guide.
+This guidance covers security for the following capabilities:
@@ -16 +16 @@ A specific OU is dedicated for applications that use generative AI. The OU consi
-###### Design considerations
+  * [Capability 1. Providing developers and data scientists with secure access to generative AI FMs (model inference)](./gen-ai-model-inference.html)
@@ -18 +18 @@ A specific OU is dedicated for applications that use generative AI. The OU consi
-If your application architecture requires generative AI services provided by Amazon Bedrock and other AWS services to be consolidated within the same account where your business application is hosted, you can merge the Application and Generative AI accounts into a single account. This will also be the case if your generative AI usage is spread across your entire AWS organization.
+  * [Capability 2. Providing secure access, usage, and implementation for generative AI model customization](./gen-ai-rag.html)
@@ -20 +20 @@ If your application architecture requires generative AI services provided by Ama
-![AWS SRA architecture to support generative AI.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/generative-ai-architecture.png)
+  * [Capability 3. Providing secure access to data and systems for generative AI](./gen-ai-agents.html)
@@ -22 +22 @@ If your application architecture requires generative AI services provided by Ama
-###### Design consideration
+  * [Capability 4. Providing secure access, usage, and implementation of tools](./gen-ai-customization.html)
@@ -24 +24 @@ If your application architecture requires generative AI services provided by Ama
-You can further break out your Generative AI account based on the software development lifecycle (SDLC) environment (for example, development, test, or production), or by model or user community.
+  * [Capability 5. Providing secure access, usage, and implementation of generative AI agents](./gen-auto-agents.html)
@@ -26 +26 @@ You can further break out your Generative AI account based on the software devel
-  * Account separation based on the SDLC environment: As a best practice, [separate the SDLC environments into separate OUs](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/workloads-ou.html). This separation ensures proper isolation and control over each environment and supports. It provides:
+  * [Capability 6. Providing secure access, usage, and implementation for AI applications](./ai-apps.html)
@@ -28 +27,0 @@ You can further break out your Generative AI account based on the software devel
-    * Controlled access. Different teams or individuals can be granted access to specific environments based on their roles and responsibilities. 
@@ -30 +28,0 @@ You can further break out your Generative AI account based on the software devel
-    * Resource isolation. Each environment can have its own dedicated resources (such as models or knowledge bases) without interfering with other environments. 
@@ -32 +29,0 @@ You can further break out your Generative AI account based on the software devel
-    * Cost tracking. Costs associated with each environment can be tracked and monitored separately. 
@@ -34 +31 @@ You can further break out your Generative AI account based on the software devel
-    * Risk mitigation. Issues or experiments in one environment (for example, development) don't impact the stability of other environments (for example, production). 
+Most capability sections include the following information:
@@ -36 +33 @@ You can further break out your Generative AI account based on the software devel
-  * Account separation based on the model or user community: In the current architecture, one account provides access to multiple foundation models (FMs) for inference through Amazon Bedrock. You can use IAM roles to provide access control to pre-trained FMs based on user roles and responsibilities. (For an example, see the [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-deny-inference) documentation.) Conversely, you can choose to separate your Generative AI accounts based on risk level, model, or user community. This can be beneficial in certain scenarios: 
+  * **Rationale** explains what the capability does and when to use it.
@@ -38 +35 @@ You can further break out your Generative AI account based on the software devel
-    * User community risk levels. If different user communities have varying levels of risk or access requirements, separate accounts could help enforce appropriate access controls and filters. 
+  * **Security considerations** describes risks that are specific to the capability. 
@@ -40 +37 @@ You can further break out your Generative AI account based on the software devel
-    * Customized models. For models that are customized with customer data, if comprehensive information about the training data is available, separate accounts could provide better isolation and control. 
+  * **Remediations** reviews the AWS services and features that address the risks.
@@ -41,0 +39 @@ You can further break out your Generative AI account based on the software devel
+  * **Recommended AWS services** describes the services to build the capability securely. 
@@ -45 +42,0 @@ You can further break out your Generative AI account based on the software devel
-Based on these considerations, you can evaluate the specific requirements, security needs, and operational complexities associated with your use case. If the primary focus is on Amazon Bedrock and pre-trained FMs, a single account with IAM roles could be a viable approach. However, if you have specific requirements for model or user community separation, or if you plan to work with customer-loaded models, separate accounts might be necessary. Ultimately, the decision should be driven by your application-specific needs and factors such as security, operational complexity, and cost considerations.
@@ -47 +44 @@ Based on these considerations, you can evaluate the specific requirements, secur
-###### Note
+All capabilities build on Capability 1 (foundation model inference) because they all invoke models. When you combine capabilities, apply security controls from each relevant section. For example, a customized model with Retrieval Augmented Generation (RAG) requires controls from capabilities 1, 2, and 3.
@@ -49 +46 @@ Based on these considerations, you can evaluate the specific requirements, secur
-To simplify the following discussions and examples, this guide assumes a single generative AI account strategy with IAM roles.
+The following diagram shows the extension of the AWS SRA [Workloads organizational unit (OU)](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/application.html) architecture with a dedicated Generative AI OU. The Generative AI OU contains two accounts that separate concerns:
@@ -51 +48 @@ To simplify the following discussions and examples, this guide assumes a single
-## Amazon Bedrock
+  * The _Application account_ hosts your traditional AWS application, which provides specific business functionality. 
@@ -53 +50 @@ To simplify the following discussions and examples, this guide assumes a single
-Amazon Bedrock is an easy way to build and scale generative AI applications with foundation models (FMs). As a fully managed service, it offers a choice of high-performing FMs from leading AI companies, including AI21 Labs, Anthropic, Cohere, Meta, Stability AI, and Amazon. It also offers a broad set of capabilities needed to build generative AI applications, and simplifies development while maintaining privacy and security. FMs serve as building blocks for developing generative AI applications and solutions. By providing access to Amazon Bedrock, users can directly interact with these FMs through a user-friendly interface or through the [Amazon Bedrock API](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html). The objective of Amazon Bedrock is to provide model choice through a single API for rapid experimentation, customization, and deployment to production while supporting fast pivoting to different models. It's all about model choice.
+  * The _Generative AI account_ hosts Amazon Bedrock and associated AWS services. Your application in the Application account calls Amazon Bedrock capabilities in the Generative AI account through APIs. 
@@ -55 +51,0 @@ Amazon Bedrock is an easy way to build and scale generative AI applications with
-You can experiment with pre-trained models, customize the models for your specific use cases, and integrate them into your applications and workflows. This direct interaction with the FMs enables organizations to rapidly prototype and iterate on generative AI solutions, and to take advantage of the latest advancements in machine learning without the need for extensive resources or expertise in training complex models from scratch. The Amazon Bedrock console simplifies the process of accessing and using these powerful generative AI capabilities.
@@ -57 +52,0 @@ You can experiment with pre-trained models, customize the models for your specif
-Amazon Bedrock provides an array of security capabilities to help with the privacy and security of your data: 
@@ -59 +53,0 @@ Amazon Bedrock provides an array of security capabilities to help with the priva
-  * All user content that's processed by Amazon Bedrock is isolated by user, encrypted at rest, and stored in the AWS Region where you are using Amazon Bedrock. Your content is also encrypted in transit by using TLS 1.2 at the minimum. To learn more about data protection in Amazon Bedrock, see the [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/data-protection.html) documentation. 
@@ -61 +55 @@ Amazon Bedrock provides an array of security capabilities to help with the priva
-  * Amazon Bedrock doesn't store or log your prompts and completions. Amazon Bedrock doesn't use your prompts and completions to train any AWS models and doesn't distribute them to third parties.
+This account separation provides two key benefits. First, it enforces security controls through OU-specific and account-specific service control policies. Second, it simplifies implementing least-privilege access by grouping services based on application type. The reference architecture also includes foundational accounts that apply to all application types: Org Management, Security Tooling, Log Archive, Network, and Shared Services. For more information about these accounts, see [AWS Security Reference Architecture](https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html) in the _AWS SRA – core architecture_ guide. 
@@ -63 +57 @@ Amazon Bedrock provides an array of security capabilities to help with the priva
-  * When you tune an FM, your changes use a private copy of that model. This means that your data isn't shared with model providers or used to improve the base models. 
+![AWS SRA architecture to support generative AI.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/aws-sra-for-ai.png)
@@ -65 +59 @@ Amazon Bedrock provides an array of security capabilities to help with the priva
-  * Amazon Bedrock implements automated abuse detection mechanisms to identify potential violations of the [AWS Responsible AI Policy](https://aws.amazon.com/machine-learning/responsible-ai/policy/). To learn more about abuse detection in Amazon Bedrock, see the [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/abuse-detection.html) documentation. 
+###### Design considerations
@@ -67 +61 @@ Amazon Bedrock provides an array of security capabilities to help with the priva
-  * Amazon Bedrock is in scope for common [compliance standards](https://docs.aws.amazon.com/bedrock/latest/userguide/compliance-validation.html), including International Organization for Standardization (ISO), System and Organization Controls (SOC), Federal Risk and Authorization Management Program (FedRAMP) Moderate, and Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) Level 2. Amazon Bedrock is Health Insurance Portability and Accountability Act (HIPAA) eligible, and you can use this service in compliance with the General Data Protection Regulation (GDPR). To learn whether an AWS service is within the scope of specific compliance programs, see [AWS services in scope by compliance program](https://aws.amazon.com/compliance/services-in-scope/) and choose the compliance program that you're interested in. 
+  * Merge the Application and Generative AI accounts if your architecture requires consolidating both services in one account, or if your generative AI usage spans your entire organization.
@@ -68,0 +63 @@ Amazon Bedrock provides an array of security capabilities to help with the priva
+  * Separate Generative AI accounts by software development lifecycle (SDLC) environment (development, test, and production) or by model and user community:
@@ -69,0 +65 @@ Amazon Bedrock provides an array of security capabilities to help with the priva
+    * Use separate OUs for each SDLC environment. This approach controls team access, isolates resources, tracks costs separately, and prevents development issues from affecting production.
@@ -70,0 +67,28 @@ Amazon Bedrock provides an array of security capabilities to help with the priva
+    * Use AWS Identity and Access Management (IAM) roles in a single account for pre-trained models. Use separate accounts when user communities have different risk levels, or when customized models contain sensitive training data.
+
+  * Use multiple accounts when different user communities have distinct risk profiles, when customized models contain sensitive training data, or when regulatory requirements mandate data isolation.
+
+  * Use a single account when you only use pre-trained foundation models, when users have a consistent risk profile, or when IAM roles provide sufficient access control.
+
+
+
+
+###### Note
+
+This guide assumes a single generative AI account strategy with IAM roles.
+
+## Amazon Bedrock
+
+[Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/what-is-bedrock.html) helps you build and scale generative AI applications with foundation models (FMs). As a fully managed service, it provides access to FMs from companies such as AI21 Labs, Anthropic, Cohere, Meta, Stability AI, and Amazon through a [single API](https://docs.aws.amazon.com/bedrock/latest/APIReference/welcome.html). You can experiment with pre-trained models, customize them with your data, and deploy them into your applications without training models from scratch or managing specialized infrastructure.
+
+Amazon Bedrock protects your data through the following security capabilities:
+
+  * **Data protection** – Amazon Bedrock isolates your content by user, encrypts it at rest in your AWS Region, and encrypts it in transit using TLS 1.2 or higher.
+
+    * **Data privacy** – Amazon Bedrock doesn't store or log your prompts and completions. AWS doesn't use your content to train models or share it with third parties.
+
+    * **Model customization** – When you customize a foundation model, your changes use a private copy. Your data isn't shared with model providers or used to improve base models.
+
+    * **Abuse detection** – Amazon Bedrock uses automated detection to identify potential violations of the [AWS Responsible AI Policy](https://aws.amazon.com/ai/responsible-ai/policy/).
+
+  * **Compliance** – Amazon Bedrock meets these standards: International Organization for Standardization (ISO), System and Organization Controls (SOC), Federal Risk and Authorization Management Program (FedRAMP) Moderate, and Cloud Security Alliance (CSA) Security Trust Assurance and Risk (STAR) Level 2. Amazon Bedrock is Health Insurance Portability and Accountability Act (HIPAA) eligible and in compliance with the General Data Protection Regulation (GDPR). 
@@ -72 +95,0 @@ Amazon Bedrock provides an array of security capabilities to help with the priva
-To learn more, see the [AWS secure approach to generative AI](https://aws.amazon.com/ai/generative-ai/security/).
@@ -74 +96,0 @@ To learn more, see the [AWS secure approach to generative AI](https://aws.amazon
-## Amazon Bedrock Guardrails
@@ -76 +97,0 @@ To learn more, see the [AWS secure approach to generative AI](https://aws.amazon
-[Amazon Bedrock Guardrails](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) enables you to implement safeguards for your generative AI applications based on your use cases and responsible AI policies. A [guardrail](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html) in Amazon Bedrock consists of [filters](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html#guardrails-content-filters) that you can configure, [topics](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html#guardrails-topic-policies) that you can define to block, and messages to send to users when content is blocked or filtered. 
@@ -78 +99 @@ To learn more, see the [AWS secure approach to generative AI](https://aws.amazon
-Content filtering depends on the confidence classification of user inputs (input validation) and FM responses (output validation) across six harmful categories. All input and output statements are classified into one of four confidence levels (none, low, medium, high) for each harmful category. For each category, you can configure the strength of the filters. The following table shows the degree of content that each filter strength blocks and allows.
+For more information, see the [AWS secure approach to generative AI](https://aws.amazon.com/ai/generative-ai/security/).
@@ -80,6 +101,3 @@ Content filtering depends on the confidence classification of user inputs (input
-Filter strength | Blocked content confidence | Allowed content confidence  
----|---|---  
-None | No filtering | None, low, medium, high  
-Low | High | None, low, medium  
-Medium | High, medium | None, low  
-High | High, medium, low | None  
+## Amazon Bedrock Guardrails
+
+[Amazon Bedrock Guardrails](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) help you implement safeguards that align with your use cases and responsible AI policies. You configure [filters](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-components.html#guardrails-content-filters) to block harmful content, define restricted topics, and customize messages that users see when content is blocked. 
@@ -87 +105 @@ High | High, medium, low | None
-When you're ready to [deploy your guardrail](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-deploy.html) to production, you create a version of it and invoke the version of the guardrail in your application. Follow the steps in the **API** tab in the [Test your guardrail](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-test.html) section of the Amazon Bedrock documentation.
+Guardrails evaluate both user inputs and model outputs across multiple harmful categories (hate, insults, sexual, violence, misconduct, and prompt attacks). The system classifies each input and output into one of four confidence levels: none, low, medium, or high. You set filter strength for each category based on your risk tolerance. When you [deploy a guardrail](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-deploy.html) to production, you create a versioned instance and invoke it in your application through the Amazon Bedrock API. For more information about implementation steps, see the [Guardrails](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails.html) section in the Amazon Bedrock documentation.
@@ -91 +109 @@ When you're ready to [deploy your guardrail](https://docs.aws.amazon.com/bedrock
-By default, guardrails are encrypted with an AWS managed key in AWS Key Management Service (AWS KMS). To prevent unauthorized users from gaining access to the guardrails, which could result in undesired changes; we recommend that you use a [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) to encrypt your guardrails and restrict access to the guardrails by using [least privilege IAM permissions](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-permissions.html).
+By default, Amazon Bedrock encrypts guardrails with an AWS managed key in AWS Key Management Service (AWS KMS). We recommend that you use a [customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) to encrypt your guardrails and prevent unauthorized modifications. Combine encryption with [least-privilege IAM permissions](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-permissions.html) to restrict who can view or modify guardrail configurations.
@@ -95 +113 @@ By default, guardrails are encrypted with an AWS managed key in AWS Key Manageme
-Amazon Bedrock supports [model evaluation](https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation.html) jobs. You can use the results of a model evaluation job to compare model outputs, and then choose the model that best suits your downstream generative AI applications.
+Model evaluation helps you compare FM outputs and select the model that best fits your application requirements. Amazon Bedrock supports both automatic evaluation using prompt datasets and human evaluation with subject matter experts.
@@ -97 +115 @@ Amazon Bedrock supports [model evaluation](https://docs.aws.amazon.com/bedrock/l
-You can use an automatic model evaluation job to evaluate a model's performance by using either a custom prompt dataset or a built-in dataset. For more information, see [Starting an automatic model evaluation job](https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-jobs-management-create.html) and [Using prompt datasets for model evaluation](https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-prompt-datasets.html) in the Amazon Bedrock documentation.
+_Automatic evaluation_ jobs assess model performance using either custom prompt datasets or built-in datasets. This approach provides quantitative metrics for comparing models at scale. For more information, see [Creating an automatic model evaluation job](https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-automatic.html) and [Use prompt datasets for model evaluation](https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-prompt-datasets.html) in the Amazon Bedrock documentation.
@@ -99 +117 @@ You can use an automatic model evaluation job to evaluate a model's performance
-Model evaluation jobs that use human workers bring human input from employees or subject matter experts to the evaluation process.
+_Human evaluation_ jobs incorporate input from employees or subject matter experts to assess model quality, relevance, and safety. You organize evaluators into work teams managed through Amazon SageMaker Ground Truth. Create and manage work teams during job setup in Amazon Bedrock, or use the Amazon Cognito or [Amazon SageMaker Ground Truth](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-workforce-management.html) consoles for ongoing management.
@@ -103 +121,36 @@ Model evaluation jobs that use human workers bring human input from employees or
-Model evaluation should occur in a development environment. For recommendations for organizing your non-production environments, see the [Organizing your AWS environment using multiple accounts](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/ou-structure-for-non-production-environments.html) whitepaper.
+We recommend that you run model evaluation in development environments, not production. For information about multi-account strategies, see the [Organizing your AWS environment using multiple accounts](https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/ou-structure-for-non-production-environments.html) whitepaper. Both evaluation types require IAM service roles with the following specific permissions:
+
+  * Automatic evaluation jobs require permissions to access Amazon Simple Storage Service (Amazon S3) datasets and write results.
+
+  * Human evaluation jobs require additional permissions for Amazon SageMaker Ground Truth integration.
+
+  * Custom prompt datasets require cross-origin resource sharing (CORS) configuration on Amazon S3 buckets.
+
+
+
+
+For more information, see [Service role requirements for automatic model evaluation jobs](https://docs.aws.amazon.com/bedrock/latest/userguide/automatic-service-roles.html) and [Service role requirements for human-based model evaluation jobs](https://docs.aws.amazon.com/bedrock/latest/userguide/model-eval-service-roles.html) in the Amazon Bedrock documentation.
+
+Amazon Bedrock creates a temporary copy of your evaluation data during the job and deletes it after completion. By default, Amazon Bedrock encrypts this data with an AWS managed key. We recommend that you use a customer managed key in AWS KMS for enhanced control over data access. For more information, see [Data management and encryption in Amazon Bedrock evaluation job](https://docs.aws.amazon.com/bedrock/latest/userguide/evaluation-data-management.html) in the Amazon Bedrock documentation.
+
+## Amazon Bedrock AgentCore
+
+[Amazon Bedrock AgentCore](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/what-is-bedrock-agentcore.html) provides infrastructure and controls for deploying AI agents securely at scale. AgentCore consists of the following modular services that work together or independently:
+
+  * **AgentCore Runtime** – Serverless execution environment with session isolation
+
+  * **AgentCore Identity** – Authentication and credential management for agents and tools
+
+  * **AgentCore Memory** – Persistent storage for conversation history and context
+
+  * **AgentCore Gateway** – Centralized API integration and tool access
+
+  * **AgentCore Policy** – Policy-based governance for agent actions
+
+  * **AgentCore tools** – Built-in sandboxed tools (Code Interpreter, Browser)
+
+  * **AgentCore Observability** – Trace, debug, and monitor agent performance
+
+  * **AgentCore Evaluations** – Assess agent quality through online and on-demand testing
+
+
@@ -105 +157,0 @@ Model evaluation should occur in a development environment. For recommendations
-All model evaluation jobs require IAM permissions and IAM service roles. For more information, see the [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-security.html) documentation for permissions that are required to create a model evaluation job by using the Amazon Bedrock console, the service role requirements, and the required cross-origin resource sharing (CORS) permissions. Automatic evaluation jobs and model evaluation jobs that use human workers require different service roles. For more information about the policies that are needed for a role to perform model evaluation jobs, see [Service role requirements for automatic model evaluation jobs](https://docs.aws.amazon.com/bedrock/latest/userguide/automatic-service-roles.html) and [Service role requirements for human-based model evaluation jobs](https://docs.aws.amazon.com/bedrock/latest/userguide/model-eval-service-roles.html) in the Amazon Bedrock documentation.
@@ -107 +159 @@ All model evaluation jobs require IAM permissions and IAM service roles. For mor
-For custom prompt datasets, you must specify a CORS configuration on the Amazon Simple Storage Service (Amazon S3) bucket. For the minimal required configuration, see the [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/model-evaluation-security-cors.html) documentation. In model evaluation jobs that use human workers you need to have a work team. You can create or manage [create or manage work teams](https://docs.aws.amazon.com/bedrock/latest/userguide/human-worker-evaluations.html) while setting up a model evaluation job and add workers to a private workforce that's managed by Amazon SageMaker Ground Truth. To manage work teams that are created in Amazon Bedrock outside of job setup, you must use the Amazon Cognito or [Amazon SageMaker Ground Truth consoles](https://docs.aws.amazon.com/sagemaker/latest/dg/security_iam_id-based-policy-examples.html#groundtruth-console-policy). Amazon Bedrock supports a maximum of 50 workers per work team.
+AgentCore works with any agent framework (for example, CrewAI, LangGraph, LlamaIndex, and Strands Agents) and any foundation model (FM). AgentCore provides security capabilities including session isolation through dedicated micro virtual machines (microVMs), encrypted credential storage, namespace-based memory isolation, and comprehensive audit logging.
@@ -109 +161 @@ For custom prompt datasets, you must specify a CORS configuration on the Amazon