AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-03-25 · Documentation low

File: bedrock-agentcore/latest/devguide/policy-permissions.md

Summary

Added new required IAM permission 'CheckAuthorizePermissions' for Policy Engine association and updated all examples and troubleshooting to include this permission, changing from three to four required permissions.

Security assessment

This change documents a new IAM permission requirement for proper authorization functionality. While it relates to security controls (IAM permissions), there's no evidence of a specific security vulnerability being addressed. The change appears to be a routine update to document a new permission required for the service to function correctly, not a response to a security incident.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-permissions.md b/bedrock-agentcore/latest/devguide/policy-permissions.md
index 1800f0531..c76e3ebef 100644
--- a//bedrock-agentcore/latest/devguide/policy-permissions.md
+++ b//bedrock-agentcore/latest/devguide/policy-permissions.md
@@ -48,0 +49 @@ The execution role must include these three permissions to use Amazon Bedrock Ag
+  4. `bedrock-agentcore:CheckAuthorizePermissions` \- Validates that the execution role has the required policy evaluation permissions when associating a Policy Engine with a Gateway
@@ -52 +53,2 @@ The execution role must include these three permissions to use Amazon Bedrock Ag
-Without these permissions, the Gateway cannot perform policy authorization. This manifests in two ways: attaching a Policy Engine to an existing Gateway will result in an InternalServerException, and all tool invocations will be denied by default even if you have permit policies configured.
+
+Without these permissions, the Gateway cannot perform policy authorization. This manifests in three ways: associating a Policy Engine with a Gateway will fail with an AccessDeniedException if CheckAuthorizePermissions is missing, associating a Policy Engine to an existing Gateway will result in an InternalServerException if AuthorizeAction or PartiallyAuthorizeActions are missing, and all tool invocations will be denied by default even if you have permit policies configured.
@@ -130 +132,2 @@ Replace these placeholders:
-            "bedrock-agentcore:PartiallyAuthorizeActions"
+            "bedrock-agentcore:PartiallyAuthorizeActions",
+            "bedrock-agentcore:CheckAuthorizePermissions"
@@ -193,0 +197 @@ Replace these placeholders:
+            "bedrock-agentcore:InvokeGateway",
@@ -339 +343 @@ This section covers common issues when configuring IAM permissions for Amazon Be
-**Solution:** Ensure the Gateway Execution Role includes these three permissions:
+**Solution:** Ensure the Gateway Execution Role includes these four permissions:
@@ -347 +351,2 @@ This section covers common issues when configuring IAM permissions for Amazon Be
-        "bedrock-agentcore:GetPolicyEngine"
+        "bedrock-agentcore:GetPolicyEngine",
+        "bedrock-agentcore:CheckAuthorizePermissions"
@@ -393 +398 @@ Both `AuthorizeAction` and `PartiallyAuthorizeActions` require access to BOTH th
-  4. **Verify All Three Permissions** \- Ensure `AuthorizeAction`, `PartiallyAuthorizeActions`, AND `GetPolicyEngine` are all present
+  4. **Verify All Four Permissions** \- Ensure `AuthorizeAction`, `PartiallyAuthorizeActions`, `GetPolicyEngine`, AND `CheckAuthorizePermissions` are all present
@@ -459 +464,2 @@ The following example demonstrates how to create both required IAM roles using t
-            "bedrock-agentcore:PartiallyAuthorizeActions"
+            "bedrock-agentcore:PartiallyAuthorizeActions",
+            "bedrock-agentcore:CheckAuthorizePermissions"