AWS bedrock-agentcore documentation change
Summary
Removed the 'bedrock-agentcore:CheckAuthorizePermissions' permission from all required permission lists and updated accompanying text to reflect that only three permissions are now required for policy authorization.
Security assessment
This change updates IAM policy requirements by removing a specific permission ('CheckAuthorizePermissions'). While IAM permissions are security-related, the change itself is a routine update to the permission model with no evidence of addressing a specific security vulnerability, weakness, or incident. The documentation now states that associating a Policy Engine will no longer fail with an AccessDeniedException for missing this permission, indicating a simplification of the authorization flow, not a security fix.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-permissions.md b/bedrock-agentcore/latest/devguide/policy-permissions.md index c76e3ebef..f775a1f87 100644 --- a//bedrock-agentcore/latest/devguide/policy-permissions.md +++ b//bedrock-agentcore/latest/devguide/policy-permissions.md @@ -49 +48,0 @@ The execution role must include these three permissions to use Amazon Bedrock Ag - 4. `bedrock-agentcore:CheckAuthorizePermissions` \- Validates that the execution role has the required policy evaluation permissions when associating a Policy Engine with a Gateway @@ -53,2 +52 @@ The execution role must include these three permissions to use Amazon Bedrock Ag - -Without these permissions, the Gateway cannot perform policy authorization. This manifests in three ways: associating a Policy Engine with a Gateway will fail with an AccessDeniedException if CheckAuthorizePermissions is missing, associating a Policy Engine to an existing Gateway will result in an InternalServerException if AuthorizeAction or PartiallyAuthorizeActions are missing, and all tool invocations will be denied by default even if you have permit policies configured. +Without these permissions, the Gateway cannot perform policy authorization. This manifests in two ways: attaching a Policy Engine to an existing Gateway will result in an InternalServerException, and all tool invocations will be denied by default even if you have permit policies configured. @@ -132,2 +130 @@ Replace these placeholders: - "bedrock-agentcore:PartiallyAuthorizeActions", - "bedrock-agentcore:CheckAuthorizePermissions" + "bedrock-agentcore:PartiallyAuthorizeActions" @@ -343 +340 @@ This section covers common issues when configuring IAM permissions for Amazon Be -**Solution:** Ensure the Gateway Execution Role includes these four permissions: +**Solution:** Ensure the Gateway Execution Role includes these three permissions: @@ -351,2 +348 @@ This section covers common issues when configuring IAM permissions for Amazon Be - "bedrock-agentcore:GetPolicyEngine", - "bedrock-agentcore:CheckAuthorizePermissions" + "bedrock-agentcore:GetPolicyEngine" @@ -398 +394 @@ Both `AuthorizeAction` and `PartiallyAuthorizeActions` require access to BOTH th - 4. **Verify All Four Permissions** \- Ensure `AuthorizeAction`, `PartiallyAuthorizeActions`, `GetPolicyEngine`, AND `CheckAuthorizePermissions` are all present + 4. **Verify All Four Permissions** \- Ensure `AuthorizeAction`, `PartiallyAuthorizeActions`, AND `GetPolicyEngine` are all present @@ -464,2 +460 @@ The following example demonstrates how to create both required IAM roles using t - "bedrock-agentcore:PartiallyAuthorizeActions", - "bedrock-agentcore:CheckAuthorizePermissions" + "bedrock-agentcore:PartiallyAuthorizeActions"