AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-01 · Documentation medium

File: bedrock-agentcore/latest/devguide/iam-permissions-on-demand.md

Summary

Added IAM permissions for Lambda (InvokeFunction and GetFunction) required for custom code-based evaluators, with a note explaining these permissions are only needed for code-based evaluators and can be scoped to specific functions.

Security assessment

This change adds documentation about required IAM permissions for a specific feature (custom code-based evaluators). While it documents security-related permissions, there is no evidence it addresses a specific security vulnerability or incident. The note about scoping permissions follows the principle of least privilege, which is a security best practice.

Diff

diff --git a/bedrock-agentcore/latest/devguide/iam-permissions-on-demand.md b/bedrock-agentcore/latest/devguide/iam-permissions-on-demand.md
index c24c3322a..26d68850b 100644
--- a//bedrock-agentcore/latest/devguide/iam-permissions-on-demand.md
+++ b//bedrock-agentcore/latest/devguide/iam-permissions-on-demand.md
@@ -35,0 +36,9 @@ Your IAM user or role needs the following permissions to run on-demand evaluatio
+            },
+            {
+                "Sid": "LambdaInvokeForCodeBasedEvaluators",
+                "Effect": "Allow",
+                "Action": [
+                    "lambda:InvokeFunction",
+                    "lambda:GetFunction"
+                ],
+                "Resource": "arn:aws:lambda:*:*:function:*"
@@ -39,0 +49,4 @@ Your IAM user or role needs the following permissions to run on-demand evaluatio
+###### Note
+
+The Lambda permissions are only required if you use [Custom code-based evaluator](./code-based-evaluators.html). You can scope the Lambda resource ARN to specific functions as needed.
+