AWS bedrock-agentcore documentation change
Summary
Added IAM permissions for Lambda (InvokeFunction and GetFunction) required for custom code-based evaluators, with a note explaining these permissions are only needed for code-based evaluators and can be scoped to specific functions.
Security assessment
This change adds documentation about required IAM permissions for a specific feature (custom code-based evaluators). While it documents security-related permissions, there is no evidence it addresses a specific security vulnerability or incident. The note about scoping permissions follows the principle of least privilege, which is a security best practice.
Diff
diff --git a/bedrock-agentcore/latest/devguide/iam-permissions-on-demand.md b/bedrock-agentcore/latest/devguide/iam-permissions-on-demand.md index c24c3322a..26d68850b 100644 --- a//bedrock-agentcore/latest/devguide/iam-permissions-on-demand.md +++ b//bedrock-agentcore/latest/devguide/iam-permissions-on-demand.md @@ -35,0 +36,9 @@ Your IAM user or role needs the following permissions to run on-demand evaluatio + }, + { + "Sid": "LambdaInvokeForCodeBasedEvaluators", + "Effect": "Allow", + "Action": [ + "lambda:InvokeFunction", + "lambda:GetFunction" + ], + "Resource": "arn:aws:lambda:*:*:function:*" @@ -39,0 +49,4 @@ Your IAM user or role needs the following permissions to run on-demand evaluatio +###### Note + +The Lambda permissions are only required if you use [Custom code-based evaluator](./code-based-evaluators.html). You can scope the Lambda resource ARN to specific functions as needed. +