AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-01 · Documentation medium

File: bedrock-agentcore/latest/devguide/runtime-permissions.md

Summary

Updated references from 'starter toolkit' to 'AgentCore CLI' and added clarification that IAM policies created by the CLI are for development/testing only, not production.

Security assessment

The change adds security documentation by explicitly warning that the IAM policies created by the tool grant broad access and are not suitable for production, recommending the principle of least privilege for production deployments. This is a security best practice recommendation, not a response to a specific security issue.

Diff

diff --git a/bedrock-agentcore/latest/devguide/runtime-permissions.md b/bedrock-agentcore/latest/devguide/runtime-permissions.md
index 14ac500ef..c9c413ae3 100644
--- a//bedrock-agentcore/latest/devguide/runtime-permissions.md
+++ b//bedrock-agentcore/latest/devguide/runtime-permissions.md
@@ -5 +5 @@
-Use Amazon Bedrock AgentCoreUse the starter toolkitUser permissions for Amazon Bedrock AgentCore ConsoleExecution role for running an agent in AgentCore Runtime
+Use Amazon Bedrock AgentCoreUse the AgentCore CLIUser permissions for Amazon Bedrock AgentCore ConsoleExecution role for running an agent in AgentCore Runtime
@@ -17 +17 @@ For information about using resource-based policies to control access to your Ag
-  * Use the starter toolkit
+  * Use the AgentCore CLI
@@ -28 +28 @@ For information about using resource-based policies to control access to your Ag
-To use Amazon Bedrock AgentCore, you can attach the [BedrockAgentCoreFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/BedrockAgentCoreFullAccess.html) AWS managed policy to your IAM user or IAM. role. This AWS managed policy grants broad permissions. We recommend creating a custom policy with only the permissions your application requires by copying the relevant statements and restricting the resources to your specific use case. To use the starter toolkit, you need additional permissions.
+To use Amazon Bedrock AgentCore, you can attach the [BedrockAgentCoreFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/BedrockAgentCoreFullAccess.html) AWS managed policy to your IAM user or IAM. role. This AWS managed policy grants broad permissions. We recommend creating a custom policy with only the permissions your application requires by copying the relevant statements and restricting the resources to your specific use case. To use the AgentCore CLI, you need additional permissions.
@@ -30 +30 @@ To use Amazon Bedrock AgentCore, you can attach the [BedrockAgentCoreFullAccess]
-## Use the starter toolkit
+## Use the AgentCore CLI
@@ -32 +32 @@ To use Amazon Bedrock AgentCore, you can attach the [BedrockAgentCoreFullAccess]
-To use the Amazon Bedrock AgentCore starter toolkit, attach the following IAM policy to your IAM user or role. To change IAM permissions, see [Change permissions for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html).
+To use the AgentCore CLI, attach the following IAM policy to your IAM user or role. To change IAM permissions, see [Change permissions for an IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html).
@@ -36 +36 @@ To use the Amazon Bedrock AgentCore starter toolkit, attach the following IAM po
-The IAM policies created by the starter toolkit are designed for development and testing purposes. These permissions grant broad access to facilitate rapid prototyping and are not suitable for production environments. For production deployments, create custom IAM policies that follow the principle of least privilege and restrict permissions to only the specific resources and actions required by your Bedrock AgentCore application.
+The IAM policies created by the AgentCore CLI are designed for development and testing purposes. These permissions grant broad access to facilitate rapid prototyping and are not suitable for production environments. For production deployments, create custom IAM policies that follow the principle of least privilege and restrict permissions to only the specific resources and actions required by your Amazon Bedrock AgentCore application.