AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-01 · Documentation medium

File: bedrock-agentcore/latest/devguide/runtime-persistent-filesystems.md

Summary

Updated IAM policy example for S3 bucket permissions in VPC mode with session storage: added explicit Action array with s3:GetObject, s3:PutObject, and s3:ListBucket; changed resource ARNs to use wildcards for account IDs; added Condition to restrict to bedrock-agentcore.amazonaws.com service principal; removed region-specific account ID table and simplified instructions.

Security assessment

The change adds a security best practice by including a Condition that restricts the IAM policy to only allow the bedrock-agentcore service principal, which improves the principle of least privilege. The addition of s3:ListBucket action and wildcard resource ARNs could potentially expand permissions, but the service principal condition mitigates this risk. There's no evidence this addresses a specific security vulnerability or incident.

Diff

diff --git a/bedrock-agentcore/latest/devguide/runtime-persistent-filesystems.md b/bedrock-agentcore/latest/devguide/runtime-persistent-filesystems.md
index b9600196e..83c5ef0d4 100644
--- a//bedrock-agentcore/latest/devguide/runtime-persistent-filesystems.md
+++ b//bedrock-agentcore/latest/devguide/runtime-persistent-filesystems.md
@@ -263,0 +264,5 @@ If your agent runtime uses VPC mode with session storage, the agent will need ne
+    "Action": [
+        "s3:GetObject",
+        "s3:PutObject",
+        "s3:ListBucket"
+    ],
@@ -265,3 +270,8 @@ If your agent runtime uses VPC mode with session storage, the agent will need ne
-        "arn:aws:s3:::acr-storage-account-id-region-an",
-        "arn:aws:s3:::acr-storage-account-id-region-an/*"
-    ]
+        "arn:aws:s3:::acr-storage-*-region-an",
+        "arn:aws:s3:::acr-storage-*-region-an/*"
+    ],
+    "Condition": {
+        "StringEquals": {
+            "aws:PrincipalServiceName": "bedrock-agentcore.amazonaws.com"
+        }
+    }
@@ -269,20 +279 @@ If your agent runtime uses VPC mode with session storage, the agent will need ne
-Replace `region` with your AWS Region (for example, `us-west-2`) and `account-id` with the account ID for your region from the table below. The required actions are `s3:GetObject` and `s3:PutObject`.
-
-If your S3 Gateway endpoint policy requires account-level restrictions, you can use the following AWS account IDs for session storage in each Region:
-
-Session storage account IDs by Region Region | Account ID  
----|---  
-Asia Pacific (Tokyo) – ap-northeast-1 | 046651569190  
-Asia Pacific (Seoul) – ap-northeast-2 | 894064921762  
-Asia Pacific (Mumbai) – ap-south-1 | 883086653949  
-Asia Pacific (Singapore) – ap-southeast-1 | 426567131211  
-Asia Pacific (Sydney) – ap-southeast-2 | 502881461673  
-Canada (Central) – ca-central-1 | 408585017259  
-Europe (Frankfurt) – eu-central-1 | 215229808186  
-Europe (Stockholm) – eu-north-1 | 335057493446  
-Europe (Ireland) – eu-west-1 | 440913182437  
-Europe (London) – eu-west-2 | 476199653545  
-Europe (Paris) – eu-west-3 | 798429904384  
-US East (N. Virginia) – us-east-1 | 642137767729  
-US East (Ohio) – us-east-2 | 623592712076  
-US West (Oregon) – us-west-2 | 306679390385  
+Replace `region` with your AWS Region (for example, `us-west-2`).