AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-01 · Documentation low

File: bedrock-agentcore/latest/devguide/service-linked-roles.md

Summary

Added documentation for a new service-linked role 'AWSServiceRoleForBedrockAgentCoreGatewayNetwork' used by AgentCore Gateway to manage VPC Lattice resources for private connectivity, including its policy, benefits, and lifecycle management.

Security assessment

This change documents a new IAM service-linked role and its associated permissions policy, which is a security feature. It explains how the role enables scoped-down networking permissions and managed resource lifecycle, improving security posture by limiting manual VPC Lattice configuration needs. There is no evidence of addressing a specific security vulnerability or incident; it's a feature introduction.

Diff

diff --git a/bedrock-agentcore/latest/devguide/service-linked-roles.md b/bedrock-agentcore/latest/devguide/service-linked-roles.md
index 352373b67..6a5ce857c 100644
--- a//bedrock-agentcore/latest/devguide/service-linked-roles.md
+++ b//bedrock-agentcore/latest/devguide/service-linked-roles.md
@@ -20,0 +21,2 @@ AgentCore uses the following service-linked roles:
+  * `AWSServiceRoleForBedrockAgentCoreGatewayNetwork` \- Manages Amazon VPC Lattice resources for AgentCore Gateway private connectivity
+
@@ -218,0 +221,120 @@ For implementation details, see [Authenticate and authorize with Inbound Auth an
+### Gateway service-linked role
+
+AgentCore uses the service-linked role named `AWSServiceRoleForBedrockAgentCoreGatewayNetwork` to allow AgentCore Gateway to create and manage Amazon VPC Lattice resources in your account on your behalf. This role is used when you configure a gateway target with a managed private endpoint, enabling AgentCore Gateway to set up the necessary VPC Lattice resource gateways for private connectivity to resources in your VPC.
+
+The `AWSServiceRoleForBedrockAgentCoreGatewayNetwork` service-linked role trusts the following services to assume the role:
+
+  * `bedrock-agentcore.amazonaws.com`
+
+
+
+
+The role permissions policy allows AgentCore to complete the following actions on the specified resources:
+
+You can view the complete policy at [BedrockAgentCoreGatewayNetworkServiceRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/BedrockAgentCoreGatewayNetworkServiceRolePolicy.html).
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "AllowSLRActionsForLattice",
+                "Effect": "Allow",
+                "Action": [
+                    "iam:CreateServiceLinkedRole"
+                ],
+                "Resource": [
+                    "arn:aws:iam::*:role/aws-service-role/vpc-lattice.amazonaws.com/AWSServiceRoleForVpcLattice"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "iam:AWSServiceName": "vpc-lattice.amazonaws.com"
+                    }
+                }
+            },
+            {
+                "Sid": "AllowResourceGatewayCreate",
+                "Effect": "Allow",
+                "Action": [
+                    "vpc-lattice:CreateResourceGateway",
+                    "vpc-lattice:TagResource"
+                ],
+                "Resource": [
+                    "arn:aws:vpc-lattice:*:*:resourcegateway/*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "aws:RequestTag/BedrockAgentCoreGatewayManaged": "true",
+                        "aws:ResourceTag/BedrockAgentCoreGatewayManaged": "true"
+                    }
+                }
+            },
+            {
+                "Sid": "AllowEC2PermissionsForResourceGatewayCreate",
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:DescribeSubnets",
+                    "ec2:DescribeVpcs",
+                    "ec2:DescribeSecurityGroups"
+                ],
+                "Resource": [
+                    "*"
+                ]
+            },
+            {
+                "Sid": "AllowResourceGatewayDelete",
+                "Effect": "Allow",
+                "Action": [
+                    "vpc-lattice:DeleteResourceGateway",
+                    "vpc-lattice:GetResourceGateway"
+                ],
+                "Resource": [
+                    "*"
+                ],
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceTag/BedrockAgentCoreGatewayManaged": "true"
+                    }
+                }
+            }
+        ]
+    }
+
+###### Understanding the Gateway Managed Lattice Feature
+
+The service-linked role is used to support the managed private endpoint feature for AgentCore Gateway targets. When you create a gateway target with a managed private endpoint, AgentCore uses this role to create and manage VPC Lattice resource gateways in your account on your behalf. These managed resource gateways enable private connectivity between AgentCore Gateway and resources in your VPC without requiring you to set up VPC Lattice resources manually.
+
+###### Key Benefits of Managed Lattice Resources
+
+  * **Simplified Setup** : Eliminates the need to manually create and configure VPC Lattice resource gateways
+
+  * **Scoped-down Networking permissions** : Application developers don't need VPC Lattice networking permissions in their own IAM policies
+
+  * **Managed Lifecycle** : AgentCore manages the full lifecycle of the Lattice resources, including creation, reuse, and cleanup
+
+  * **Automatic Provisioning** : The service-linked role is created automatically when you create a gateway target with a managed private endpoint
+
+
+
+
+###### How Managed Lattice Resources Work
+
+When you create a gateway target with a managed private endpoint:
+
+  1. You specify the VPC, subnets, and optional security groups for the private endpoint in the `managedLatticeResource` configuration
+
+  2. AgentCore creates the service-linked role automatically if it does not already exist
+
+  3. AgentCore uses the role to create a managed VPC Lattice resource gateway in your account, tagged with `BedrockAgentCoreGatewayManaged`
+
+  4. AgentCore sets up the necessary VPC Lattice resources to enable private connectivity
+
+  5. When you delete the gateway target, AgentCore cleans up the managed Lattice resources that are no longer in use
+
+
+
+
+###### Note
+
+The service-linked role can only manage VPC Lattice resource gateways that are tagged with `BedrockAgentCoreGatewayManaged`. It cannot modify or delete resource gateways that you create and manage yourself. If you use the self-managed Lattice resource option for your gateway targets, this service-linked role is not required.
+
@@ -226,0 +349,2 @@ You don't need to manually create service-linked roles. AgentCore creates them a
+  * **Gateway service-linked role** : Created when you create a AgentCore Gateway target with a managed private endpoint (`managedLatticeResource`) configuration
+
@@ -264,0 +389,14 @@ You must configure permissions to allow an IAM entity (such as a user, group, or
+###### For the Gateway service-linked role
+    
+    
+    {
+        "Effect": "Allow",
+        "Action": "iam:CreateServiceLinkedRole",
+        "Resource": "arn:aws:iam::*:role/aws-service-role/bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreGatewayNetwork",
+        "Condition": {
+            "StringEquals": {
+                "iam:AWSServiceName": "bedrock-agentcore.amazonaws.com"
+            }
+        }
+    }
+
@@ -269 +407 @@ These permissions are already included in the AWS managed policy [BedrockAgentCo
-AgentCore does not allow you to edit the `AWSServiceRoleForBedrockAgentCoreNetwork` or `AWSServiceRoleForBedrockAgentCoreRuntimeIdentity` service-linked roles. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role).
+AgentCore does not allow you to edit the `AWSServiceRoleForBedrockAgentCoreNetwork`, `AWSServiceRoleForBedrockAgentCoreRuntimeIdentity`, or `AWSServiceRoleForBedrockAgentCoreGatewayNetwork` service-linked roles. After you create a service-linked role, you cannot change the name of the role because various entities might reference the role. However, you can edit the description of the role using IAM. For more information, see [Editing a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#edit-service-linked-role).
@@ -278,0 +417,2 @@ If you no longer need to use a feature or service that requires a service-linked
+  * **Gateway service-linked role** : Delete all AgentCore Gateway targets that use managed private endpoints (`managedLatticeResource` configuration)
+
@@ -308,0 +449,2 @@ If you want to remove a service-linked role, you must first delete the appropria
+  * `AWSServiceRoleForBedrockAgentCoreGatewayNetwork`: Delete all AgentCore Gateway targets that use managed private endpoints. After all managed targets are deleted, AgentCore releases the managed VPC Lattice resource gateways that are no longer in use.
+