AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-04 · Documentation low

File: bedrock-agentcore/latest/devguide/gateway-fine-grained-access-control.md

Summary

Updated gateway-level access control description to include AWS IAM authentication and added new section on IAM principal matching for Cedar policies to restrict access based on IAM ARN.

Security assessment

The changes expand documentation for fine-grained access control to include IAM authentication methods, providing guidance on implementing access control policies. No evidence of a security issue being addressed; this is an enhancement to security feature documentation.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-fine-grained-access-control.md b/bedrock-agentcore/latest/devguide/gateway-fine-grained-access-control.md
index 7175f7f43..b27938b65 100644
--- a//bedrock-agentcore/latest/devguide/gateway-fine-grained-access-control.md
+++ b//bedrock-agentcore/latest/devguide/gateway-fine-grained-access-control.md
@@ -37 +37 @@ Fine-grained access control in Gateway can be implemented at multiple levels:
-Controls which users or agents can connect to and authenticate with the gateway through OAuth authorization servers.
+Controls which users or agents can connect to and authenticate with the gateway through OAuth authorization servers or AWS IAM authentication.
@@ -62,0 +63,5 @@ Use interceptors to examine JWT claims such as user roles, departments, or custo
+**IAM principal matching**
+    
+
+For IAM-authenticated gateways, implement access control by matching against the caller's IAM ARN. Use pattern matching on `principal.id` in Cedar policies to restrict access based on AWS accounts, roles, or users.
+