AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-04 · Documentation low

File: bedrock-agentcore/latest/devguide/policy-conditions.md

Summary

Updated documentation to include IAM entity attributes alongside OAuth claims, providing details on principal attributes for both authentication types

Security assessment

This change expands security documentation by adding comprehensive information about IAM entity attributes for IAM-authenticated gateways, including ARN formats and pattern matching examples. It enhances the security documentation by covering both authentication methods (OAuth and IAM) but does not address any specific security vulnerability or incident. The change improves clarity on how to implement access controls using different authentication mechanisms.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-conditions.md b/bedrock-agentcore/latest/devguide/policy-conditions.md
index 07e01538e..df3348cb5 100644
--- a//bedrock-agentcore/latest/devguide/policy-conditions.md
+++ b//bedrock-agentcore/latest/devguide/policy-conditions.md
@@ -5 +5 @@
-Condition typesTool argumentsOAuth claimsLogical operators
+Condition typesTool argumentsPrincipal attributesLogical operators
@@ -59 +59 @@ Policies can make decisions based on specific tool call parameters.
-## OAuth claims
+## Principal attributes
@@ -61 +61,5 @@ Policies can make decisions based on specific tool call parameters.
-OAuth claims from the JWT token are stored as tags on the OAuthUser entity. Example JWT claims:
+Principal attributes differ based on the authentication type configured for your AgentCore Gateway.
+
+### OAuth claims (tags)
+
+For OAuth-authenticated gateways, JWT claims from the OAuth token are stored as tags on the OAuthUser entity. Example JWT claims:
@@ -89,0 +94,31 @@ Pattern matching:
+### IAM entity attributes
+
+For IAM-authenticated gateways, the principal has an `id` attribute containing the caller's IAM ARN. IAM principals do not support tags.
+
+The `principal.id` attribute contains the full IAM ARN in one of these formats:
+
+  * **IAM user:** `arn:aws:iam::123456789012:user/username`
+
+  * **IAM role (assumed):** `arn:aws:sts::123456789012:assumed-role/role-name/session-name`
+
+  * **IAM role:** `arn:aws:iam::123456789012:role/role-name`
+
+
+
+
+Use the `like` operator with wildcards to match patterns in the IAM ARN:
+    
+    
+    // Match specific AWS account
+    principal.id like "*:123456789012:*"
+    
+    // Match specific IAM role
+    principal.id like "arn:aws:iam::*:role/AdminRole"
+    
+    // Match any role in a specific account
+    principal.id like "arn:aws:iam::123456789012:role/*"
+    
+    // Match assumed role sessions
+    principal.id like "arn:aws:sts::*:assumed-role/ServiceRole/*"
+        
+