AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-04 · Documentation low

File: bedrock-agentcore/latest/devguide/policy-limitations-section.md

Summary

Removed section about fine-grained authorization limitations on IAM principals in Cedar policies for IAM-authenticated Gateways

Security assessment

This change removes documentation about a limitation where Cedar policies couldn't restrict specific IAM principals. While this could indicate the limitation has been addressed, there's no explicit evidence of a security vulnerability being fixed. The change appears to be documentation cleanup or feature enhancement.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-limitations-section.md b/bedrock-agentcore/latest/devguide/policy-limitations-section.md
index 98c7b1cf6..c17c02acb 100644
--- a//bedrock-agentcore/latest/devguide/policy-limitations-section.md
+++ b//bedrock-agentcore/latest/devguide/policy-limitations-section.md
@@ -5 +5 @@
-Cedar language limitationsCurrent implementation limitationsFine-grained authorization on IAM principals
+Cedar language limitationsCurrent implementation limitations
@@ -41,17 +40,0 @@ These implementation limitations may be addressed in future releases.
-## Fine-grained authorization on IAM principals
-
-When using an IAM-authenticated Gateway, fine-grained authorization on IAM principals is not currently supported in Cedar policies.
-
-For Gateways configured with IAM authentication:
-
-  * The `principal` in Cedar policies must remain unconstrained (wildcard).
-
-  * You cannot use `==`, `in`, or `is` constraints to restrict specific IAM principals within Cedar.
-
-  * Policies such as `permit(principal, action, resource);` express a wildcard principal by leaving the `principal` variable unconstrained.
-
-
-
-
-To implement fine-grained authorization on the calling IAM principal, use IAM policies. IAM policies are evaluated before Cedar policies during request processing. After IAM authorization succeeds, Cedar policies can be used to enforce fine-grained constraints on actions, resources, tool inputs, and contextual attributes.
-