AWS bedrock-agentcore documentation change
Summary
Added documentation for IAM Entity Principal type and how to use pattern matching on IAM ARN for access control in IAM-authenticated gateways
Security assessment
This change adds security documentation about IAM entity principals and how to implement account-based or role-based access control using pattern matching on IAM ARNs. It enhances security guidance but doesn't fix a specific vulnerability.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-scope.md b/bedrock-agentcore/latest/devguide/policy-scope.md index 158a7cd08..85e6ca35e 100644 --- a//bedrock-agentcore/latest/devguide/policy-scope.md +++ b//bedrock-agentcore/latest/devguide/policy-scope.md @@ -40 +40,5 @@ Entity format: `Namespace::EntityType::"identifier"` -The principal identifies the entity making the authorization request: +The principal identifies the entity making the authorization request. The principal type depends on how your AgentCore Gateway is configured for authentication. + +### OAuth User Principal + +When using OAuth authorization, the principal is an `AgentCore::OAuthUser`: @@ -50 +54 @@ Components: - * `AgentCore::OAuthUser` \- Entity type representing authenticated users + * `AgentCore::OAuthUser` \- Entity type representing OAuth-authenticated users @@ -58,0 +63,21 @@ Principals are OAuth-authenticated users. Each user has a unique ID from the JWT +### IAM Entity Principal + +When using AWS_IAM authorization, the principal is an `AgentCore::IamEntity`: + + + principal is AgentCore::IamEntity + + +Components: + + * `principal` \- The entity making the authorization request + + * `AgentCore::IamEntity` \- Entity type representing IAM-authenticated callers + + * `is` \- Type check operator (matches any IamEntity) + + + + +IAM principals have an `id` attribute containing the caller's IAM ARN. You can use pattern matching on this attribute to implement account-based or role-based access control. +