AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-04 · Documentation medium

File: bedrock-agentcore/latest/devguide/policy-scope.md

Summary

Added documentation for IAM Entity Principal type and how to use pattern matching on IAM ARN for access control in IAM-authenticated gateways

Security assessment

This change adds security documentation about IAM entity principals and how to implement account-based or role-based access control using pattern matching on IAM ARNs. It enhances security guidance but doesn't fix a specific vulnerability.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-scope.md b/bedrock-agentcore/latest/devguide/policy-scope.md
index 158a7cd08..85e6ca35e 100644
--- a//bedrock-agentcore/latest/devguide/policy-scope.md
+++ b//bedrock-agentcore/latest/devguide/policy-scope.md
@@ -40 +40,5 @@ Entity format: `Namespace::EntityType::"identifier"`
-The principal identifies the entity making the authorization request:
+The principal identifies the entity making the authorization request. The principal type depends on how your AgentCore Gateway is configured for authentication.
+
+### OAuth User Principal
+
+When using OAuth authorization, the principal is an `AgentCore::OAuthUser`:
@@ -50 +54 @@ Components:
-  * `AgentCore::OAuthUser` \- Entity type representing authenticated users
+  * `AgentCore::OAuthUser` \- Entity type representing OAuth-authenticated users
@@ -58,0 +63,21 @@ Principals are OAuth-authenticated users. Each user has a unique ID from the JWT
+### IAM Entity Principal
+
+When using AWS_IAM authorization, the principal is an `AgentCore::IamEntity`:
+    
+    
+    principal is AgentCore::IamEntity
+        
+
+Components:
+
+  * `principal` \- The entity making the authorization request
+
+  * `AgentCore::IamEntity` \- Entity type representing IAM-authenticated callers
+
+  * `is` \- Type check operator (matches any IamEntity)
+
+
+
+
+IAM principals have an `id` attribute containing the caller's IAM ARN. You can use pattern matching on this attribute to implement account-based or role-based access control.
+