AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-10 · Documentation low

File: bedrock-agentcore/latest/devguide/example-policies.md

Summary

Minor formatting and typographical changes including removal of blank lines, apostrophe formatting changes, and removal of backticks from pattern examples in Cedar policy documentation

Security assessment

These are typographical and formatting changes only. The security content remains identical - the examples still demonstrate the same authorization patterns, IAM role restrictions, and Cedar policy semantics. No security vulnerabilities are addressed, and no new security features are documented. The changes include formatting apostrophes (don't → don't) and removing code formatting from pattern examples (*:111122223333:* instead of `*:111122223333:*`), which doesn't affect security meaning.

Diff

diff --git a/bedrock-agentcore/latest/devguide/example-policies.md b/bedrock-agentcore/latest/devguide/example-policies.md
index b812cea14..452b4a427 100644
--- a//bedrock-agentcore/latest/devguide/example-policies.md
+++ b//bedrock-agentcore/latest/devguide/example-policies.md
@@ -215,2 +211 @@ This policy demonstrates how to enforce business rules by requiring optional fie
-
-**Explanation:** This policy demonstrates enforcing required fields for optional parameters. The description field is optional in the tool schema, but this policy makes it mandatory by forbidding requests that don't include it. This shows how policies can add business rules beyond schema validation.
+**Explanation:** This policy demonstrates enforcing required fields for optional parameters. The description field is optional in the tool schema, but this policy makes it mandatory by forbidding requests that don’t include it. This shows how policies can add business rules beyond schema validation.
@@ -291 +283 @@ These policies demonstrate key Cedar authorization semantics:
-If no policy explicitly permits an action, it's denied. For example, a user without the "insurance:claim" scope cannot file claims even though no policy explicitly forbids it.
+If no policy explicitly permits an action, it’s denied. For example, a user without the "insurance:claim" scope cannot file claims even though no policy explicitly forbids it.
@@ -372 +364 @@ Scenario 6: Premium calculation for auto coverage
-When your AgentCore Gateway uses AWS_IAM authentication instead of OAuth, the principal in Cedar policies is represented as `AgentCore::IamEntity`. IAM principals have an `id` attribute containing the caller's IAM ARN, which enables account-based and role-based access control using pattern matching.
+When your AgentCore Gateway uses AWS_IAM authentication instead of OAuth, the principal in Cedar policies is represented as `AgentCore::IamEntity` . IAM principals have an `id` attribute containing the caller’s IAM ARN, which enables account-based and role-based access control using pattern matching.
@@ -402,2 +393 @@ Restrict tool access to callers from specific AWS accounts:
-
-**Explanation:** The `principal.id` contains the full IAM ARN (e.g., `arn:aws:iam::111122223333:role/MyRole`). The pattern `*:111122223333:*` matches any ARN containing that account ID. This restricts access to callers from the specified AWS account only.
+**Explanation:** The `principal.id` contains the full IAM ARN (e.g., `arn:aws:iam::111122223333:role/MyRole` ). The pattern *:111122223333:* matches any ARN containing that account ID. This restricts access to callers from the specified AWS account only.
@@ -419,2 +409 @@ Restrict administrative tools to specific IAM roles:
-
-**Explanation:** This policy uses pattern matching to restrict access to callers using a specific IAM role name. The wildcard `*` in the account position allows the role from any account. To restrict to a specific account, use the full account ID: `arn:aws:iam::111122223333:role/AdminRole`.
+**Explanation:** This policy uses pattern matching to restrict access to callers using a specific IAM role name. The wildcard * in the account position allows the role from any account. To restrict to a specific account, use the full account ID: `arn:aws:iam::111122223333:role/AdminRole`.