AWS bedrock-agentcore documentation change
Summary
Updated documentation with formatting changes, link updates, and consolidation of bullet points. Changed apostrophe usage from 'you'll' to 'you’ll' and updated internal links. Removed redundant JSON code block markers and restructured sections for clarity.
Security assessment
The changes are primarily formatting, grammatical, and structural improvements. There is no evidence of addressing a specific security vulnerability or weakness. The update to the link for resource-based policies (from './resource-based-policies.html' to './security.html#resource-based-policies') is a documentation reorganization, not a security fix. The mention of adding the Condition field as a 'best security practice' is a pre-existing security recommendation, not a new security feature or response to an incident.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-prerequisites-permissions.md b/bedrock-agentcore/latest/devguide/gateway-prerequisites-permissions.md index 900ff729d..a59f654e6 100644 --- a//bedrock-agentcore/latest/devguide/gateway-prerequisites-permissions.md +++ b//bedrock-agentcore/latest/devguide/gateway-prerequisites-permissions.md @@ -9 +9 @@ Gateway builder and user permissionsAgentCore Gateway service role permissionsBe -To use Amazon Bedrock AgentCore Gateway and its capabilities, you'll need to consider the following permissions: +To use Amazon Bedrock AgentCore Gateway and its capabilities, you’ll need to consider the following permissions: @@ -13 +13 @@ To use Amazon Bedrock AgentCore Gateway and its capabilities, you'll need to con - 2. **Gateway service role permissions** – Permissions provided to a service role that you'll create for your gateway. These permissions allow the Amazon Bedrock AgentCore service to perform actions on behalf of the identity that invokes the gateway. + 2. **Gateway service role permissions** – Permissions provided to a service role that you’ll create for your gateway. These permissions allow the Amazon Bedrock AgentCore service to perform actions on behalf of the identity that invokes the gateway. @@ -15 +15 @@ To use Amazon Bedrock AgentCore Gateway and its capabilities, you'll need to con - 3. **Resource-based permissions** – Permissions attached to resources to allow the gateway service role to access it. You'll include the Amazon Resource Name (ARN) of the gateway service role as the `Principal` in the resource-based policy. + 3. **Resource-based permissions** – Permissions attached to resources to allow the gateway service role to access it. You’ll include the Amazon Resource Name (ARN) of the gateway service role as the `Principal` in the resource-based policy. @@ -17 +17 @@ To use Amazon Bedrock AgentCore Gateway and its capabilities, you'll need to con - 4. **Gateway resource-based policies** – Policies attached directly to your gateway resources to control which principals can invoke them. For more information, see [Resource-based policies for Amazon Bedrock AgentCore](./resource-based-policies.html). + 4. **Gateway resource-based policies** – Policies attached directly to your gateway resources to control which principals can invoke them. For more information, see [Resource-based policies for Amazon Bedrock AgentCore](./security.html#resource-based-policies). @@ -24,8 +24 @@ To use Amazon Bedrock AgentCore Gateway and its capabilities, you'll need to con -If you prefer not to set up custom permissions, you can use the following options for easy setup: - - * Attach the [BedrockAgentCoreFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/BedrockAgentCoreFullAccess.html) to an IAM identity to allow it to create, manage, and invoke gateways. - - * Use the AWS Management Console or AgentCore CLI to create an AgentCore gateway service role with the proper permissions and gateway targets with the proper resource-based policies to allow the service role to access them. - - - +If you prefer not to set up custom permissions, you can use the following options for easy setup: * Attach the [BedrockAgentCoreFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/BedrockAgentCoreFullAccess.html) to an IAM identity to allow it to create, manage, and invoke gateways. * Use the AWS Management Console or AgentCore CLI to create an AgentCore gateway service role with the proper permissions and gateway targets with the proper resource-based policies to allow the service role to access them. @@ -52,6 +44,0 @@ For greater security and control, you can create your own custom policy by reduc -JSON - - -**** - - @@ -76,8 +63 @@ JSON - - -The following custom policy is a more restrictive one that only allows read access to gateways and gateway targets:: - -JSON - - -**** +The following custom policy is a more restrictive one that only allows read access to gateways and gateway targets @@ -107 +85 @@ JSON -In addition to gateway-related permissions, you'll also need to configure permissions for identities to be able to access the gateway during invocation. You'll configure these permissions when you [set up inbound authorization](./gateway-inbound-auth.html). +In addition to gateway-related permissions, you’ll also need to configure permissions for identities to be able to access the gateway during invocation. You’ll configure these permissions when you [set up inbound authorization](./gateway-inbound-auth.html). @@ -111 +89 @@ In addition to gateway-related permissions, you'll also need to configure permis -When creating a gateway, you need a service role that has permissions to assume an IAM role and to access AWS resources and external services on the IAM role's behalf. You can create the service role in the following ways: +When creating a gateway, you need a service role that has permissions to assume an IAM role and to access AWS resources and external services on the IAM role’s behalf. You can create the service role in the following ways: @@ -115 +93 @@ When creating a gateway, you need a service role that has permissions to assume - * If you prefer to create your own service role for greater customization, you'll need to configure the role with the permissions outlined in this topic. To learn how to create a service role and attach permissions to it, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-service.html). + * If you prefer to create your own service role for greater customization, you’ll need to configure the role with the permissions outlined in this topic. To learn how to create a service role and attach permissions to it, see [Create a role to delegate permissions to an AWS service](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles_create_for-service.html). @@ -139,6 +116,0 @@ The following is an example of a trust policy that you can use. -JSON - - -**** - - @@ -171,8 +142 @@ JSON -Because you won't know the gateway ARN before you create it, you can omit the `Condition` field when you first create the service role. After you create the gateway, add the `Condition` field back to the policy as a best security practice and do the following: - - * Replace the `aws:SourceAccount` condition key value with the ID of the account that the gateway belongs to. - - * Replace the `aws:SourceArn` condition key with the ARN of the gateway. - - - +Because you won’t know the gateway ARN before you create it, you can omit the `Condition` field when you first create the service role. After you create the gateway, add the `Condition` field back to the policy as a best security practice and do the following: * Replace the `aws:SourceAccount` condition key value with the ID of the account that the gateway belongs to. * Replace the `aws:SourceArn` condition key with the ARN of the gateway. @@ -201,3 +164,0 @@ Select a topic to learn how to set up the permissions: - * Attach an identity-based policy to the gateway service role - - * (If function is in another account) Attach a resource-based policy to the Lambda function @@ -207,2 +168 @@ Select a topic to learn how to set up the permissions: - -##### Attach an identity-based policy to the gateway service role +===== Attach an identity-based policy to the gateway service role @@ -229 +189 @@ Replace the ARN in the `Resource` field with the ARN of your Lambda function gat -##### (If function is in another account) Attach a resource-based policy to the Lambda function +===== (If function is in another account) Attach a resource-based policy to the Lambda function @@ -254,0 +215,2 @@ Replace the values of the following fields: +To learn how to attach a resource-based policy to the Lambda function that allows your gateway service role to access the function, select one of the following methods + @@ -258 +219,0 @@ Replace the values of the following fields: -To learn how to attach a resource-based policy to the Lambda function that allows your gateway service role to access the function, select one of the following methods:: @@ -263 +224 @@ Console -###### To attach a resource-based policy to your Lambda function in the AWS Management Console + 1. ====== To attach a resource-based policy to your Lambda function in the AWS Management Console @@ -265 +226 @@ Console - 1. Follow the steps in the **Console** tab at [Viewing resource-based IAM policies in Lambda](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html). + 2. Follow the steps in the **Console** tab at [Viewing resource-based IAM policies in Lambda](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html). @@ -267 +228 @@ Console - 2. In the **Resource-based policy statements** section, choose **Add permissions**. + 3. In the **Resource-based policy statements** section, choose **Add permissions**. @@ -269 +230 @@ Console - 3. Select **AWS account** and fill out the following fields: + 4. Select **AWS account** and fill out the following fields: @@ -283 +244 @@ CLI -To attach a resource-based policy to your Lambda function using the AWS CLI, follow the steps at [Granting Lambda function access to AWS services](https://docs.aws.amazon.com/lambda/latest/dg/permissions-function-services.html) and specify your gateway service role as the `principal`. + 1. To attach a resource-based policy to your Lambda function using the AWS CLI, follow the steps at [Granting Lambda function access to AWS services](https://docs.aws.amazon.com/lambda/latest/dg/permissions-function-services.html) and specify your gateway service role as the `principal`. @@ -295 +254,0 @@ You can run the following code in a terminal to add permissions for your gateway -If you plan to include a gateway target tool definition from an Amazon S3 URI, you'll need to include permissions for the gateway service role to access the bucket. The [AmazonS3ReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonS3ReadOnlyAccess.html) policy is an example of a policy that you can attach to the service role. You can scope the `Resource` to the S3 location for greater security. @@ -297 +255,0 @@ If you plan to include a gateway target tool definition from an Amazon S3 URI, y -If you plan to add a Smithy target, you need to add permissions for the gateway service role to access AWS services that your Smithy models refer to. To determine which permissions need to be attached to the service role, refer to that service's documentation. @@ -299 +256,0 @@ If you plan to add a Smithy target, you need to add permissions for the gateway -You can add permissions to the service role by choosing the topic at [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) that pertains to your use case and following the steps. @@ -301 +258 @@ You can add permissions to the service role by choosing the topic at [Adding and -For example, if your Smithy model target accesses a DynamoDB table, you can attach the following policy to allow the service role to perform DynamoDB operations on the table: +###### Example @@ -303 +260 @@ For example, if your Smithy model target accesses a DynamoDB table, you can atta -JSON +If you plan to include a gateway target tool definition from an Amazon S3 URI, you’ll need to include permissions for the gateway service role to access the bucket. The [AmazonS3ReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonS3ReadOnlyAccess.html) policy is an example of a policy that you can attach to the service role. You can scope the `Resource` to the S3 location for greater security. @@ -304,0 +262 @@ JSON +If you plan to add a Smithy target, you need to add permissions for the gateway service role to access AWS services that your Smithy models refer to. To determine which permissions need to be attached to the service role, refer to that service’s documentation. @@ -306 +264 @@ JSON -**** +You can add permissions to the service role by choosing the topic at [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) that pertains to your use case and following the steps. @@ -307,0 +266 @@ JSON +For example, if your Smithy model target accesses a DynamoDB table, you can attach the following policy to allow the service role to perform DynamoDB operations on the table: