AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-10 · Documentation low

File: bedrock-agentcore/latest/devguide/policy-encryption.md

Summary

Updated documentation with typographical fixes (straight quotes to curly quotes), minor formatting changes to a list, and corrected formatting for a kms:ViaService example and error message text.

Security assessment

The changes are purely editorial and formatting in nature. They involve typographical corrections (e.g., 'service's' to 'service’s'), reformatting a bulleted list into a single line, and adjusting the formatting of a code example and an error message. There is no mention of a vulnerability, security patch, incident response, or change in security posture. The content describes existing encryption features without adding new security guidance or altering security recommendations.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-encryption.md b/bedrock-agentcore/latest/devguide/policy-encryption.md
index 928f9b9c1..9494ae884 100644
--- a//bedrock-agentcore/latest/devguide/policy-encryption.md
+++ b//bedrock-agentcore/latest/devguide/policy-encryption.md
@@ -11 +11 @@ Policy in AgentCore provides encryption by default to protect sensitive customer
-  * Reduce the operational burden on service's end to protect sensitive data
+  * Reduce the operational burden on service’s end to protect sensitive data
@@ -32 +32 @@ Policy in AgentCore integrates with AWS KMS to manage encryption keys used for e
-The default encryption type. Policy in AgentCore owns the key at no additional charge to you and encrypts resource data at rest upon creation. No additional configuration is required in your code or applications to encrypt or decrypt your data using the key owned by Policy in AgentCore. You don't need to view, manage, use, or audit these keys. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the AWS KMS Developer Guide.
+The default encryption type. Policy in AgentCore owns the key at no additional charge to you and encrypts resource data at rest upon creation. No additional configuration is required in your code or applications to encrypt or decrypt your data using the key owned by Policy in AgentCore. You don’t need to view, manage, use, or audit these keys. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the AWS KMS Developer Guide.
@@ -52 +52 @@ The Policy in AgentCore encryption at rest feature uses a KMS key and a hierarch
-Policy in AgentCore supports only symmetric AWS KMS keys. You can't use an asymmetric KMS key to encrypt your Policy in AgentCore resources.
+Policy in AgentCore supports only symmetric AWS KMS keys. You can’t use an asymmetric KMS key to encrypt your Policy in AgentCore resources.
@@ -83 +83 @@ When you delete a policy engine with a customer managed key, Policy in AgentCore
-If you need to revoke grants manually, always revoke both the policy management grant and the policy evaluation grant. Revoking only one grant does not fully remove the service's access to your key and may result in inconsistent behavior. You can view and manage grants for your key using the AWS KMS console or the `list-grants` AWS CLI command.
+If you need to revoke grants manually, always revoke both the policy management grant and the policy evaluation grant. Revoking only one grant does not fully remove the service’s access to your key and may result in inconsistent behavior. You can view and manage grants for your key using the AWS KMS console or the `list-grants` AWS CLI command.
@@ -145 +144 @@ The `kms:ViaService` condition key limits use of a KMS key to requests from spec
-In the key policy, the `kms:ViaService` value follows the format `bedrock-agentcore.`REGION`.amazonaws.com`, where `REGION` is the AWS Region where your policy engine is created (for example, `bedrock-agentcore.us-east-1.amazonaws.com`).
+In the key policy, the `kms:ViaService` value follows the format `bedrock-agentcore.REGION.amazonaws.com` , where `REGION` is the AWS Region where your policy engine is created (for example, `bedrock-agentcore.us-east-1.amazonaws.com` ).
@@ -167,8 +165 @@ Based on the concepts in the previous sections, the following example key policy
-Replace the following values in the key policy:
-
-  * `111122223333` — Replace with your AWS account ID
-
-  * `us-east-1` — Replace with your AWS Region
-
-
-
+Replace the following values in the key policy: * `111122223333` — Replace with your AWS account ID * `us-east-1` — Replace with your AWS Region
@@ -329 +317 @@ The following limitations apply to customer managed key encryption for policy en
-  * After you revoke Policy in AgentCore's access to a customer managed key for an existing encrypted policy engine, all authorization decisions will be denied because the policy engine can no longer decrypt policy data.
+  * After you revoke Policy in AgentCore’s access to a customer managed key for an existing encrypted policy engine, all authorization decisions will be denied because the policy engine can no longer decrypt policy data.
@@ -342 +330 @@ This section describes common customer managed key related errors you might enco
-This could mean that the caller lacks the required `kms:*` action permissions in their IAM policy or AWS KMS key policy, or that the key being referenced does not exist or no longer exists.
+This could mean that the caller lacks the required kms:* action permissions in their IAM policy or AWS KMS key policy, or that the key being referenced does not exist or no longer exists.
@@ -350 +338 @@ This could mean that the caller lacks the required `kms:*` action permissions in
-  3. Verify that the caller's IAM policy includes the required AWS KMS permissions (`kms:CreateGrant`, `kms:Decrypt`, `kms:GenerateDataKey`, `kms:DescribeKey`).
+  3. Verify that the caller’s IAM policy includes the required AWS KMS permissions ( `kms:CreateGrant` , `kms:Decrypt` , `kms:GenerateDataKey` , `kms:DescribeKey` ).