AWS bedrock-agentcore documentation change
Summary
Updated documentation formatting and typography, including changing straight apostrophes to curly apostrophes, adding example headings, reformatting CLI command examples with numbering and placeholder notation (++ ++), and minor text corrections in a troubleshooting table.
Security assessment
The changes are purely presentational and instructional, focusing on improving readability and command formatting. There is no mention of patching a vulnerability, addressing a security incident, or changing security-relevant behavior. The content still describes the same security feature (policy engine for authorization) without adding new security information or indicating a response to a security issue.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-getting-started.md b/bedrock-agentcore/latest/devguide/policy-getting-started.md index 7ef66e7c8..964cc7474 100644 --- a//bedrock-agentcore/latest/devguide/policy-getting-started.md +++ b//bedrock-agentcore/latest/devguide/policy-getting-started.md @@ -5 +5 @@ -PrerequisitesStep 1: Setup and installStep 2: Add a gateway with a policy engineStep 3: DeployStep 4: Test the policyWhat you've builtTroubleshootingClean up +PrerequisitesStep 1: Setup and installStep 2: Add a gateway with a policy engineStep 3: DeployStep 4: Test the policyWhat you’ve builtTroubleshootingClean up @@ -9 +9 @@ PrerequisitesStep 1: Setup and installStep 2: Add a gateway with a policy engine -In this tutorial, you'll learn how to set up Policy in AgentCore and integrate it with a Amazon Bedrock AgentCore Gateway using the AgentCore CLI. You'll create a refund processing tool with Cedar policies that enforce business rules for refund amounts. +In this tutorial, you’ll learn how to set up Policy in AgentCore and integrate it with a Amazon Bedrock AgentCore Gateway using the AgentCore CLI. You’ll create a refund processing tool with Cedar policies that enforce business rules for refund amounts. @@ -23 +23 @@ In this tutorial, you'll learn how to set up Policy in AgentCore and integrate i - * What you've built + * What you’ve built @@ -56 +56 @@ Create a new AgentCore project: -AgentCore CLI +###### Example @@ -57,0 +58 @@ AgentCore CLI +AgentCore CLI @@ -60 +61 @@ AgentCore CLI - agentcore create --name PolicyDemo --defaults + 1. agentcore create --name PolicyDemo --defaults @@ -68 +72,4 @@ Interactive -You can also run `agentcore create` without flags to use the interactive wizard. The wizard guides you through selecting a project name, agent framework, model provider, and other options. After project creation, change into the project directory with **cd PolicyDemo**. + 1. You can also run `agentcore create` without flags to use the interactive wizard. The wizard guides you through selecting a project name, agent framework, model provider, and other options. After project creation, change into the project directory with **cd PolicyDemo**. + + + @@ -77,0 +85,2 @@ Create a gateway with no inbound authorization (for simplicity in this tutorial) +###### Example + @@ -80,0 +90,3 @@ AgentCore CLI + 1. agentcore add gateway --name PolicyGateway --authorizer-type NONE --runtimes PolicyDemo + + @@ -82 +93,0 @@ AgentCore CLI - agentcore add gateway --name PolicyGateway --authorizer-type NONE --runtimes PolicyDemo @@ -87 +98 @@ Interactive -Run `agentcore` to open the TUI, then select **add** and choose **Gateway** : + 1. Run `agentcore` to open the TUI, then select **add** and choose **Gateway** : @@ -89 +100 @@ Run `agentcore` to open the TUI, then select **add** and choose **Gateway** : - 1. Enter the gateway name: + 2. Enter the gateway name: @@ -93 +104 @@ Run `agentcore` to open the TUI, then select **add** and choose **Gateway** : - 2. Select the authorizer type. For this tutorial, choose **NONE** : + 3. Select the authorizer type. For this tutorial, choose **NONE** : @@ -97 +108 @@ Run `agentcore` to open the TUI, then select **add** and choose **Gateway** : - 3. Configure advanced options or accept the defaults: + 4. Configure advanced options or accept the defaults: @@ -101 +112 @@ Run `agentcore` to open the TUI, then select **add** and choose **Gateway** : - 4. Review the configuration and press **Enter** to confirm: + 5. Review the configuration and press **Enter** to confirm: @@ -112 +123 @@ Register your Lambda function as a gateway target with a tool schema that define -AgentCore CLI +###### Example @@ -113,0 +125 @@ AgentCore CLI +AgentCore CLI @@ -116,2 +128,2 @@ AgentCore CLI - agentcore add gateway-target --name RefundTarget --type lambda-function-arn \ - --lambda-arn <YOUR_LAMBDA_ARN> \ + 1. agentcore add gateway-target --name RefundTarget --type lambda-function-arn \ + --lambda-arn ++<YOUR_LAMBDA_ARN>++ \ @@ -126 +141 @@ Interactive -Run `agentcore` to open the TUI, then select **add** and choose **Gateway Target** : + 1. Run `agentcore` to open the TUI, then select **add** and choose **Gateway Target** : @@ -128 +143 @@ Run `agentcore` to open the TUI, then select **add** and choose **Gateway Target - 1. Enter the target name. + 2. Enter the target name. @@ -130 +145 @@ Run `agentcore` to open the TUI, then select **add** and choose **Gateway Target - 2. Select **Lambda function** as the target type: + 3. Select **Lambda function** as the target type: @@ -134 +149 @@ Run `agentcore` to open the TUI, then select **add** and choose **Gateway Target - 3. Enter the Lambda ARN and tool schema file path, then confirm. + 4. Enter the Lambda ARN and tool schema file path, then confirm. @@ -143 +158 @@ Create a policy engine and attach it to the gateway in ENFORCE mode: -AgentCore CLI +###### Example @@ -144,0 +160 @@ AgentCore CLI +AgentCore CLI @@ -147 +163 @@ AgentCore CLI - agentcore add policy-engine --name RefundPolicyEngine \ + 1. agentcore add policy-engine --name RefundPolicyEngine \ @@ -154 +173 @@ Interactive -Run `agentcore` to open the TUI, then select **add** and choose **Policy Engine** : + 1. Run `agentcore` to open the TUI, then select **add** and choose **Policy Engine** : @@ -156 +175 @@ Run `agentcore` to open the TUI, then select **add** and choose **Policy Engine* - 1. Enter the policy engine name: + 2. Enter the policy engine name: @@ -160 +179 @@ Run `agentcore` to open the TUI, then select **add** and choose **Policy Engine* - 2. Select the gateways to attach the policy engine to: + 3. Select the gateways to attach the policy engine to: @@ -164 +183 @@ Run `agentcore` to open the TUI, then select **add** and choose **Policy Engine* - 3. Choose the enforcement mode. Select **ENFORCE** : + 4. Choose the enforcement mode. Select **ENFORCE** : @@ -196 +215 @@ The `--generate` flag requires the gateway to be deployed first, because it call -The CLI commands above configure several resources in your AgentCore project. Here's a detailed explanation of each component. +The CLI commands above configure several resources in your AgentCore project. Here’s a detailed explanation of each component. @@ -223 +242 @@ The **agentcore add gateway-target** command registers a Lambda function as a ta -The **agentcore add policy-engine** command creates a policy engine — a collection of Cedar policies that evaluates and authorizes agent tool calls. The policy engine intercepts all requests at the gateway boundary and determines whether to allow or deny each action based on the defined policies. This provides deterministic authorization outside of the agent's code, ensuring consistent security enforcement regardless of how the agent is implemented. +The **agentcore add policy-engine** command creates a policy engine — a collection of Cedar policies that evaluates and authorizes agent tool calls. The policy engine intercepts all requests at the gateway boundary and determines whether to allow or deny each action based on the defined policies. This provides deterministic authorization outside of the agent’s code, ensuring consistent security enforcement regardless of how the agent is implemented. @@ -294 +313 @@ The refund amount of $500 is under the $1000 limit, so the policy engine permits - curl -X POST <GATEWAY_URL> \ + curl -X POST ++<GATEWAY_URL>++ \ @@ -303 +322 @@ The refund amount of $2000 exceeds the $1000 limit, so the policy engine denies - curl -X POST <GATEWAY_URL> \ + curl -X POST ++<GATEWAY_URL>++ \ @@ -311 +330 @@ Replace `<GATEWAY_URL>` with the gateway URL shown in the output of **agentcore -## What you've built +## What you’ve built @@ -313 +332 @@ Replace `<GATEWAY_URL>` with the gateway URL shown in the output of **agentcore -Through this tutorial, you've created: +Through this tutorial, you’ve created: @@ -332 +351 @@ Issue | Solution -"AccessDeniedException" | Check IAM permissions for `bedrock-agentcore:*` +"AccessDeniedException" | Check IAM permissions for bedrock-agentcore:* @@ -336,2 +355,2 @@ Policy not enforced | Verify the policy engine is attached in ENFORCE mode by ru -Cedar validation error during deploy | Cedar policies must use specific resource ARNs — wildcard resources (e.g., `permit(principal, action, resource);`) are rejected. Use the gateway ARN from **agentcore status** in your Cedar policy's `resource` field. -Tool call denied unexpectedly | The policy engine is enforcing and the Cedar policy denied the request. Verify that the policy's `action` and `resource` fields match the tool call being made. +Cedar validation error during deploy | Cedar policies must use specific resource ARNs — wildcard resources (e.g., `permit(principal, action, resource);` ) are rejected. Use the gateway ARN from **agentcore status** in your Cedar policy’s `resource` field. +Tool call denied unexpectedly | The policy engine is enforcing and the Cedar policy denied the request. Verify that the policy’s `action` and `resource` fields match the tool call being made.