AWS bedrock-agentcore documentation change
Summary
Reformatted the document to change section headings and remove bullet points, making the content more compact. The same information about required IAM permissions, placeholders, and security best practices (like least-privilege) is retained.
Security assessment
The changes are primarily formatting and restructuring of existing content. The security implications of the documented IAM permissions remain the same. The change does not introduce or address any specific security vulnerability but maintains the existing security documentation.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-permissions.md b/bedrock-agentcore/latest/devguide/policy-permissions.md index d671ab78a..971a9d79b 100644 --- a//bedrock-agentcore/latest/devguide/policy-permissions.md +++ b//bedrock-agentcore/latest/devguide/policy-permissions.md @@ -39,12 +39 @@ The Gateway Execution Role is assumed by the Amazon Bedrock AgentCore Gateway se -###### Critical Permissions for Policy in AgentCore Integration - -The execution role must include these three permissions to use Amazon Bedrock AgentCore Gateway with Policy in AgentCore: - - 1. `bedrock-agentcore:AuthorizeAction` \- Evaluates Cedar policies for authorization decisions - - 2. `bedrock-agentcore:PartiallyAuthorizeActions` \- Lists tools the caller is authorized to invoke - - 3. `bedrock-agentcore:GetPolicyEngine` \- Retrieves the policy engine configuration - - - +###### Important @@ -52 +41 @@ The execution role must include these three permissions to use Amazon Bedrock Ag -Without these permissions, the Gateway cannot perform policy authorization. This manifests in two ways: attaching a Policy Engine to an existing Gateway will result in an InternalServerException, and all tool invocations will be denied by default even if you have permit policies configured. +The execution role must include these three permissions to use Amazon Bedrock AgentCore Gateway with Policy in AgentCore: . `bedrock-agentcore:AuthorizeAction` \- Evaluates Cedar policies for authorization decisions . `bedrock-agentcore:PartiallyAuthorizeActions` \- Lists tools the caller is authorized to invoke . `bedrock-agentcore:GetPolicyEngine` \- Retrieves the policy engine configuration Without these permissions, the Gateway cannot perform policy authorization. This manifests in two ways: attaching a Policy Engine to an existing Gateway will result in an InternalServerException, and all tool invocations will be denied by default even if you have permit policies configured. @@ -60,8 +49 @@ The Gateway Execution Role must trust the `bedrock-agentcore.amazonaws.com` serv -Replace the following placeholders: - - * `us-east-1` with the AWS Region - - * `123456789012` with the AWS account ID - - - +Replace the following placeholders: * `us-east-1` with the AWS Region * `123456789012` with the AWS account ID @@ -98,12 +80 @@ This policy grants the Amazon Bedrock AgentCore Gateway the necessary permission -Replace these placeholders: - - * `us-east-1` with the AWS Region - - * `123456789012` with the AWS account ID - - * `<gateway-id>` with the Gateway ID (or use `*` for all gateways) - - * `<policy-engine-id>` with the policy engine ID (or use `*` for all policy engines) - - - +Replace these placeholders: * `us-east-1` with the AWS Region * `123456789012` with the AWS account ID * `<gateway-id>` with the Gateway ID (or use * for all gateways) * `<policy-engine-id>` with the policy engine ID (or use * for all policy engines) @@ -142,6 +113 @@ Replace these placeholders: - * Additional permissions may be required depending on the Amazon Bedrock AgentCore Gateway integration type (e.g., Lambda functions, API Gateway endpoints). These permissions are not included here as they vary based on the specific integration. - - * For Production: Replace the placeholders with specific resource IDs (e.g., `policy-engine/my-policy-engine-id` instead of `policy-engine/<policy-engine-id>`) to follow least-privilege principles, or use wildcards (`*`) to allow access to all resources of that type. - - - +* Additional permissions may be required depending on the Amazon Bedrock AgentCore Gateway integration type (e.g., Lambda functions, API Gateway endpoints). These permissions are not included here as they vary based on the specific integration. * For Production: Replace the placeholders with specific resource IDs (e.g., `policy-engine/my-policy-engine-id` instead of `policy-engine/<policy-engine-id>` ) to follow least-privilege principles, or use wildcards ( * ) to allow access to all resources of that type. @@ -172,8 +138 @@ This role is separate from the Gateway Execution Role and is only needed when se -Replace these placeholders: - - * `us-east-1` with the AWS Region - - * `123456789012` with the AWS account ID - - - +Replace these placeholders: * `us-east-1` with the AWS Region * `123456789012` with the AWS account ID @@ -288,10 +247 @@ Replace these placeholders: -###### Policy Scope Management Permissions - -The `ManageResourceScopedPolicy` and `ManageAdminPolicy` actions are permission-only gates that control what types of Cedar policies administrators can create: - - * `ManageResourceScopedPolicy` \- Grants permission to create Cedar policies that target specific gateway ARNs (e.g., policies applying to `gateway/my-gateway-123`) - - * `ManageAdminPolicy` \- Grants permission to create Cedar policies with wildcards (e.g., policies applying to `gateway/*`) - - - +###### Important @@ -299 +249 @@ The `ManageResourceScopedPolicy` and `ManageAdminPolicy` actions are permission- -Both permissions are required for full policy management capability. These are not API operations but rather authorization checks that determine the scope of Cedar policies that can be created through the Policy Management APIs. +The `ManageResourceScopedPolicy` and `ManageAdminPolicy` actions are permission-only gates that control what types of Cedar policies administrators can create: * `ManageResourceScopedPolicy` \- Grants permission to create Cedar policies that target specific gateway ARNs (e.g., policies applying to `gateway/my-gateway-123` ) * `ManageAdminPolicy` \- Grants permission to create Cedar policies with wildcards (e.g., policies applying to gateway/* ) Both permissions are required for full policy management capability. These are not API operations but rather authorization checks that determine the scope of Cedar policies that can be created through the Policy Management APIs. @@ -328 +278 @@ Custom IAM roles require the Policy in AgentCore permissions documented in this -For production environments, scope the Policy in AgentCore permissions to specific resource ARNs rather than using wildcards. Replace `policy-engine/*` and `gateway/*` with the specific policy engine and gateway IDs in your permission policies. +For production environments, scope the Policy in AgentCore permissions to specific resource ARNs rather than using wildcards. Replace policy-engine/* and gateway/* with the specific policy engine and gateway IDs in your permission policies. @@ -358 +308 @@ This section covers common issues when configuring IAM permissions for Amazon Be -If you attach a Policy Engine to an existing Gateway using the Policy Engine console, the IAM permissions may not be automatically updated. You must manually add these permissions to the Gateway's Service-Linked Role. +If you attach a Policy Engine to an existing Gateway using the Policy Engine console, the IAM permissions may not be automatically updated. You must manually add these permissions to the Gateway’s Service-Linked Role. @@ -372 +322 @@ If you attach a Policy Engine to an existing Gateway using the Policy Engine con -**Root Cause:** The Gateway Execution Role's policy uses incorrect ARN patterns or is missing the policy-engine resource. +**Root Cause:** The Gateway Execution Role’s policy uses incorrect ARN patterns or is missing the policy-engine resource.