AWS bedrock-agentcore documentation change
Summary
Reformatted policy names and condensed policy update history table entries into single lines
Security assessment
Changes are formatting/readability improvements. The policy update history content remains the same (describing added permissions for ECR, Bedrock, CloudWatch, CloudTrail, KMS, S3). No evidence of addressing a specific security vulnerability or adding new security guidance.
Diff
diff --git a/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md b/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md index af4d51b69..5ab80086e 100644 --- a//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md +++ b//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md @@ -5 +5 @@ -BedrockAgentCoreFullAccessBedrockAgentCoreNetworkServiceRolePolicyAmazonBedrockAgentCoreMemoryBedrockModelInferenceExecutionRolePolicyBedrockAgentCoreRuntimeIdentityServiceRolePolicyPolicy updates +AWS managed policy: BedrockAgentCoreFullAccessAWS managed policy: BedrockAgentCoreNetworkServiceRolePolicyAWS managed policy: AmazonBedrockAgentCoreMemoryBedrockModelInferenceExecutionRolePolicyAWS managed policy: BedrockAgentCoreRuntimeIdentityServiceRolePolicyAgentCore updates to AWS managed policies @@ -11 +11 @@ An AWS managed policy is a standalone policy that is created and administered by -Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they're available for all AWS customers to use. We recommend that you reduce permissions further by defining [ customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases. +Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they’re available for all AWS customers to use. We recommend that you reduce permissions further by defining [customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#customer-managed-policies) that are specific to your use cases. @@ -140,18 +140,2 @@ Change | Description | Date -BedrockAgentCoreFullAccess – Updated policy | - - * Added Amazon Elastic Container Registry permissions (`ecr:DescribeRepositories`, `ecr:DescribeImages`, `ecr:ListImages`) to allow Amazon Bedrock AgentCore to access container images for runtime deployments. - * Added Amazon Bedrock permissions (`bedrock:InvokeModel`, `bedrock:InvokeModelWithResponseStream`) to allow Amazon Bedrock AgentCore Evaluations to invoke foundation models and inference profiles for evaluation purposes. - * Added CloudWatch Logs permissions for evaluations (`logs:CreateLogGroup` for `/aws/bedrock-agentcore/evaluations/*` log groups, `logs:PutIndexPolicy`, `logs:DescribeIndexPolicies`) to support evaluation logging and indexing. - -| December 2, 2025 -BedrockAgentCoreFullAccess – Updated policy | - - * Added the `cloudtrail:CreateServiceLinkedChannel` permission to allow Amazon Bedrock AgentCore to create a CloudTrail service-linked channel for the Application Signals feature. - * Added `kms:CreateGrant` permission to allow the Amazon Bedrock AgentCore Gateway service to create grants on customer managed keys for the S3 vectors service used for semantic search. - * Added `kms:ListGrants` permission to check if previously created grants exist. - * Added S3 permissions to create bucket, put bucket policy, versioning, put object for buckets with prefix bedrock-agentcore-runtime-. - * Added list buckets, list objects in the bucket, and get object permissions. - * Added ECR permissions to describe repositories, list images, and describe images. - * Added logs `PutResourcePolicy` permissions to enable transaction search. - -| November 3, 2025 +BedrockAgentCoreFullAccess – Updated policy | Added Amazon Elastic Container Registry permissions ( `ecr:DescribeRepositories` , `ecr:DescribeImages` , `ecr:ListImages` ) to allow Amazon Bedrock AgentCore to access container images for runtime deployments. Added Amazon Bedrock permissions ( `bedrock:InvokeModel` , `bedrock:InvokeModelWithResponseStream` ) to allow Amazon Bedrock AgentCore Evaluations to invoke foundation models and inference profiles for evaluation purposes. Added CloudWatch Logs permissions for evaluations ( `logs:CreateLogGroup` for /aws/bedrock-agentcore/evaluations/* log groups, `logs:PutIndexPolicy` , `logs:DescribeIndexPolicies` ) to support evaluation logging and indexing. | December 2, 2025 +BedrockAgentCoreFullAccess – Updated policy | Added the `cloudtrail:CreateServiceLinkedChannel` permission to allow Amazon Bedrock AgentCore to create a CloudTrail service-linked channel for the Application Signals feature. Added `kms:CreateGrant` permission to allow the Amazon Bedrock AgentCore Gateway service to create grants on customer managed keys for the S3 vectors service used for semantic search. Added `kms:ListGrants` permission to check if previously created grants exist. Added S3 permissions to create bucket, put bucket policy, versioning, put object for buckets with prefix bedrock-agentcore-runtime-. Added list buckets, list objects in the bucket, and get object permissions. Added ECR permissions to describe repositories, list images, and describe images. Added logs `PutResourcePolicy` permissions to enable transaction search. | November 3, 2025