AWS bedrock-agentcore documentation change
Summary
Updated documentation for AgentCore service-linked roles with minor editorial changes including updated headings, punctuation fixes (apostrophes), and clarification of role-specific context throughout the document.
Security assessment
The changes are primarily editorial and formatting updates (changing heading styles from markdown '######' to bold '**', updating apostrophes, and adding 'AgentCore' specificity to section titles). There is no evidence of addressing a specific security vulnerability, weakness, or incident. The document already discusses security features (service-linked roles), but these changes do not add new security documentation or address security flaws.
Diff
diff --git a/bedrock-agentcore/latest/devguide/service-linked-roles.md b/bedrock-agentcore/latest/devguide/service-linked-roles.md index 9a11ea76f..e1a9589d4 100644 --- a//bedrock-agentcore/latest/devguide/service-linked-roles.md +++ b//bedrock-agentcore/latest/devguide/service-linked-roles.md @@ -5 +5 @@ -Service-linked role permissionsCreating a service-linked roleEditing a service-linked roleDeleting a service-linked role +AgentCore service-linked role permissionsCreating a service-linked role for AgentCoreEditing a service-linked role for AgentCoreDeleting a service-linked role for AgentCore @@ -11 +11 @@ Amazon Bedrock AgentCore uses AWS Identity and Access Management (IAM) service-l -A service-linked role makes using AgentCore easier because you don't have to manually add the necessary permissions. AgentCore defines the permissions of its service-linked roles, and unless defined otherwise, only AgentCore can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. +A service-linked role makes using AgentCore easier because you don’t have to manually add the necessary permissions. AgentCore defines the permissions of its service-linked roles, and unless defined otherwise, only AgentCore can assume its roles. The defined permissions include the trust policy and the permissions policy, and that permissions policy cannot be attached to any other IAM entity. @@ -13 +13 @@ A service-linked role makes using AgentCore easier because you don't have to man -You can delete the roles only after first deleting their related resources. This protects your AgentCore resources because you can't inadvertently remove permission to access the resources. +You can delete the roles only after first deleting their related resources. This protects your AgentCore resources because you can’t inadvertently remove permission to access the resources. @@ -159 +159 @@ For information about changes to this policy, see [AgentCore updates to AWS mana -###### Understanding the Identity Feature +**Understanding the Identity Feature** @@ -163 +163 @@ The service-linked role is used to support OAuth authentication and JWT bearer t -###### Key Benefits of Identity Management +**Key Benefits of Identity Management** @@ -176 +176 @@ The service-linked role is used to support OAuth authentication and JWT bearer t -###### How Identity Management Works +**How Identity Management Works** @@ -193 +193 @@ When you invoke an AgentCore Runtime with OAuth authentication or JWT bearer tok -###### Migration from Legacy Approach +**Migration from Legacy Approach** @@ -303 +303 @@ You can view the complete policy at [BedrockAgentCoreGatewayNetworkServiceRolePo -###### Understanding the Gateway Managed Lattice Feature +**Understanding the Gateway Managed Lattice Feature** @@ -307 +307 @@ The service-linked role is used to support the managed private endpoint feature -###### Key Benefits of Managed Lattice Resources +**Key Benefits of Managed Lattice Resources** @@ -311 +311 @@ The service-linked role is used to support the managed private endpoint feature - * **Scoped-down Networking permissions** : Application developers don't need VPC Lattice networking permissions in their own IAM policies + * **Scoped-down Networking permissions** : Application developers don’t need VPC Lattice networking permissions in their own IAM policies @@ -320 +320 @@ The service-linked role is used to support the managed private endpoint feature -###### How Managed Lattice Resources Work +**How Managed Lattice Resources Work** @@ -343 +343 @@ The service-linked role can only manage VPC Lattice resource gateways that are t -You don't need to manually create service-linked roles. AgentCore creates them automatically when needed: +You don’t need to manually create service-linked roles. AgentCore creates them automatically when needed: @@ -360 +360 @@ You must configure permissions to allow an IAM entity (such as a user, group, or -###### For the Network service-linked role +**For the Network service-linked role** @@ -374 +374 @@ You must configure permissions to allow an IAM entity (such as a user, group, or -###### For the Identity service-linked role +**For the Identity service-linked role** @@ -389 +389 @@ You must configure permissions to allow an IAM entity (such as a user, group, or -###### For the Gateway service-linked role +**For the Gateway service-linked role** @@ -411 +411 @@ AgentCore does not allow you to edit the `AWSServiceRoleForBedrockAgentCoreNetwo -If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. However, you must delete all your AgentCore resources that use the service-linked role before you can delete the role: +If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don’t have an unused entity that is not actively monitored or maintained. However, you must delete all your AgentCore resources that use the service-linked role before you can delete the role: @@ -426 +426 @@ Before you can use IAM to delete a service-linked role, you must first confirm t -###### To check whether the service-linked role has an active session in the IAM console +**To check whether the service-linked role has an active session in the IAM console**