AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-19 · Documentation low

File: bedrock-agentcore/latest/devguide/add-policies-to-engine.md

Summary

Clarified validation mode behavior for policy engine, explaining that schema checks always run and detailing differences between FAIL_ON_ANY_FINDINGS and IGNORE_ALL_FINDINGS modes

Security assessment

This change clarifies security validation behavior for policies but doesn't indicate a specific security vulnerability was fixed. It improves documentation about security features (policy validation modes) which helps users understand security implications of their validation choices.

Diff

diff --git a/bedrock-agentcore/latest/devguide/add-policies-to-engine.md b/bedrock-agentcore/latest/devguide/add-policies-to-engine.md
index 9ef5ba0cb..8fb3c9df4 100644
--- a//bedrock-agentcore/latest/devguide/add-policies-to-engine.md
+++ b//bedrock-agentcore/latest/devguide/add-policies-to-engine.md
@@ -13 +13 @@ You can create one or more policies in your policy engine to control how agents
-Use the policy engine ID from the previous step. The validation mode determines how policy validation findings are handled: `FAIL_ON_ANY_FINDINGS` will reject policies with validation issues, while `IGNORE_ALL_FINDINGS` will accept them. For more information about validation and the types of findings, see [Validate and test policies](./policy-validate-policies.html).
+Use the policy engine ID from the previous step. The validation mode controls how findings are handled. Schema checks always run regardless of the validation mode. `FAIL_ON_ANY_FINDINGS` runs both schema checks and semantic validation, rejecting the policy if either produces findings. `IGNORE_ALL_FINDINGS` runs only schema checks, and policies are accepted as long as they pass. For more information about validation and the types of findings, see [Validate and test policies](./policy-validate-policies.html).