AWS bedrock-agentcore documentation change
Summary
Clarified validation mode behavior for policy engine, explaining that schema checks always run and detailing differences between FAIL_ON_ANY_FINDINGS and IGNORE_ALL_FINDINGS modes
Security assessment
This change clarifies security validation behavior for policies but doesn't indicate a specific security vulnerability was fixed. It improves documentation about security features (policy validation modes) which helps users understand security implications of their validation choices.
Diff
diff --git a/bedrock-agentcore/latest/devguide/add-policies-to-engine.md b/bedrock-agentcore/latest/devguide/add-policies-to-engine.md index 9ef5ba0cb..8fb3c9df4 100644 --- a//bedrock-agentcore/latest/devguide/add-policies-to-engine.md +++ b//bedrock-agentcore/latest/devguide/add-policies-to-engine.md @@ -13 +13 @@ You can create one or more policies in your policy engine to control how agents -Use the policy engine ID from the previous step. The validation mode determines how policy validation findings are handled: `FAIL_ON_ANY_FINDINGS` will reject policies with validation issues, while `IGNORE_ALL_FINDINGS` will accept them. For more information about validation and the types of findings, see [Validate and test policies](./policy-validate-policies.html). +Use the policy engine ID from the previous step. The validation mode controls how findings are handled. Schema checks always run regardless of the validation mode. `FAIL_ON_ANY_FINDINGS` runs both schema checks and semantic validation, rejecting the policy if either produces findings. `IGNORE_ALL_FINDINGS` runs only schema checks, and policies are accepted as long as they pass. For more information about validation and the types of findings, see [Validate and test policies](./policy-validate-policies.html).