AWS bedrock-agentcore documentation change
Summary
Clarified policy validation behavior: schema checks always run regardless of validation mode, and semantic validation only runs with FAIL_ON_ANY_FINDINGS mode. Added note about IGNORE_ALL_FINDINGS mode only running schema checks.
Security assessment
This change documents security validation behavior but doesn't indicate a specific security issue was fixed. It clarifies that semantic validation (which checks for security issues like overly permissive policies) can be bypassed with IGNORE_ALL_FINDINGS mode, which could impact security if misconfigured.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-create-update-validation.md b/bedrock-agentcore/latest/devguide/policy-create-update-validation.md index bd7575c8d..fdf0bb41b 100644 --- a//bedrock-agentcore/latest/devguide/policy-create-update-validation.md +++ b//bedrock-agentcore/latest/devguide/policy-create-update-validation.md @@ -15 +15 @@ When creating or updating policies directly (not through generation), validation - 1. The policy is validated against the Cedar schema for **all gateways** associated with the policy engine + 1. The policy is checked against the Cedar schema for **all gateways** associated with the policy engine. Schema checks always run regardless of the validation mode. @@ -17 +17 @@ When creating or updating policies directly (not through generation), validation - 2. Analysis runs in the context of the **entire policy engine** + 2. If the validation mode is set to `FAIL_ON_ANY_FINDINGS`, semantic validation runs in the context of the **entire policy engine** , checking for overly permissive, overly restrictive, and ineffective policies. If either schema checks or semantic validation produces findings, the policy is rejected. For details on each check, see [Validation and analysis overview](./policy-validation-overview.html). @@ -19 +18,0 @@ When creating or updating policies directly (not through generation), validation - 3. The validation mode determines whether creation fails on findings. For more information about validation modes, see [Add policies to the Policy Engine](./add-policies-to-engine.html) @@ -22,0 +22,3 @@ When creating or updating policies directly (not through generation), validation +###### Note + +With `IGNORE_ALL_FINDINGS`, only schema checks run. Policies are accepted as long as they pass the schema checks. For more information, see [Add policies to the Policy Engine](./add-policies-to-engine.html).