AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-19 · Documentation low

File: bedrock-agentcore/latest/devguide/policy-create-update-validation.md

Summary

Clarified policy validation behavior: schema checks always run regardless of validation mode, and semantic validation only runs with FAIL_ON_ANY_FINDINGS mode. Added note about IGNORE_ALL_FINDINGS mode only running schema checks.

Security assessment

This change documents security validation behavior but doesn't indicate a specific security issue was fixed. It clarifies that semantic validation (which checks for security issues like overly permissive policies) can be bypassed with IGNORE_ALL_FINDINGS mode, which could impact security if misconfigured.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-create-update-validation.md b/bedrock-agentcore/latest/devguide/policy-create-update-validation.md
index bd7575c8d..fdf0bb41b 100644
--- a//bedrock-agentcore/latest/devguide/policy-create-update-validation.md
+++ b//bedrock-agentcore/latest/devguide/policy-create-update-validation.md
@@ -15 +15 @@ When creating or updating policies directly (not through generation), validation
-  1. The policy is validated against the Cedar schema for **all gateways** associated with the policy engine
+  1. The policy is checked against the Cedar schema for **all gateways** associated with the policy engine. Schema checks always run regardless of the validation mode.
@@ -17 +17 @@ When creating or updating policies directly (not through generation), validation
-  2. Analysis runs in the context of the **entire policy engine**
+  2. If the validation mode is set to `FAIL_ON_ANY_FINDINGS`, semantic validation runs in the context of the **entire policy engine** , checking for overly permissive, overly restrictive, and ineffective policies. If either schema checks or semantic validation produces findings, the policy is rejected. For details on each check, see [Validation and analysis overview](./policy-validation-overview.html).
@@ -19 +18,0 @@ When creating or updating policies directly (not through generation), validation
-  3. The validation mode determines whether creation fails on findings. For more information about validation modes, see [Add policies to the Policy Engine](./add-policies-to-engine.html)
@@ -22,0 +22,3 @@ When creating or updating policies directly (not through generation), validation
+###### Note
+
+With `IGNORE_ALL_FINDINGS`, only schema checks run. Policies are accepted as long as they pass the schema checks. For more information, see [Add policies to the Policy Engine](./add-policies-to-engine.html).