AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-19 · Documentation low

File: bedrock-agentcore/latest/devguide/policy-getting-started.md

Summary

Updated troubleshooting entry to clarify that FAIL_ON_ANY_FINDINGS runs both schema checks and semantic validation, while IGNORE_ALL_FINDINGS only runs schema checks.

Security assessment

This change improves documentation about validation modes and their security implications. It warns that IGNORE_ALL_FINDINGS skips semantic validation, which could lead to security issues if used in production, but doesn't indicate a specific security vulnerability was addressed.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-getting-started.md b/bedrock-agentcore/latest/devguide/policy-getting-started.md
index 77aac1ff8..5378376fb 100644
--- a//bedrock-agentcore/latest/devguide/policy-getting-started.md
+++ b//bedrock-agentcore/latest/devguide/policy-getting-started.md
@@ -359 +359 @@ Tool call denied unexpectedly |  The policy engine is enforcing and the Cedar po
-Deploy fails with policy validation error |  The default validation mode `FAIL_ON_ANY_FINDINGS` rejects policies with any validation findings. For testing, you can set the validation mode to `IGNORE_ALL_FINDINGS` . For production, fix the Cedar policy to pass validation.  
+Deploy fails with policy validation error |  The default validation mode `FAIL_ON_ANY_FINDINGS` runs both schema checks and semantic validation, rejecting the policy if either produces findings. You can set the validation mode to `IGNORE_ALL_FINDINGS` to run only schema checks if you don’t need semantic validation. For production, fix the Cedar policy to pass both schema checks and semantic validation.