AWS bedrock-agentcore documentation change
Summary
Updated troubleshooting entry to clarify that FAIL_ON_ANY_FINDINGS runs both schema checks and semantic validation, while IGNORE_ALL_FINDINGS only runs schema checks.
Security assessment
This change improves documentation about validation modes and their security implications. It warns that IGNORE_ALL_FINDINGS skips semantic validation, which could lead to security issues if used in production, but doesn't indicate a specific security vulnerability was addressed.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-getting-started.md b/bedrock-agentcore/latest/devguide/policy-getting-started.md index 77aac1ff8..5378376fb 100644 --- a//bedrock-agentcore/latest/devguide/policy-getting-started.md +++ b//bedrock-agentcore/latest/devguide/policy-getting-started.md @@ -359 +359 @@ Tool call denied unexpectedly | The policy engine is enforcing and the Cedar po -Deploy fails with policy validation error | The default validation mode `FAIL_ON_ANY_FINDINGS` rejects policies with any validation findings. For testing, you can set the validation mode to `IGNORE_ALL_FINDINGS` . For production, fix the Cedar policy to pass validation. +Deploy fails with policy validation error | The default validation mode `FAIL_ON_ANY_FINDINGS` runs both schema checks and semantic validation, rejecting the policy if either produces findings. You can set the validation mode to `IGNORE_ALL_FINDINGS` to run only schema checks if you don’t need semantic validation. For production, fix the Cedar policy to pass both schema checks and semantic validation.