AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-19 · Documentation low

File: bedrock-agentcore/latest/devguide/policy-validation-overview.md

Summary

Renamed sections from 'Cedar validation' to 'Schema checks' and 'Cedar analysis' to 'Semantic validation'. Added new 'Validation modes' section explaining FAIL_ON_ANY_FINDINGS (default) and IGNORE_ALL_FINDINGS modes and their security implications.

Security assessment

This change restructures and enhances documentation about policy validation security features. It explicitly warns that IGNORE_ALL_FINDINGS is not recommended for production because it skips semantic validation that catches security issues. No evidence of a specific security vulnerability being addressed.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-validation-overview.md b/bedrock-agentcore/latest/devguide/policy-validation-overview.md
index abb0a2886..7d57e2c2a 100644
--- a//bedrock-agentcore/latest/devguide/policy-validation-overview.md
+++ b//bedrock-agentcore/latest/devguide/policy-validation-overview.md
@@ -7 +7 @@
-Cedar validation (static analysis)Cedar analysis (automated reasoning)
+Schema checksSemantic validation (automated reasoning)Validation modes
@@ -11 +11 @@ Cedar validation (static analysis)Cedar analysis (automated reasoning)
-## Cedar validation (static analysis)
+## Schema checks
@@ -13,3 +13 @@ Cedar validation (static analysis)Cedar analysis (automated reasoning)
-Cedar validation performs static analysis to ensure policies are syntactically correct and comply with the schema:
-
-  * **Syntax correctness** — Verifies Cedar policy language syntax
+Schema checks verify that policies comply with the Cedar schema for your gateways:
@@ -24 +22 @@ Cedar validation performs static analysis to ensure policies are syntactically c
-## Cedar analysis (automated reasoning)
+## Semantic validation (automated reasoning)
@@ -26 +24 @@ Cedar validation performs static analysis to ensure policies are syntactically c
-Cedar analysis uses automated reasoning to detect potential security and logic issues:
+Semantic validation uses automated reasoning to detect potential security and logic issues:
@@ -36,0 +35,11 @@ Cedar analysis uses automated reasoning to detect potential security and logic i
+## Validation modes
+
+The `validationMode` parameter controls whether semantic validation runs during policy creation and updates. It does **not** affect schema checks, which always run.
+
+  * `FAIL_ON_ANY_FINDINGS` (default) — Both schema checks and semantic validation run. If either produces findings, the policy is rejected.
+
+  * `IGNORE_ALL_FINDINGS` — Only schema checks run. Policies are accepted as long as they pass the schema checks. This is not recommended for production because semantic validation catches security and logic issues that schema checks alone cannot detect.
+
+
+
+