AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-10 · Documentation low

File: bedrock-agentcore/latest/devguide/example-policies.md

Summary

Updated all action names in example policies from double underscores (__) to triple underscores (___)

Security assessment

Syntax change only modifies naming convention in policy examples without altering security logic or addressing vulnerabilities.

Diff

diff --git a/bedrock-agentcore/latest/devguide/example-policies.md b/bedrock-agentcore/latest/devguide/example-policies.md
index 0d6487ec3..7ee0f9f08 100644
--- a//bedrock-agentcore/latest/devguide/example-policies.md
+++ b//bedrock-agentcore/latest/devguide/example-policies.md
@@ -32 +32 @@ The Insurance API provides five tools for managing insurance policies and claims
-InsuranceAPI__get_policy
+InsuranceAPI___get_policy
@@ -44 +44 @@ Retrieve insurance policy details.
-InsuranceAPI__file_claim
+InsuranceAPI___file_claim
@@ -62 +62 @@ File an insurance claim.
-InsuranceAPI__update_coverage
+InsuranceAPI___update_coverage
@@ -78 +78 @@ Update policy coverage.
-InsuranceAPI__get_claim_status
+InsuranceAPI___get_claim_status
@@ -90 +90 @@ Check claim status.
-InsuranceAPI__calculate_premium
+InsuranceAPI___calculate_premium
@@ -122,2 +122,2 @@ This policy demonstrates how to grant access to multiple related actions using a
-        AgentCore::Action::"InsuranceAPI__get_policy",
-        AgentCore::Action::"InsuranceAPI__get_claim_status"
+        AgentCore::Action::"InsuranceAPI___get_policy",
+        AgentCore::Action::"InsuranceAPI___get_claim_status"
@@ -141 +141 @@ This policy shows how to use OAuth scopes to control access to specific operatio
-      action == AgentCore::Action::"InsuranceAPI__file_claim",
+      action == AgentCore::Action::"InsuranceAPI___file_claim",
@@ -162 +162 @@ This policy demonstrates using the `unless` clause to create exceptions to restr
-      action == AgentCore::Action::"InsuranceAPI__update_coverage",
+      action == AgentCore::Action::"InsuranceAPI___update_coverage",
@@ -183 +183 @@ This policy shows how to validate input parameters and use OR logic for multiple
-      action == AgentCore::Action::"InsuranceAPI__file_claim",
+      action == AgentCore::Action::"InsuranceAPI___file_claim",
@@ -206 +206 @@ This policy demonstrates how to enforce business rules by requiring optional fie
-      action == AgentCore::Action::"InsuranceAPI__file_claim",
+      action == AgentCore::Action::"InsuranceAPI___file_claim",
@@ -226 +226 @@ This policy shows how to grant access based on specific user identities.
-      action == AgentCore::Action::"InsuranceAPI__update_coverage",
+      action == AgentCore::Action::"InsuranceAPI___update_coverage",
@@ -247 +247 @@ This policy demonstrates flexible pattern matching using wildcards for category-
-      action == AgentCore::Action::"InsuranceAPI__calculate_premium",
+      action == AgentCore::Action::"InsuranceAPI___calculate_premium",
@@ -268 +268 @@ This policy shows how to combine multiple conditions to create complex authoriza
-      action == AgentCore::Action::"InsuranceAPI__update_coverage",
+      action == AgentCore::Action::"InsuranceAPI___update_coverage",
@@ -375 +375 @@ This policy permits any IAM-authenticated caller to use a specific tool:
-      action == AgentCore::Action::"OrderAPI__get_order",
+      action == AgentCore::Action::"OrderAPI___get_order",
@@ -388 +388 @@ Restrict tool access to callers from specific AWS accounts:
-      action == AgentCore::Action::"OrderAPI__process_order",
+      action == AgentCore::Action::"OrderAPI___process_order",
@@ -404 +404 @@ Restrict administrative tools to specific IAM roles:
-      action == AgentCore::Action::"AdminAPI__delete_resource",
+      action == AgentCore::Action::"AdminAPI___delete_resource",
@@ -420 +420 @@ Combine IAM principal matching with tool input validation:
-      action == AgentCore::Action::"RefundAPI__process_refund",
+      action == AgentCore::Action::"RefundAPI___process_refund",
@@ -438 +438 @@ Block callers from specific AWS accounts from accessing sensitive tools:
-      action == AgentCore::Action::"AdminAPI__delete_resource",
+      action == AgentCore::Action::"AdminAPI___delete_resource",