AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2026-05-10 · Security-related medium

File: bedrock-agentcore/latest/devguide/policy-generation-validation.md

Summary

Updated action names from double underscore (__) to triple underscore (___) in policy examples and validation messages

Security assessment

Fixes policy syntax that could cause overly permissive access if misinterpreted. Corrects validation warnings to prevent potential authorization vulnerabilities.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-generation-validation.md b/bedrock-agentcore/latest/devguide/policy-generation-validation.md
index cffe3a20b..d05e7609f 100644
--- a//bedrock-agentcore/latest/devguide/policy-generation-validation.md
+++ b//bedrock-agentcore/latest/devguide/policy-generation-validation.md
@@ -84 +84 @@ The response includes each generated policy with its Cedar definition and valida
-              "statement": "permit(\n  principal is AgentCore::OAuthUser,\n  action == AgentCore::Action::\"RefundTool__process_refund\",\n  resource == AgentCore::Gateway::\"arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/MyGateway-xyz789\"\n) when {\n  context.input.amount <= 500\n};"
+              "statement": "permit(\n  principal is AgentCore::OAuthUser,\n  action == AgentCore::Action::\"RefundTool___process_refund\",\n  resource == AgentCore::Gateway::\"arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/MyGateway-xyz789\"\n) when {\n  context.input.amount <= 500\n};"
@@ -98 +98 @@ The response includes each generated policy with its Cedar definition and valida
-              "statement": "permit(\n  principal,\n  action == AgentCore::Action::\"RefundTool__view_order_history\",\n  resource\n);"
+              "statement": "permit(\n  principal,\n  action == AgentCore::Action::\"RefundTool___view_order_history\",\n  resource\n);"
@@ -104 +104 @@ The response includes each generated policy with its Cedar definition and valida
-              "description": "Overly Permissive: Policy Engine will allow every request for the specified principal (AgentCore::OAuthUser), action (RefundTool__view_order_history) and resource (gateway/*) combination if the policy is added or updated"
+              "description": "Overly Permissive: Policy Engine will allow every request for the specified principal (AgentCore::OAuthUser), action (RefundTool___view_order_history) and resource (gateway/*) combination if the policy is added or updated"
@@ -134 +134 @@ A policy flagged as overly permissive:
-          "description": "Overly Permissive: Policy Engine will allow every request for the specified principal (AgentCore::OAuthUser), action (RefundTool__view_order_history) and resource (gateway/*) combination if the policy is added or updated"
+          "description": "Overly Permissive: Policy Engine will allow every request for the specified principal (AgentCore::OAuthUser), action (RefundTool___view_order_history) and resource (gateway/*) combination if the policy is added or updated"