AWS bedrock-agentcore medium security documentation change
Summary
Updated action names from double underscore (__) to triple underscore (___) in policy examples and validation messages
Security assessment
Fixes policy syntax that could cause overly permissive access if misinterpreted. Corrects validation warnings to prevent potential authorization vulnerabilities.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-generation-validation.md b/bedrock-agentcore/latest/devguide/policy-generation-validation.md index cffe3a20b..d05e7609f 100644 --- a//bedrock-agentcore/latest/devguide/policy-generation-validation.md +++ b//bedrock-agentcore/latest/devguide/policy-generation-validation.md @@ -84 +84 @@ The response includes each generated policy with its Cedar definition and valida - "statement": "permit(\n principal is AgentCore::OAuthUser,\n action == AgentCore::Action::\"RefundTool__process_refund\",\n resource == AgentCore::Gateway::\"arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/MyGateway-xyz789\"\n) when {\n context.input.amount <= 500\n};" + "statement": "permit(\n principal is AgentCore::OAuthUser,\n action == AgentCore::Action::\"RefundTool___process_refund\",\n resource == AgentCore::Gateway::\"arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/MyGateway-xyz789\"\n) when {\n context.input.amount <= 500\n};" @@ -98 +98 @@ The response includes each generated policy with its Cedar definition and valida - "statement": "permit(\n principal,\n action == AgentCore::Action::\"RefundTool__view_order_history\",\n resource\n);" + "statement": "permit(\n principal,\n action == AgentCore::Action::\"RefundTool___view_order_history\",\n resource\n);" @@ -104 +104 @@ The response includes each generated policy with its Cedar definition and valida - "description": "Overly Permissive: Policy Engine will allow every request for the specified principal (AgentCore::OAuthUser), action (RefundTool__view_order_history) and resource (gateway/*) combination if the policy is added or updated" + "description": "Overly Permissive: Policy Engine will allow every request for the specified principal (AgentCore::OAuthUser), action (RefundTool___view_order_history) and resource (gateway/*) combination if the policy is added or updated" @@ -134 +134 @@ A policy flagged as overly permissive: - "description": "Overly Permissive: Policy Engine will allow every request for the specified principal (AgentCore::OAuthUser), action (RefundTool__view_order_history) and resource (gateway/*) combination if the policy is added or updated" + "description": "Overly Permissive: Policy Engine will allow every request for the specified principal (AgentCore::OAuthUser), action (RefundTool___view_order_history) and resource (gateway/*) combination if the policy is added or updated"