AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-16 · Documentation medium

File: bedrock-agentcore/latest/devguide/harness-security.md

Summary

Updated IAM policy examples to use specific ARN placeholders instead of wildcards, added guidance on least privilege access, included new sections for custom browser/code interpreter resources, added shared responsibility model reference, and created placeholder reference table

Security assessment

Changes promote security best practices by demonstrating least privilege IAM policies with specific resource constraints, but there's no evidence of addressing a specific vulnerability. The documentation now better explains how to securely configure harness resources.

Diff

diff --git a/bedrock-agentcore/latest/devguide/harness-security.md b/bedrock-agentcore/latest/devguide/harness-security.md
index f0801d1ad..4fe57da30 100644
--- a//bedrock-agentcore/latest/devguide/harness-security.md
+++ b//bedrock-agentcore/latest/devguide/harness-security.md
@@ -15 +15 @@ The harness gives you the same security primitives as the rest of AgentCore, wir
-  * **IAM execution role.** The harness assumes an IAM role you own. Least-privilege access to Bedrock, ECR, CloudWatch, and the AgentCore primitives it touches. See execution role policy below.
+  * **IAM execution role.** The harness assumes an IAM role you own, configurable to include Bedrock, ECR, CloudWatch, and the AgentCore primitives it touches. See sample execution role policy below.
@@ -17 +17 @@ The harness gives you the same security primitives as the rest of AgentCore, wir
-  * **IAM permissions model.** harness APIs require permissions on both the harness resource and the underlying [AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-how-it-works.html) resource. For example, calling `InvokeHarness` requires both `bedrock-agentcore:InvokeHarness` and `bedrock-agentcore:InvokeAgentRuntime` permissions on the harness ARN. The same pattern applies to control plane operations: `UpdateHarness` requires `bedrock-agentcore:UpdateAgentRuntime`, `DeleteHarness` requires `bedrock-agentcore:DeleteAgentRuntime`, and so on. See execution role policy for the full list.
+  * **IAM permissions model.** Harness APIs require permissions on both the harness resource and the underlying [AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-how-it-works.html) resource. For example, calling `InvokeHarness` requires both `bedrock-agentcore:InvokeHarness` and `bedrock-agentcore:InvokeAgentRuntime` permissions on the harness ARN. The same pattern applies to control plane operations: `UpdateHarness` requires `bedrock-agentcore:UpdateAgentRuntime`, `DeleteHarness` requires `bedrock-agentcore:DeleteAgentRuntime`, and so on. See execution role policy for the full list.
@@ -19 +19 @@ The harness gives you the same security primitives as the rest of AgentCore, wir
-  * **Inbound OAuth.** Require callers to present a valid JWT issued by a configured identity provider before they can invoke the harness. [AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html) threads the end-user identity through the agent, so downstream tools can call APIs with scoped user credentials instead of a shared service account.
+  * **Inbound OAuth Support.** JWT configured Harness resources require callers to present a valid JWT issued by a configured identity provider before they can invoke the harness. [AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html) threads the end-user identity through the agent, so downstream tools can call APIs with scoped user credentials instead of a shared service account.
@@ -23 +23 @@ The harness gives you the same security primitives as the rest of AgentCore, wir
-  * **Policies on Gateway.** When tools are served through [AgentCore Gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html), Cedar-based [policies](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy.html) gate every call: who can call which tool, under which conditions, with which arguments.
+  * **Policies on Gateway.** When tools are served through [AgentCore Gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html), Cedar-based [policies](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy.html) can be configured to gate every call: who can call which tool, under which conditions, with which arguments.
@@ -27,0 +28,2 @@ The harness gives you the same security primitives as the rest of AgentCore, wir
+Harness follows the AgentCore [shared responsibility model](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-security-best-practices.html#security-bp-shared-responsibility)
+
@@ -128 +130 @@ The harness assumes an IAM execution role you provide. The role’s trust policy
-harness APIs require permissions on both the harness resource and the underlying [AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-how-it-works.html) resource. The following table lists the required actions for each API:
+Harness APIs require permissions on both the harness resource and the underlying [AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-how-it-works.html) resource. The following table lists the required actions for each API:
@@ -157 +159 @@ All actions are scoped to the harness ARN (e.g., `arn:aws:bedrock-agentcore:{reg
-            "arn:aws:bedrock:{{region}}:{{accountId}}:*"
+            "arn:aws:bedrock:<region>:<accountId>:*"
@@ -194 +196 @@ All actions are scoped to the harness ARN (e.g., `arn:aws:bedrock-agentcore:{reg
-          "Resource": "arn:aws:logs:{{region}}:{{accountId}}:log-group:/aws/bedrock-agentcore/runtimes/*"
+          "Resource": "arn:aws:logs:<region>:<accountId>:log-group:/aws/bedrock-agentcore/runtimes/*"
@@ -202 +204 @@ All actions are scoped to the harness ARN (e.g., `arn:aws:bedrock-agentcore:{reg
-          "Resource": "arn:aws:logs:{{region}}:{{accountId}}:log-group:*"
+          "Resource": "arn:aws:logs:<region>:<accountId>:log-group:*"
@@ -211 +213 @@ All actions are scoped to the harness ARN (e.g., `arn:aws:bedrock-agentcore:{reg
-          "Resource": "arn:aws:logs:{{region}}:{{accountId}}:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*"
+          "Resource": "arn:aws:logs:<region>:<accountId>:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*"
@@ -231 +233,4 @@ All actions are scoped to the harness ARN (e.g., `arn:aws:bedrock-agentcore:{reg
-          "Resource": ["*"]
+          "Resource": [
+            "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default",
+            "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default/workload-identity/harness_<agentName>-*"
+          ]
@@ -245 +250 @@ All actions are scoped to the harness ARN (e.g., `arn:aws:bedrock-agentcore:{reg
-          "Resource": "arn:aws:bedrock-agentcore:{{region}}:aws:browser/*"
+          "Resource": "arn:aws:bedrock-agentcore:<region>:aws:browser/*"
@@ -257 +262 @@ All actions are scoped to the harness ARN (e.g., `arn:aws:bedrock-agentcore:{reg
-          "Resource": "arn:aws:bedrock-agentcore:{{region}}:aws:code-interpreter/*"
+          "Resource": "arn:aws:bedrock-agentcore:<region>:aws:code-interpreter/*"
@@ -263,0 +269,4 @@ The AgentCore CLI creates a role with these permissions automatically when you s
+###### Note
+
+The `BedrockModelInvocation` sample statement above allows invocation of all foundation models across all regions and all Bedrock resources in your account. To scope this down, replace the resource ARNs with specific [inference profiles](https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles.html), which let you route requests across models and regions with a single ARN. For example: `arn:aws:bedrock:<destination_regions>:<accountId>:inference-profile/<profileId>` paired with all allowed regions `arn:aws:bedrock:<region>:<accountId>:foundation-model/<modelId>`.
+
@@ -268 +277 @@ For production workloads, scope `Resource` values down to the specific ARNs your
-Add the following policies to the execution role based on the features your harness uses.
+Below are sample policies you can append to your execution role based on the features your harness uses. Follow the principle of least privilege — grant your harness agent only the specific tools and credentials it needs for inference. See Placeholder reference for placeholder definitions.
@@ -271,0 +281,2 @@ Add the following policies to the execution role based on the features your harn
+Add this policy when your harness uses a private ECR image for a custom container.
+    
@@ -283 +294 @@ Add the following policies to the execution role based on the features your harn
-          "Resource": "arn:aws:ecr:*:*:repository/*"
+          "Resource": "arn:aws:ecr:<ecrRegion>:<ecrAccountId>:repository/<ecrRepoName>"
@@ -295,0 +307,2 @@ Add the following policies to the execution role based on the features your harn
+Add this policy when your harness uses a customer-owned memory instance.
+    
@@ -310 +323,49 @@ Add the following policies to the execution role based on the features your harn
-          "Resource": "arn:aws:bedrock-agentcore:*:*:memory/*"
+          "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:memory/<memoryId>"
+        }
+      ]
+    }
+
+#### AgentCore Browser (custom)
+
+Add this policy when your harness uses a customer-owned custom browser resource.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AgentCoreBrowserCustom",
+          "Effect": "Allow",
+          "Action": [
+            "bedrock-agentcore:StartBrowserSession",
+            "bedrock-agentcore:StopBrowserSession",
+            "bedrock-agentcore:GetBrowserSession",
+            "bedrock-agentcore:ListBrowserSessions",
+            "bedrock-agentcore:UpdateBrowserStream",
+            "bedrock-agentcore:ConnectBrowserAutomationStream",
+            "bedrock-agentcore:ConnectBrowserLiveViewStream"
+          ],
+          "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:browser-custom/<browserCustomId>"
+        }
+      ]
+    }
+
+#### AgentCore Code Interpreter (custom)
+
+Add this policy when your harness uses a customer-owned custom code interpreter.
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AgentCoreCodeInterpreterCustom",
+          "Effect": "Allow",
+          "Action": [
+            "bedrock-agentcore:StartCodeInterpreterSession",
+            "bedrock-agentcore:StopCodeInterpreterSession",
+            "bedrock-agentcore:GetCodeInterpreterSession",
+            "bedrock-agentcore:ListCodeInterpreterSessions",
+            "bedrock-agentcore:InvokeCodeInterpreter"
+          ],
+          "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:code-interpreter-custom/<codeInterpreterCustomId>"
@@ -316,0 +378,2 @@ Add the following policies to the execution role based on the features your harn
+Add this policy when your harness uses a gateway configured with SigV4 inbound authentication.
+    
@@ -322 +385 @@ Add the following policies to the execution role based on the features your harn
-          "Sid": "AgentCoreGateway",
+          "Sid": "AgentCoreGatewayAccess",
@@ -325 +388 @@ Add the following policies to the execution role based on the features your harn
-          "Resource": "arn:aws:bedrock-agentcore:*:*:gateway/*"
+          "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:gateway/<gatewayId>"
@@ -330 +393,3 @@ Add the following policies to the execution role based on the features your harn
-#### API key credential provider (OpenAI, Gemini)
+#### API key credential provider (OpenAI, Gemini, or MCP header ARN references)
+
+Add this policy when your harness uses an API key credential provider for model providers such as OpenAI or Gemini.
@@ -337 +402 @@ Add the following policies to the execution role based on the features your harn
-          "Sid": "AgentCoreApiKeyTokenVault",
+          "Sid": "AgentCoreApiKeyTokenVaultDefault",
@@ -341,2 +406,3 @@ Add the following policies to the execution role based on the features your harn
-            "arn:aws:bedrock-agentcore:*:*:token-vault/default",
-            "arn:aws:bedrock-agentcore:*:*:token-vault/default/apikeycredentialprovider/*"
+            "arn:aws:bedrock-agentcore:<region>:<accountId>:token-vault/default",
+            "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default",
+            "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default/workload-identity/harness_<agentName>-*"
@@ -344,0 +411,6 @@ Add the following policies to the execution role based on the features your harn
+        {
+          "Sid": "AgentCoreApiKeyTokenVaultPerKey",
+          "Effect": "Allow",
+          "Action": "bedrock-agentcore:GetResourceApiKey",
+          "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:token-vault/default/apikeycredentialprovider/<apiKeyName>"
+        },
@@ -349 +421 @@ Add the following policies to the execution role based on the features your harn
-          "Resource": "arn:aws:secretsmanager:*:*:secret:bedrock-agentcore-identity!default/apikey/*"
+          "Resource": "arn:aws:secretsmanager:<region>:<accountId>:secret:bedrock-agentcore-identity!default/apikey/<apiKeyName>-*"
@@ -355,0 +428,2 @@ Add the following policies to the execution role based on the features your harn
+Add this policy when your harness uses an OAuth2 credential provider for OAuth-protected gateway tools.
+    
@@ -361 +435 @@ Add the following policies to the execution role based on the features your harn
-          "Sid": "AgentCoreOAuth2TokenVault",
+          "Sid": "AgentCoreOAuth2TokenVaultDefault",
@@ -365,4 +439,3 @@ Add the following policies to the execution role based on the features your harn
-            "arn:aws:bedrock-agentcore:*:*:token-vault/default",
-            "arn:aws:bedrock-agentcore:*:*:token-vault/default/oauth2credentialprovider/*",
-            "arn:aws:bedrock-agentcore:*:*:workload-identity-directory/default",
-            "arn:aws:bedrock-agentcore:*:*:workload-identity-directory/default/workload-identity/*"
+            "arn:aws:bedrock-agentcore:<region>:<accountId>:token-vault/default",
+            "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default",
+            "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default/workload-identity/harness_<agentName>-*"
@@ -370,0 +444,6 @@ Add the following policies to the execution role based on the features your harn
+        {
+          "Sid": "AgentCoreOAuth2TokenVaultPerProvider",
+          "Effect": "Allow",
+          "Action": "bedrock-agentcore:GetResourceOauth2Token",
+          "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:token-vault/default/oauth2credentialprovider/<oauthProviderName>"
+        },
@@ -375 +454 @@ Add the following policies to the execution role based on the features your harn
-          "Resource": "arn:aws:secretsmanager:*:*:secret:bedrock-agentcore-identity!default/oauth2/*"
+          "Resource": "arn:aws:secretsmanager:<region>:<accountId>:secret:bedrock-agentcore-identity!default/oauth2/<oauthProviderName>-*"
@@ -379,0 +459,23 @@ Add the following policies to the execution role based on the features your harn
+#### Placeholder reference
+
+Replace the following placeholders in the policies above with values specific to your environment:
+
+Placeholder | Description  
+---|---  
+`<region>` |  The AWS Region where your resource is deployed.  
+`<accountId>` |  Your AWS account ID.  
+`<agentName>` |  The name of your harness agent.  
+`<memoryId>` |  The ID of your AgentCore memory resource.  
+`<browserCustomId>` |  The ID of your custom browser resource.  
+`<codeInterpreterCustomId>` |  The ID of your custom code interpreter resource.  
+`<gatewayId>` |  The ID of your AgentCore Gateway resource.  
+`<apiKeyName>` |  The name of your API key credential provider.  
+`<oauthProviderName>` |  The name of your OAuth2 credential provider.  
+`<ecrRegion>` |  The region where your ECR repository is hosted.  
+`<ecrAccountId>` |  The AWS account ID that owns the ECR repository.  
+`<ecrRepoName>` |  The name of your ECR repository.  
+  
+###### Note
+
+The trailing `-*` on Secrets Manager resources accounts for the random suffix that Secrets Manager appends to secret ARNs.
+