AWS bedrock-agentcore high security documentation change
Summary
Clarified IAM role matching patterns and ARN formats for authorization policies. Added details about exact vs pattern matching for principals.
Security assessment
Changes explicitly refine authorization patterns for IAM roles, including correcting ARN formats for assumed roles (arn:aws:sts) and demonstrating secure exact matching. This prevents misconfiguration risks where overly permissive patterns could grant unauthorized access.
Diff
diff --git a/bedrock-agentcore/latest/devguide/policy-common-patterns.md b/bedrock-agentcore/latest/devguide/policy-common-patterns.md index 49981713e..5b146a446 100644 --- a//bedrock-agentcore/latest/devguide/policy-common-patterns.md +++ b//bedrock-agentcore/latest/devguide/policy-common-patterns.md @@ -78 +78 @@ Block callers from a specific AWS account: -**Use case:** Block test or unauthorized accounts from accessing production tools. +**Use case:** Block test or unauthorized accounts from accessing production tools. The pattern ` **:444455556666:** ` matches any ARN format (assumed-role, IAM user, or IAM role) containing that account ID. @@ -103 +103 @@ Permit access only to users with specific roles: -Permit access only to callers using specific IAM roles: +Permit access only to callers using specific IAM roles. You can use exact `principal ==` matching or `principal.id like` pattern matching: @@ -105,0 +106 @@ Permit access only to callers using specific IAM roles: + // Exact match (recommended for single-role policies) @@ -107 +108 @@ Permit access only to callers using specific IAM roles: - principal is AgentCore::IamEntity, + principal == AgentCore::IamEntity::"arn:aws:sts::123456789012:assumed-role/AdminRole", @@ -110,4 +111 @@ Permit access only to callers using specific IAM roles: - ) - when { - principal.id like "arn:aws:iam::*:role/AdminRole" - }; + ); @@ -115 +113 @@ Permit access only to callers using specific IAM roles: -**Use case:** Allow administrative operations only for callers using the AdminRole IAM role. +**Use case:** Allow administrative operations only for callers assuming the AdminRole IAM role. The Cedar entity ID for assumed roles uses the format `arn:aws:sts::<account>:assumed-role/<role-name>`. @@ -117 +115 @@ Permit access only to callers using specific IAM roles: -**Variations:** +**Variations using pattern matching:** @@ -120,2 +118,2 @@ Permit access only to callers using specific IAM roles: - // Match assumed role sessions - principal.id like "arn:aws:sts::*:assumed-role/AdminRole/*" + // Match a specific role from any account + principal.id like "arn:aws:sts::*:assumed-role/AdminRole" @@ -124 +122 @@ Permit access only to callers using specific IAM roles: - principal.id like "arn:aws:iam::123456789012:role/*" + principal.id like "arn:aws:sts::123456789012:assumed-role/*"