AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2026-05-16 · Security-related medium

File: bedrock-agentcore/latest/devguide/policy-core-concepts.md

Summary

Refined description of IamEntity principal format to clarify stable ARN structure for assumed roles.

Security assessment

Specifies consistent assumed-role ARN format (arn:aws:sts) enabling reliable principal matching, preventing authorization errors from format misunderstandings. Security impact: ensures accurate role-based access control.

Diff

diff --git a/bedrock-agentcore/latest/devguide/policy-core-concepts.md b/bedrock-agentcore/latest/devguide/policy-core-concepts.md
index 14f3e9300..965654cd2 100644
--- a//bedrock-agentcore/latest/devguide/policy-core-concepts.md
+++ b//bedrock-agentcore/latest/devguide/policy-core-concepts.md
@@ -52 +52 @@ Cedar policies use principals to represent the entity making an authorization re
-  * **AgentCore::IamEntity** \- Represents IAM-authenticated callers. When a AgentCore Gateway uses AWS_IAM authorization, the principal is created from the caller’s IAM ARN. IAM principals have an `id` attribute containing the full IAM ARN, which can be used for account-based or role-based access control.
+  * **AgentCore::IamEntity** \- Represents IAM-authenticated callers. When a AgentCore Gateway uses AWS_IAM authorization, the principal is created from the caller’s IAM identity. IAM principals have an `id` attribute containing the IAM ARN (format: `arn:aws:sts::<account>:assumed-role/<role-name>` for assumed roles), enabling stable `principal ==` matching. See [Policy conditions](./policy-conditions.html) for details.