AWS bedrock-agentcore documentation change
Summary
Added 'Considerations' section explaining limitations of the managed policy including missing iam:CreateRole permission and scoped iam:PassRole permissions
Security assessment
This change documents IAM policy limitations but doesn't address a specific vulnerability. It enhances security documentation by clarifying permission requirements.
Diff
diff --git a/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md b/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md index 01bcca6d4..ef2932f54 100644 --- a//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md +++ b//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md @@ -80,0 +81,11 @@ This policy includes the following permissions: +### Considerations + +Note the following limitations of this policy: + + * **`iam:CreateRole` is not included.** When you create certain AgentCore resources (for example, harness or runtime) in the console, you can elect for the console to auto-create the resource’s execution role on your behalf. This requires `iam:CreateRole` permissions, which are not included in this managed policy. For more information, see [Troubleshooting iam:CreateRole authorization in the console](./security_iam_troubleshoot.html#security_iam_troubleshoot-createrole). + + * **`iam:PassRole` is scoped by role name.** When you create certain AgentCore resources (for example, harness or runtime), you must have `iam:PassRole` permissions on the resource’s execution role. This managed policy only includes `iam:PassRole` permissions for roles with names matching `*BedrockAgentCore*`. For more information, see [Troubleshooting iam:PassRole authorization](./security_iam_troubleshoot.html#security_iam_troubleshoot-passrole). + + + +