AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-25 · Documentation low

File: bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md

Summary

Added 'Considerations' section explaining limitations of the managed policy including missing iam:CreateRole permission and scoped iam:PassRole permissions

Security assessment

This change documents IAM policy limitations but doesn't address a specific vulnerability. It enhances security documentation by clarifying permission requirements.

Diff

diff --git a/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md b/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md
index 01bcca6d4..ef2932f54 100644
--- a//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md
+++ b//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md
@@ -80,0 +81,11 @@ This policy includes the following permissions:
+### Considerations
+
+Note the following limitations of this policy:
+
+  * **`iam:CreateRole` is not included.** When you create certain AgentCore resources (for example, harness or runtime) in the console, you can elect for the console to auto-create the resource’s execution role on your behalf. This requires `iam:CreateRole` permissions, which are not included in this managed policy. For more information, see [Troubleshooting iam:CreateRole authorization in the console](./security_iam_troubleshoot.html#security_iam_troubleshoot-createrole).
+
+  * **`iam:PassRole` is scoped by role name.** When you create certain AgentCore resources (for example, harness or runtime), you must have `iam:PassRole` permissions on the resource’s execution role. This managed policy only includes `iam:PassRole` permissions for roles with names matching `*BedrockAgentCore*`. For more information, see [Troubleshooting iam:PassRole authorization](./security_iam_troubleshoot.html#security_iam_troubleshoot-passrole).
+
+
+
+