AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2026-06-04 · Security-related high

File: bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md

Summary

Added security caveat about GetWorkloadAccessTokenForUserId permission in managed policy

Security assessment

Explicitly warns about unverified user identifier risk in managed policy and recommends production hardening through explicit denials.

Diff

diff --git a/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md b/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md
index ef2932f54..eec71b85e 100644
--- a//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md
+++ b//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md
@@ -88,0 +89,2 @@ Note the following limitations of this policy:
+  * **`GetWorkloadAccessTokenForUserId` is included.** This policy grants permission to call `GetWorkloadAccessTokenForUserId`, which allows issuing workload access tokens using a caller-supplied user identifier string without IdP token verification. This is suitable for development and quickstart scenarios. For production deployments, create custom IAM policies that only grant `GetWorkloadAccessTokenForJWT` (which validates the JWT signature, issuer, and expiry) and explicitly deny `GetWorkloadAccessTokenForUserId` if your workloads always have a JWT available. For more information, see [Get workload access token](./get-workload-access-token.html).
+