AWS bedrock-agentcore medium security documentation change
Summary
Added condition to trust policy requiring source ARN to match bedrock-agentcore memory resources
Security assessment
Added IAM condition restricting AssumeRole to specific ARN pattern, mitigating potential privilege escalation by limiting which entities can assume the role. This addresses potential unauthorized access vulnerabilities.
Diff
diff --git a/bedrock-agentcore/latest/devguide/memory-record-streaming.md b/bedrock-agentcore/latest/devguide/memory-record-streaming.md index 73d8041bc..91b912411 100644 --- a//bedrock-agentcore/latest/devguide/memory-record-streaming.md +++ b//bedrock-agentcore/latest/devguide/memory-record-streaming.md @@ -156 +156,6 @@ Trust policy: - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "ArnLike": { + "aws:SourceArn": "arn:aws:bedrock-agentcore:<region>:<account-id>:memory/*" + } + }