AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2026-06-13 · Security-related medium

File: bedrock-agentcore/latest/devguide/memory-record-streaming.md

Summary

Added condition to trust policy requiring source ARN to match bedrock-agentcore memory resources

Security assessment

Added IAM condition restricting AssumeRole to specific ARN pattern, mitigating potential privilege escalation by limiting which entities can assume the role. This addresses potential unauthorized access vulnerabilities.

Diff

diff --git a/bedrock-agentcore/latest/devguide/memory-record-streaming.md b/bedrock-agentcore/latest/devguide/memory-record-streaming.md
index 73d8041bc..91b912411 100644
--- a//bedrock-agentcore/latest/devguide/memory-record-streaming.md
+++ b//bedrock-agentcore/latest/devguide/memory-record-streaming.md
@@ -156 +156,6 @@ Trust policy:
-          "Action": "sts:AssumeRole"
+          "Action": "sts:AssumeRole",
+          "Condition": {
+            "ArnLike": {
+              "aws:SourceArn": "arn:aws:bedrock-agentcore:<region>:<account-id>:memory/*"
+            }
+          }