AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2026-06-13 · Security-related medium

File: bedrock-agentcore/latest/devguide/memory-self-managed-strategies.md

Summary

Added condition to trust policy requiring source ARN to match bedrock-agentcore memory resources

Security assessment

Added IAM condition restricting AssumeRole to specific ARN pattern, reducing attack surface by preventing unauthorized role assumption. This addresses potential confused deputy vulnerabilities.

Diff

diff --git a/bedrock-agentcore/latest/devguide/memory-self-managed-strategies.md b/bedrock-agentcore/latest/devguide/memory-self-managed-strategies.md
index e139b36cd..b8cc4c6a7 100644
--- a//bedrock-agentcore/latest/devguide/memory-self-managed-strategies.md
+++ b//bedrock-agentcore/latest/devguide/memory-self-managed-strategies.md
@@ -116 +116,6 @@ Use the following trust policy:
-                "Action": "sts:AssumeRole"
+                "Action": "sts:AssumeRole",
+                "Condition": {
+                    "ArnLike": {
+                        "aws:SourceArn": "arn:aws:bedrock-agentcore:<region>:<account-id>:memory/*"
+                    }
+                }