AWS bedrock-agentcore medium security documentation change
Summary
Added condition to trust policy requiring source ARN to match bedrock-agentcore memory resources
Security assessment
Added IAM condition restricting AssumeRole to specific ARN pattern, reducing attack surface by preventing unauthorized role assumption. This addresses potential confused deputy vulnerabilities.
Diff
diff --git a/bedrock-agentcore/latest/devguide/memory-self-managed-strategies.md b/bedrock-agentcore/latest/devguide/memory-self-managed-strategies.md index e139b36cd..b8cc4c6a7 100644 --- a//bedrock-agentcore/latest/devguide/memory-self-managed-strategies.md +++ b//bedrock-agentcore/latest/devguide/memory-self-managed-strategies.md @@ -116 +116,6 @@ Use the following trust policy: - "Action": "sts:AssumeRole" + "Action": "sts:AssumeRole", + "Condition": { + "ArnLike": { + "aws:SourceArn": "arn:aws:bedrock-agentcore:<region>:<account-id>:memory/*" + } + }