AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2026-06-19 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-bedrockagentcore-policy.md

Summary

Added EnforcementMode property with ACTIVE and LOG_ONLY options to control policy enforcement behavior

Security assessment

Introduces security logging capability (LOG_ONLY mode) that allows auditing policy decisions before enforcement, which helps identify potential security issues through observation of real traffic patterns

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-bedrockagentcore-policy.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-bedrockagentcore-policy.md
index a1e6a62d9..6f9013d8f 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-bedrockagentcore-policy.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-bedrockagentcore-policy.md
@@ -28,0 +29 @@ To declare this entity in your CloudFormation template, use the following syntax
+          "EnforcementMode" : String,
@@ -43,0 +45 @@ To declare this entity in your CloudFormation template, use the following syntax
+      EnforcementMode: String
@@ -76,0 +79,20 @@ _Required_ : No
+`EnforcementMode`
+    
+
+The enforcement mode for the policy. Determines whether the policy contributes to the enforce decision. Valid values include:
+
+  * `ACTIVE` \- The policy is evaluated and its decision is enforced by the policy engine.
+
+  * `LOG_ONLY` \- The policy is evaluated but its decision is observed only, allowing you to validate a policy against real traffic before promoting it to active enforcement.
+
+
+
+
+_Required_ : No
+
+ _Type_ : String
+
+ _Allowed values_ : `ACTIVE | LOG_ONLY`
+
+ _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+