AWS AWSCloudFormation medium security documentation change
Summary
Added EnforcementMode property with ACTIVE and LOG_ONLY options to control policy enforcement behavior
Security assessment
Introduces security logging capability (LOG_ONLY mode) that allows auditing policy decisions before enforcement, which helps identify potential security issues through observation of real traffic patterns
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-bedrockagentcore-policy.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-bedrockagentcore-policy.md index a1e6a62d9..6f9013d8f 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-bedrockagentcore-policy.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-bedrockagentcore-policy.md @@ -28,0 +29 @@ To declare this entity in your CloudFormation template, use the following syntax + "EnforcementMode" : String, @@ -43,0 +45 @@ To declare this entity in your CloudFormation template, use the following syntax + EnforcementMode: String @@ -76,0 +79,20 @@ _Required_ : No +`EnforcementMode` + + +The enforcement mode for the policy. Determines whether the policy contributes to the enforce decision. Valid values include: + + * `ACTIVE` \- The policy is evaluated and its decision is enforced by the policy engine. + + * `LOG_ONLY` \- The policy is evaluated but its decision is observed only, allowing you to validate a policy against real traffic before promoting it to active enforcement. + + + + +_Required_ : No + + _Type_ : String + + _Allowed values_ : `ACTIVE | LOG_ONLY` + + _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) +