AWS bedrock-agentcore high security documentation change
Summary
Added link to example showing how to restrict runtime access to specific gateways using resource-based policies
Security assessment
The change explicitly documents security controls for limiting runtime access to authorized gateways only, preventing direct invocation bypasses. Concrete example reference demonstrates security implementation.
Diff
diff --git a/bedrock-agentcore/latest/devguide/resource-based-policies.md b/bedrock-agentcore/latest/devguide/resource-based-policies.md index d283fff64..0c655be5e 100644 --- a//bedrock-agentcore/latest/devguide/resource-based-policies.md +++ b//bedrock-agentcore/latest/devguide/resource-based-policies.md @@ -150 +150 @@ SigV4 Authentication -Use specific AWS principals (IAM users, roles, or accounts) in the `Principal` element. For example: `"Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"}` . The policy is evaluated in conjunction with the caller’s IAM permissions. +Use specific AWS principals (IAM users, roles, or accounts) in the `Principal` element. For example: `"Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"}` . The policy is evaluated in conjunction with the caller’s IAM permissions. For an example that restricts a runtime to only be invoked by an AgentCore Gateway, see [Restrict IAM (SigV4) inbound invocation to your gateway](./runtime-oauth.html#runtime-restrict-iam-gateway).