AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2026-06-22 · Security-related high

File: bedrock-agentcore/latest/devguide/resource-based-policies.md

Summary

Added link to example showing how to restrict runtime access to specific gateways using resource-based policies

Security assessment

The change explicitly documents security controls for limiting runtime access to authorized gateways only, preventing direct invocation bypasses. Concrete example reference demonstrates security implementation.

Diff

diff --git a/bedrock-agentcore/latest/devguide/resource-based-policies.md b/bedrock-agentcore/latest/devguide/resource-based-policies.md
index d283fff64..0c655be5e 100644
--- a//bedrock-agentcore/latest/devguide/resource-based-policies.md
+++ b//bedrock-agentcore/latest/devguide/resource-based-policies.md
@@ -150 +150 @@ SigV4 Authentication
-Use specific AWS principals (IAM users, roles, or accounts) in the `Principal` element. For example: `"Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"}` . The policy is evaluated in conjunction with the caller’s IAM permissions.
+Use specific AWS principals (IAM users, roles, or accounts) in the `Principal` element. For example: `"Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"}` . The policy is evaluated in conjunction with the caller’s IAM permissions. For an example that restricts a runtime to only be invoked by an AgentCore Gateway, see [Restrict IAM (SigV4) inbound invocation to your gateway](./runtime-oauth.html#runtime-restrict-iam-gateway).