Amazon Bedrock Agentcore (bedrock-agentcore)

Additions

Actions

• AuthorizeAction
  
  • Description:  Grants permission to evaluate Cedar policies for authorization requests
  • Access:  Permissions management
  • Resources: 

    Name: gateway

    Required: Yes

    Name: policy-engine

    Required: Yes

• CreateEvaluator
  
  • Description:  Grants permission to create a new evaluator
  • Access:  Write
• CreateOnlineEvaluationConfig
  
  • Description:  Grants permission to create a new online evaluation configuration
  • Access:  Write
  • Dependents: 

    iam:PassRole

• CreatePolicy
  
  • Description:  Grants permission to create a new policy within a policy engine
  • Access:  Write
  • Resources: 

    Name: policy-engine

    Required: Yes

• CreatePolicyEngine
  
  • Description:  Grants permission to create a new policy engine
  • Access:  Write
• DeleteEvaluator
  
  • Description:  Grants permission to delete an evaluator
  • Access:  Write
  • Resources: 

    Name: evaluator

    Required: Yes

• DeleteOnlineEvaluationConfig
  
  • Description:  Grants permission to delete an online evaluation configuration
  • Access:  Write
  • Resources: 

    Name: online-evaluation-config

    Required: Yes

• DeletePolicy
  
  • Description:  Grants permission to delete a policy
  • Access:  Write
  • Resources: 

    Name: policy

    Required: Yes

    Name: policy-engine

    Required: Yes

• DeletePolicyEngine
  
  • Description:  Grants permission to delete a policy engine
  • Access:  Write
  • Resources: 

    Name: policy-engine

    Required: Yes

• DeleteResourcePolicy
  
  • Description:  Grants permission to delete the resource-based policy for a Bedrock resource
  • Access:  Write
  • Resources: 

    Name: gateway

    Required: No

    Name: runtime

    Required: No

    Name: runtime-endpoint

    Required: No

• Evaluate
  
  • Description:  Grants permission to run an evaluation using an evaluator
  • Access:  Write
  • Resources: 

    Name: evaluator

    Required: Yes

• GetEvaluator
  
  • Description:  Grants permission to get details of an evaluator
  • Access:  Read
  • Resources: 

    Name: evaluator

    Required: Yes

• GetOnlineEvaluationConfig
  
  • Description:  Grants permission to get details of an online evaluation configuration
  • Access:  Read
  • Resources: 

    Name: online-evaluation-config

    Required: Yes

• GetPolicy
  
  • Description:  Grants permission to retrieve a policy
  • Access:  Read
  • Resources: 

    Name: policy

    Required: Yes

    Name: policy-engine

    Required: Yes

• GetPolicyEngine
  
  • Description:  Grants permission to retrieve a policy engine
  • Access:  Read
  • Resources: 

    Name: policy-engine

    Required: Yes

• GetPolicyGeneration
  
  • Description:  Grants permission to retrieve status and results of a policy generation request
  • Access:  Read
  • Resources: 

    Name: policy-engine

    Required: Yes

    Name: policy-generation

    Required: Yes

• GetResourcePolicy
  
  • Description:  Grants permission to retrieve the resource-based policy for a Bedrock resource
  • Access:  Read
  • Resources: 

    Name: gateway

    Required: No

    Name: runtime

    Required: No

    Name: runtime-endpoint

    Required: No

• InvokeAgentRuntimeWithWebSocketStream
  
  • Description:  Grants permission to invoke an agent runtime endpoint with WebSocket stream
  • Access:  Write
  • Resources: 

    Name: runtime

    Required: Yes

    Name: runtime-endpoint

    Required: Yes

• InvokeAgentRuntimeWithWebSocketStreamForUser
  
  • Description:  Grants permission to invoke an agent runtime endpoint with WebSocket stream and with X-Amzn-Bedrock-AgentCore-Runtime-User-Id header
  • Access:  Write
  • Resources: 

    Name: runtime

    Required: Yes

    Name: runtime-endpoint

    Required: Yes

• ListEvaluators
  
  • Description:  Grants permission to list evaluators
  • Access:  List
• ListMemoryExtractionJobs
  
  • Description:  Grants permission to list extraction jobs for this memory
  • Access:  List
  • Resources: 

    Name: memory

    Required: Yes

• ListOnlineEvaluationConfigs
  
  • Description:  Grants permission to list online evaluation configurations
  • Access:  List
• ListPolicies
  
  • Description:  Grants permission to list policies within a policy engine
  • Access:  List
  • Resources: 

    Name: policy-engine

    Required: Yes

• ListPolicyEngines
  
  • Description:  Grants permission to list policy engines
  • Access:  List
• ListPolicyGenerationAssets
  
  • Description:  Grants permission to list generated policy assets from a generation request
  • Access:  List
  • Resources: 

    Name: policy-engine

    Required: Yes

    Name: policy-generation

    Required: Yes

• ListPolicyGenerations
  
  • Description:  Grants permission to list policy generation requests
  • Access:  List
  • Resources: 

    Name: policy-engine

    Required: Yes

• ManageAdminPolicy
  
  • Description:  Grants permission to create or modify wildcard policies that apply to gateway resources
  • Access:  Permissions management
• ManageResourceScopedPolicy
  
  • Description:  Grants permission to create or modify policies that apply to specific gateway resources
  • Access:  Permissions management
  • Resources: 

    Name: gateway

    Required: Yes

• PartiallyAuthorizeActions
  
  • Description:  Grants permission to perform partial evaluation of Cedar policies to authorize a caller to list tools they are allowed to call
  • Access:  Permissions management
  • Resources: 

    Name: gateway

    Required: Yes

    Name: policy-engine

    Required: Yes

• PutResourcePolicy
  
  • Description:  Grants permission to create or update the resource-based policy for a Bedrock resource
  • Access:  Write
  • Resources: 

    Name: gateway

    Required: No

    Name: runtime

    Required: No

    Name: runtime-endpoint

    Required: No

• StartMemoryExtractionJob
  
  • Description:  Grants permission to start memory extraction job
  • Access:  Write
  • Resources: 

    Name: memory

    Required: Yes

  • Conditions: 

    bedrock-agentcore:strategyId

    bedrock-agentcore:sessionId

    bedrock-agentcore:actorId

• StartPolicyGeneration
  
  • Description:  Grants permission to start an AI-powered policy generation request
  • Access:  Write
  • Resources: 

    Name: policy-engine

    Required: Yes

• UpdateEvaluator
  
  • Description:  Grants permission to update an evaluator
  • Access:  Write
  • Resources: 

    Name: evaluator

    Required: Yes

• UpdateOnlineEvaluationConfig
  
  • Description:  Grants permission to update an online evaluation configuration
  • Access:  Write
  • Resources: 

    Name: online-evaluation-config

    Required: Yes

  • Dependents: 

    iam:PassRole

• UpdatePolicy
  
  • Description:  Grants permission to update an existing policy
  • Access:  Write
  • Resources: 

    Name: policy

    Required: Yes

    Name: policy-engine

    Required: Yes

• UpdatePolicyEngine
  
  • Description:  Grants permission to update a policy engine
  • Access:  Write
  • Resources: 

    Name: policy-engine

    Required: Yes

Resources

• evaluator
  
  • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:evaluator/${EvaluatorId}
• online-evaluation-config
  
  • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:online-evaluation-config/${OnlineEvaluationConfigId}
• policy-engine
  
  • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:policy-engine/${PolicyEngineId}
• policy
  
  • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:policy-engine/${PolicyEngineId}/policy/${PolicyId}
• policy-generation
  
  • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:policy-engine/${PolicyEngineId}/policy-generation/${PolicyGenerationId}

Updates

Actions

• CreateWorkloadIdentity
  
  Conditions
  
  • － bedrock-agentcore:KmsKeyArn

Deletions

Conditions

• bedrock-agentcore:KmsKeyArn
  
  • Description:  Filters access by KMS Key arn provided
  • Type:  String