AWS::BedrockAgentCore::Policy - AWS CloudFormation


AWS::BedrockAgentCore::Policy

Specifies a Cedar authorization policy within an Amazon Bedrock AgentCore policy engine. A policy defines the authorization logic that controls what actions your AI agents can perform.

For more information, see Control agent actions with Amazon Bedrock AgentCore policy engines.

See the Properties section below for descriptions of both the required and optional properties.

Syntax

To declare this entity in your CloudFormation template, use the following syntax:

JSON

    {
      "Type" : "AWS::BedrockAgentCore::Policy",
      "Properties" : {
          "Definition" : PolicyDefinition,
          "Description" : String,
          "Name" : String,
          "PolicyEngineId" : String,
          "ValidationMode" : String
        }
    }

YAML

    Type: AWS::BedrockAgentCore::Policy
    Properties:
      Definition:
        PolicyDefinition
      Description: String
      Name: String
      PolicyEngineId: String
      ValidationMode: String

Properties

Definition

The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.

Required: Yes

Type: PolicyDefinition

Update requires: No interruption

Description

A human-readable description of the policy's purpose and functionality. Limited to 4,096 characters, this helps administrators understand and manage the policy.

Required: No

Type: String

Minimum: 1

Maximum: 4096

Update requires: No interruption

Name

The customer-assigned immutable name for the policy. This human-readable identifier must be unique within the account and cannot exceed 48 characters.

Required: Yes

Type: String

Pattern: ^[A-Za-z][A-Za-z0-9_]*$

Minimum: 1

Maximum: 48

Update requires: Replacement

PolicyEngineId

The identifier of the policy engine that manages this policy. This establishes the policy engine context for policy evaluation and management.

Required: Yes

Type: String

Pattern: ^[A-Za-z][A-Za-z0-9_]*-[a-z0-9_]{10}$

Minimum: 12

Maximum: 59

Update requires: Replacement

ValidationMode

The validation mode for the policy. Determines how Cedar analyzer validation results are handled.

Required: No

Type: String

Allowed values: FAIL_ON_ANY_FINDINGS | IGNORE_ALL_FINDINGS

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ARN of the policy. For example:

arn:aws:bedrock-agentcore:us-east-1:123456789012:policy-engine/MyPolicyEngine-a1b2c3d4e5/policy/MyPolicy-f6g7h8i9j0

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

CreatedAt

The timestamp when the policy was created.

PolicyArn

The Amazon Resource Name (ARN) of the policy.

PolicyId

The unique identifier of the policy.

Status

The current status of the policy.

StatusReasons

Additional information about the current status of the policy.

UpdatedAt

The timestamp when the policy was last updated.
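The following template is an added example, not part of the AWS reference page, that ties the properties and return values above together: it declares one policy under an existing policy engine, keeps Cedar analyzer findings fatal with FAIL_ON_ANY_FINDINGS, and exposes the Ref and Fn::GetAtt results as outputs. The Static/Statement shape of PolicyDefinition is not described on this page and is an assumption, and the Cedar namespace ExampleApp, the action lookupOrder and the principal attribute role are constructed placeholders that would have to match your own policy engine schema.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example; not from the AWS docs. Assumes an existing AgentCore policy engine.

Resources:
  SupportReadOnlyPolicy:
    Type: AWS::BedrockAgentCore::Policy
    Properties:
      # Name is immutable: it must match ^[A-Za-z][A-Za-z0-9_]*$, stay under 48
      # characters, and changing it later replaces the resource.
      Name: SupportReadOnlyLookups
      # Engine id taken from the sample ARN on this page; it must match
      # ^[A-Za-z][A-Za-z0-9_]*-[a-z0-9_]{10}$ and also forces Replacement on change.
      PolicyEngineId: MyPolicyEngine-a1b2c3d4e5
      Description: >-
        Allow support agents to look up orders. Everything not explicitly
        permitted stays denied by Cedar's default-deny evaluation.
      # Fail the deployment on any analyzer finding instead of shipping a policy
      # whose conditions the analyzer could not verify (IGNORE_ALL_FINDINGS would
      # let such a policy through silently).
      ValidationMode: FAIL_ON_ANY_FINDINGS
      Definition:
        # Assumption: PolicyDefinition is not expanded on this page; Static/Statement
        # mirrors the static-statement form of the underlying CreatePolicy API.
        Static:
          Statement: |
            // Constructed Cedar policy: ExampleApp namespace, lookupOrder action
            // and the principal.role attribute are placeholders for your schema.
            permit(
              principal,
              action == ExampleApp::Action::"lookupOrder",
              resource
            )
            when { principal.role == "support_agent" };

Outputs:
  PolicyArn:
    # Ref returns the policy ARN, e.g. arn:aws:bedrock-agentcore:...:policy-engine/.../policy/...
    Value: !Ref SupportReadOnlyPolicy
  PolicyId:
    Value: !GetAtt SupportReadOnlyPolicy.PolicyId
  PolicyStatus:
    Value: !GetAtt SupportReadOnlyPolicy.Status
```

Because Name and PolicyEngineId both have Update requires: Replacement, a stack update that changes either one tears the policy down and recreates it, which briefly removes the permit from the engine; treat those two fields as fixed once deployed.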