interface GatewayPolicyEngineConfig
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.GatewayPolicyEngineConfig |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#GatewayPolicyEngineConfig |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.GatewayPolicyEngineConfig |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.GatewayPolicyEngineConfig |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » GatewayPolicyEngineConfig |
Configuration for associating a policy engine with a gateway.
When configured, the policy engine intercepts all agent requests through this gateway and evaluates them against the defined Cedar policies.
Example
```ts
// Create a policy engine
const policyEngine = new agentcore.PolicyEngine(this, "MyPolicyEngine", {
  policyEngineName: "my_policy_engine",
  description: "Policy engine for access control",
});

const gateway = new agentcore.Gateway(this, "MyGateway", {
  gatewayName: "my-gateway",
  policyEngineConfiguration: {
    policyEngine: policyEngine,
    mode: agentcore.PolicyEngineMode.ENFORCE, // Default is LOG_ONLY
  },
});

// Add a policy to the policy engine
policyEngine.addPolicy("AllowAllActions", {
  definition: `
    permit(
      principal,
      action,
      resource == AgentCore::Gateway::"${gateway.gatewayArn}"
    );
  `,
  description: "Allow all actions on specific gateway (development)",
  validationMode: agentcore.PolicyValidationMode.IGNORE_ALL_FINDINGS, // This will ignore all Cedar warnings
});

// You can add multiple policies to the policy engine
policyEngine.addPolicy("SpecificToolPolicy", {
  definition: `
    permit(
      principal is AgentCore::OAuthUser,
      action == AgentCore::Action::"WeatherTool__get_forecast",
      resource == AgentCore::Gateway::"${gateway.gatewayArn}"
    );
  `,
  description: "Allow specific weather tool access",
  validationMode: agentcore.PolicyValidationMode.FAIL_ON_ANY_FINDINGS, // This will fail policy creation on any Cedar warning
});
```
Properties
| Name | Type | Description |
|---|---|---|
| policyEngine | IPolicyEngine | The policy engine to associate with this gateway. |
| mode? | PolicyEngineMode | The enforcement mode for the policy engine. |
policyEngine
Type:
IPolicyEngine
The policy engine to associate with this gateway.
mode?
Type:
PolicyEngineMode
(optional, default: PolicyEngineMode.LOG_ONLY)
The enforcement mode for the policy engine.
LOG_ONLY: Evaluates and logs decisions without enforcing them. Use for testing.
ENFORCE: Actively allows or denies requests based on Cedar policy evaluation.
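As an added example (not code from the CDK docs or from the construct library), the following self-contained TypeScript builds the least-privilege counterpart of the "AllowAllActions" policy above: a Cedar policy scoped to named tools on one gateway, with tool ids validated so an unexpected value cannot break out of the quoted Cedar literal, and a mode chosen per stage so LOG_ONLY is used while testing and ENFORCE in production. The stage names and tool ids are constructed assumptions; the entity names follow the page's example.

```typescript
// Added example: least-privilege Cedar policy text for GatewayPolicyEngineConfig.
// Entity names (AgentCore::OAuthUser, AgentCore::Action, AgentCore::Gateway) come
// from the page's example; stage names and tool ids are constructed sample values.

type PolicyEngineMode = "LOG_ONLY" | "ENFORCE";

// LOG_ONLY only records decisions, so it fits the testing phase while policies are
// being validated; ENFORCE actually denies requests no permit policy covers.
function modeForStage(stage: string): PolicyEngineMode {
  return stage === "prod" ? "ENFORCE" : "LOG_ONLY";
}

// Cedar action ids are "<Target>__<tool>" as in the page example
// (WeatherTool__get_forecast). Reject anything else instead of escaping it, so an
// unexpected id can never close the quoted literal and inject policy text.
const TOOL_ID = /^[A-Za-z0-9_]+__[A-Za-z0-9_]+$/;

function scopedToolPolicy(gatewayArn: string, toolIds: string[]): string {
  if (toolIds.length === 0) throw new Error("at least one tool id required");
  for (const id of toolIds) {
    if (!TOOL_ID.test(id)) throw new Error(`invalid tool id: ${id}`);
  }
  const actions = toolIds.map((id) => `AgentCore::Action::"${id}"`).join(", ");
  // Cedar is deny-by-default: only the listed actions on this gateway are
  // permitted, and only for OAuth-authenticated principals.
  return [
    "permit(",
    "  principal is AgentCore::OAuthUser,",
    `  action in [${actions}],`,
    `  resource == AgentCore::Gateway::"${gatewayArn}"`,
    ");",
  ].join("\n");
}

// Wiring into the construct from the page (commented out so this file runs alone):
// policyEngine.addPolicy("ScopedTools", {
//   definition: scopedToolPolicy(gateway.gatewayArn, ["WeatherTool__get_forecast"]),
//   validationMode: agentcore.PolicyValidationMode.FAIL_ON_ANY_FINDINGS,
// });
// ... and mode: modeForStage(stage) in policyEngineConfiguration.
```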