2.254.0

class PolicyEngineMode ๐Ÿ”น

LanguageType name
.NETAmazon.CDK.AWS.Bedrock.Agentcore.Alpha.PolicyEngineMode
Gogithub.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#PolicyEngineMode
Javasoftware.amazon.awscdk.services.bedrock.agentcore.alpha.PolicyEngineMode
Pythonaws_cdk.aws_bedrock_agentcore_alpha.PolicyEngineMode
TypeScript (source)@aws-cdk/aws-bedrock-agentcore-alpha ยป PolicyEngineMode

The enforcement mode for a policy engine associated with a gateway.

Example


// Create a Policy engine
const policyEngine = new agentcore.PolicyEngine(this, "MyPolicyEngine", {
  policyEngineName: "my_policy_engine",
  description: "Policy engine for access control",
});

const gateway = new agentcore.Gateway(this, "MyGateway", {
  gatewayName: "my-gateway",
  policyEngineConfiguration: {
    policyEngine: policyEngine,
    mode: agentcore.PolicyEngineMode.ENFORCE, // Default is LOG_ONLY
  },
});

// Add policy to policy engine
policyEngine.addPolicy("AllowAllActions", {
  definition: `
    permit(
      principal,
      action,
      resource == AgentCore::Gateway::"${gateway.gatewayArn}"
    );
  `,
  description: "Allow all actions on specific gateway (development)",
  validationMode: agentcore.PolicyValidationMode.IGNORE_ALL_FINDINGS, // This will ignore all cedar warnings
});

// you can add multiple policies to the policy engine
policyEngine.addPolicy("SpecificToolPolicy", {
  definition: `
    permit(
      principal is AgentCore::OAuthUser,
      action == AgentCore::Action::"WeatherTool__get_forecast",
      resource == AgentCore::Gateway::"${gateway.gatewayArn}"
    );
  `,
  description: "Allow specific weather tool access",
  validationMode: agentcore.PolicyValidationMode.FAIL_ON_ANY_FINDINGS, // This will fail policy creation for any cedar warning
});

Initializer

new PolicyEngineMode(value: string)

Parameters

  • value string

Properties

NameTypeDescription
value๐Ÿ”นstringThe string value of the policy engine mode.
static ENFORCE๐Ÿ”นPolicyEngineModeEnforces decisions by allowing or denying agent operations based on Cedar policies.
static LOG_ONLY๐Ÿ”นPolicyEngineModeEvaluates actions and adds traces but does not enforce decisions.

value๐Ÿ”น

Type: string

The string value of the policy engine mode.

static ENFORCE๐Ÿ”น

Type: PolicyEngineMode

Enforces decisions by allowing or denying agent operations based on Cedar policies.

static LOG_ONLY๐Ÿ”น

Type: PolicyEngineMode

Evaluates actions and adds traces but does not enforce decisions.

Use this mode for testing and validation before enabling enforcement.

โ† PreviousNext โ†’