class PolicyValidationMode
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.PolicyValidationMode |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#PolicyValidationMode |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.PolicyValidationMode |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.PolicyValidationMode |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » PolicyValidationMode |

Validation mode for Cedar policy definitions.
Example
```ts
declare const policyEngine: agentcore.PolicyEngine;
declare const gateway: agentcore.Gateway;

// Allow access unless the user is suspended
const policyWithUnless = new agentcore.Policy(this, "UnlessPolicy", {
  policyEngine: policyEngine,
  policyName: "unless_suspended",
  statement: agentcore.PolicyStatement.permit()
    .forPrincipal('AgentCore::OAuthUser')
    .onAllActions()
    .onResource('AgentCore::Gateway', gateway.gatewayArn)
    .unless()
      .principalAttribute('suspended').equalTo(true)
      .done(),
  description: "Allow all actions unless user is suspended",
  validationMode: agentcore.PolicyValidationMode.FAIL_ON_ANY_FINDINGS,
});
// Generated Cedar:
// permit(
//   principal is AgentCore::OAuthUser,
//   action,
//   resource == AgentCore::Gateway::"arn:..."
// )
// unless {
//   principal.suspended == true
// };
```
Initializer
new PolicyValidationMode(value: string)
Parameters
- value (string)
Properties
| Name | Type | Description |
|---|---|---|
| value | string | The string value of the validation mode. |
| static FAIL_ON_ANY_FINDINGS | Policy | Fail policy creation if any validation findings are detected. |
| static IGNORE_ALL_FINDINGS | Policy | Ignore all validation findings and create the policy anyway. |
value
Type:
string
The string value of the validation mode.
static FAIL_ON_ANY_FINDINGS
Type:
Policy
Fail policy creation if any validation findings are detected.
This is the safer default - catches policy errors early.
static IGNORE_ALL_FINDINGS
Type:
Policy
Ignore all validation findings and create the policy anyway.
Use with caution - may result in runtime authorization errors.
