PolicyEngineMode
- class aws_cdk.aws_bedrock_agentcore_alpha.PolicyEngineMode(value)
Bases:
object
(experimental) The enforcement mode for a policy engine associated with a gateway.
- Stability:
experimental
- ExampleMetadata:
fixture=default infused
Example:
import aws_cdk.aws_bedrock_agentcore_alpha as agentcore

# Runs inside a Stack or Construct, where `self` is the scope.

# Create a Policy engine
policy_engine = agentcore.PolicyEngine(self, "MyPolicyEngine",
    policy_engine_name="my_policy_engine",
    description="Policy engine for access control"
)

# Attach the policy engine to the gateway in ENFORCE mode
gateway = agentcore.Gateway(self, "MyGateway",
    gateway_name="my-gateway",
    policy_engine_configuration=agentcore.GatewayPolicyEngineConfig(
        policy_engine=policy_engine,
        mode=agentcore.PolicyEngineMode.ENFORCE
    )
)

# Add policy to policy engine
policy_engine.add_policy("AllowAllActions",
    definition=f"""
        permit(
          principal,
          action,
          resource == AgentCore::Gateway::"{gateway.gateway_arn}"
        );
    """,
    description="Allow all actions on specific gateway (development)",
    validation_mode=agentcore.PolicyValidationMode.IGNORE_ALL_FINDINGS
)

# you can add multiple policies to the policy engine
policy_engine.add_policy("SpecificToolPolicy",
    definition=f"""
        permit(
          principal is AgentCore::OAuthUser,
          action == AgentCore::Action::"WeatherTool__get_forecast",
          resource == AgentCore::Gateway::"{gateway.gateway_arn}"
        );
    """,
    description="Allow specific weather tool access",
    validation_mode=agentcore.PolicyValidationMode.FAIL_ON_ANY_FINDINGS
)
- Parameters:
value (str)
- Stability:
experimental
Attributes
- ENFORCE = <aws_cdk.aws_bedrock_agentcore_alpha.PolicyEngineMode object>
- LOG_ONLY = <aws_cdk.aws_bedrock_agentcore_alpha.PolicyEngineMode object>
- value
(experimental) The string value of the policy engine mode.
- Stability:
experimental