IAM Permissions
Registry actions
To allow an IAM identity to create, manage, or use registries, attach an identity-based policy that permits the relevant Amazon Bedrock AgentCore actions. For comprehensive permissions, you can use the BedrockAgentCoreFullAccess managed policy.
For greater security and control, create your own custom policy that grants only the subset of the full access policy's permissions that the identity actually needs (for example, data plane read actions on a single registry).
Registry control plane actions
| Action | Description | Access level |
|---|---|---|
| | Grants permission to create a registry | Write |
| | Grants permission to get a registry | Read |
| | Grants permission to update a registry | Write |
| | Grants permission to delete a registry | Write |
| | Grants permission to list registries | List |
Registry record control plane actions
| Action | Description | Access level |
|---|---|---|
| | Grants permission to create a registry record | Write |
| | Grants permission to get a registry record | Read |
| | Grants permission to update a registry record | Write |
| | Grants permission to delete a registry record | Write |
| | Grants permission to list registry records | List |
| | Grants permission to submit a registry record for approval | Write |
| | Grants permission to approve, reject, or deprecate a registry record | Write |
Registry data plane actions
| Action | Description | Access level |
|---|---|---|
| SearchRegistryRecords | Grants permission to search registry records | Read |
| InvokeRegistryMcp | Grants permission to invoke the registry MCP endpoint | Read |
Note
To invoke the MCP server, the identity needs both the SearchRegistryRecords and the InvokeRegistryMcp IAM permissions; granting only one of them is not sufficient.
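The following is an added example, not code from the AgentCore documentation, that ties together the advice above to trim the full access policy down to what an identity needs and the Note that MCP invocation requires both data plane actions. It builds a least-privilege identity-based policy for an MCP client scoped to one registry, then checks a policy offline with a simplified IAM evaluation (explicit Deny beats Allow, wildcards honoured, conditions ignored). Two things are assumptions rather than facts from the page: the IAM service prefix `bedrock-agentcore`, and the registry ARN, which is a made-up placeholder because the page does not state the ARN format.

```python
"""Least-privilege policy for an AgentCore registry MCP client, with an offline
pre-check. Added example; not the documentation's or the service's own code."""
import fnmatch
import json

SERVICE_PREFIX = "bedrock-agentcore"  # assumption: IAM service prefix for AgentCore

# The documentation states that invoking the MCP server requires BOTH of these.
MCP_INVOKE_ACTIONS = (
    f"{SERVICE_PREFIX}:SearchRegistryRecords",
    f"{SERVICE_PREFIX}:InvokeRegistryMcp",
)

# Hypothetical registry ARN used only for this demonstration.
EXAMPLE_REGISTRY_ARN = "arn:aws:bedrock-agentcore:us-east-1:123456789012:registry/example"


def mcp_client_policy(registry_arn: str) -> dict:
    """Identity-based policy granting only the two data plane actions an MCP
    client needs, scoped to a single registry rather than Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InvokeRegistryMcpOnly",
            "Effect": "Allow",
            "Action": list(MCP_INVOKE_ACTIONS),
            "Resource": registry_arn,
        }],
    }


def search_only_policy(registry_arn: str) -> dict:
    """Constructed, deliberately incomplete policy: search allowed, MCP invoke not."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": f"{SERVICE_PREFIX}:SearchRegistryRecords",
        "Resource": registry_arn,
    }]}


def _as_list(value):
    """Statement, Action and Resource may each be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict, candidates, resource: str) -> set:
    """Subset of `candidates` that `policy` allows on `resource`.

    Simplified local evaluation: an explicit Deny beats any Allow, and "*" or
    "prefix:*" wildcards in Action and Resource are honoured. Condition blocks,
    NotAction and NotResource are ignored, so use this as a pre-check before
    the IAM policy simulator, not instead of it.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        resources = _as_list(stmt.get("Resource"))
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in resources):
            continue  # statement does not apply to this registry
        actions = _as_list(stmt.get("Action"))
        hits = {c for c in candidates
                if any(fnmatch.fnmatchcase(c, pat) for pat in actions)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits
    return allowed - denied


def can_invoke_mcp(policy: dict, registry_arn: str) -> bool:
    """True only when BOTH required actions are allowed on the registry;
    one without the other is exactly the failure mode the Note warns about."""
    return set(MCP_INVOKE_ACTIONS) <= allowed_actions(policy, MCP_INVOKE_ACTIONS, registry_arn)


if __name__ == "__main__":
    policy = mcp_client_policy(EXAMPLE_REGISTRY_ARN)
    print(json.dumps(policy, indent=2))
    print("least-privilege policy can invoke MCP:",
          can_invoke_mcp(policy, EXAMPLE_REGISTRY_ARN))
    print("search-only policy can invoke MCP:",
          can_invoke_mcp(search_only_policy(EXAMPLE_REGISTRY_ARN), EXAMPLE_REGISTRY_ARN))
```

The evaluator is intentionally narrow: it exists to catch the two mistakes that are easy to make when trimming BedrockAgentCoreFullAccess by hand, granting SearchRegistryRecords without InvokeRegistryMcp (or vice versa), and scoping the Resource to a registry ARN that does not match the one the client calls. Validate the finished policy with the IAM policy simulator before attaching it.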
Registry resource types
The following resource types are defined for AWS Agent Registry:
| Resource type | ARN format |
|---|---|
| Registry | |
| Registry record | |