UpdatePolicy - Amazon Bedrock AgentCore Control Plane
Request SyntaxURI Request ParametersRequest BodyResponse SyntaxResponse ElementsErrorsSee Also

UpdatePolicy

Updates an existing policy within the AgentCore Policy system. This operation allows modification of the policy description and definition while maintaining the policy's identity. The updated policy is validated against the Cedar schema before being applied. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.

Request Syntax

PUT /policy-engines/policyEngineId/policies/policyId HTTP/1.1
Content-type: application/json

{
   "definition": { ... },
   "description": "string",
   "validationMode": "string"
}

URI Request Parameters

The request uses the following URI parameters.

policyEngineId

The identifier of the policy engine that manages the policy to be updated. This ensures the policy is updated within the correct policy engine context.

Length Constraints: Minimum length of 12. Maximum length of 59.

Pattern: [A-Za-z][A-Za-z0-9_]*-[a-z0-9_]{10}

Required: Yes

policyId

The unique identifier of the policy to be updated. This must be a valid policy ID that exists within the specified policy engine.

Length Constraints: Minimum length of 12. Maximum length of 59.

Pattern: [A-Za-z][A-Za-z0-9_]*-[a-z0-9_]{10}

Required: Yes

Request Body

The request accepts the following data in JSON format.

definition

The new Cedar policy statement that defines the access control rules. This replaces the existing policy definition with new logic while maintaining the policy's identity.

Type: PolicyDefinition object

Note: This object is a Union. Only one member of this object can be specified or returned.

Required: Yes

description

The new human-readable description for the policy. This optional field allows updating the policy's documentation while keeping the same policy logic.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

Required: No

validationMode

The validation mode for the policy update. Determines how Cedar analyzer validation results are handled during policy updates. FAIL_ON_ANY_FINDINGS runs the Cedar analyzer and fails the update if validation issues are detected, ensuring the policy conforms to the Cedar schema and tool context. IGNORE_ALL_FINDINGS runs the Cedar analyzer but allows updates despite validation warnings. Use FAIL_ON_ANY_FINDINGS to ensure policy correctness during updates, especially when modifying policy logic or conditions.

Type: String

Valid Values: FAIL_ON_ANY_FINDINGS | IGNORE_ALL_FINDINGS

Required: No

Response Syntax

HTTP/1.1 202
Content-type: application/json

{
   "createdAt": "string",
   "definition": { ... },
   "description": "string",
   "name": "string",
   "policyArn": "string",
   "policyEngineId": "string",
   "policyId": "string",
   "status": "string",
   "statusReasons": [ "string" ],
   "updatedAt": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 202 response.

The following data is returned in JSON format by the service.

createdAt

The original creation timestamp of the policy.

Type: Timestamp

definition

The updated Cedar policy statement.

Type: PolicyDefinition object

Note: This object is a Union. Only one member of this object can be specified or returned.

description

The updated description of the policy.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

name

The name of the updated policy.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 48.

Pattern: [A-Za-z][A-Za-z0-9_]*

policyArn

The ARN of the updated policy.

Type: String

Length Constraints: Minimum length of 96. Maximum length of 203.

Pattern: arn:aws[-a-z]{0,7}:bedrock-agentcore:[a-z0-9-]{9,15}:[0-9]{12}:policy-engine/[a-zA-Z][a-zA-Z0-9-_]{0,47}-[a-zA-Z0-9_]{10}/policy/[a-zA-Z][a-zA-Z0-9-_]{0,47}-[a-zA-Z0-9_]{10}

policyEngineId

The identifier of the policy engine managing the updated policy.

Type: String

Length Constraints: Minimum length of 12. Maximum length of 59.

Pattern: [A-Za-z][A-Za-z0-9_]*-[a-z0-9_]{10}

policyId

The unique identifier of the updated policy.

Type: String

Length Constraints: Minimum length of 12. Maximum length of 59.

Pattern: [A-Za-z][A-Za-z0-9_]*-[a-z0-9_]{10}

status

The current status of the updated policy.

Type: String

Valid Values: CREATING | ACTIVE | UPDATING | DELETING | CREATE_FAILED | UPDATE_FAILED | DELETE_FAILED

statusReasons

Additional information about the update status.

Type: Array of strings

updatedAt

The timestamp when the policy was last updated.

Type: Timestamp

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

This exception is thrown when a request is denied per access permissions

HTTP Status Code: 403

ConflictException

This exception is thrown when there is a conflict performing an operation

HTTP Status Code: 409

InternalServerException

This exception is thrown if there was an unexpected error during processing of request

HTTP Status Code: 500

ResourceNotFoundException

This exception is thrown when a resource referenced by the operation does not exist

HTTP Status Code: 404

ThrottlingException

This exception is thrown when the number of requests exceeds the limit

HTTP Status Code: 429

ValidationException

The input fails to satisfy the constraints specified by the service.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: