@shinyaz

AgentCore Policy rejects Cedar permit without conditions as Overly Permissive


Tried the "allow everything first, tighten later" approach with AgentCore Policy by creating a permit without a when clause. Got CREATE_FAILED.

permit(
  principal,
  action == AgentCore::Action::"my-target___get_weather",
  resource == AgentCore::Gateway::"arn:aws:bedrock-agentcore:..."
);

The status reason:

Overly Permissive: Policy Engine will allow every request for the specified
principal (AgentCore::OAuthUser), action (my-target___get_weather) and
resource (arn:aws:bedrock-agentcore:...) combination if the policy is added

The create_policy API defaults validationMode to FAIL_ON_ANY_FINDINGS, and the automated reasoning engine flags unconditional permits as overly permissive. Either add a when clause with some condition, or explicitly pass validationMode="IGNORE_ALL_FINDINGS".
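As an added example (not from the post), a pre-submit check that mirrors the finding above: it refuses to send an unconditional permit with the default validation mode, and only sets validationMode="IGNORE_ALL_FINDINGS" when the caller opts in. The boto3 service name, the policyEngineId/name/definition parameter shapes and the context.input attribute in the when clause are assumptions; validationMode and its two values are from the post.

```python
import re

# Cedar permit from the post (ARN replaced by a placeholder): no when clause,
# so the default validationMode=FAIL_ON_ANY_FINDINGS rejects it as Overly Permissive.
UNCONDITIONAL_PERMIT = '''permit(
  principal,
  action == AgentCore::Action::"my-target___get_weather",
  resource == AgentCore::Gateway::"arn:aws:bedrock-agentcore:REGION:ACCOUNT:gateway/PLACEHOLDER"
);'''

# Same permit narrowed with a when clause. The context.input.location attribute
# is an assumed example field, not a documented AgentCore schema attribute.
CONDITIONAL_PERMIT = UNCONDITIONAL_PERMIT.rstrip(';') + ''' when {
  context.input.location like "Seattle*"
};'''

_CONDITION_RE = re.compile(r'\b(when|unless)\s*\{')


def is_unconditional_permit(statement: str) -> bool:
    """True for a Cedar permit with no when/unless clause: the shape the
    policy engine flags as Overly Permissive. forbid policies are never flagged."""
    body = re.sub(r'//.*', '', statement)  # drop Cedar line comments
    return body.lstrip().startswith('permit') and not _CONDITION_RE.search(body)


def build_create_policy_request(policy_engine_id: str, name: str, statement: str,
                                allow_unconditional: bool = False) -> dict:
    """Build create_policy kwargs. Parameter names other than validationMode are assumed."""
    unconditional = is_unconditional_permit(statement)
    if unconditional and not allow_unconditional:
        raise ValueError('unconditional permit: add a when clause, or opt in to '
                         'validationMode="IGNORE_ALL_FINDINGS" with allow_unconditional=True')
    mode = 'IGNORE_ALL_FINDINGS' if unconditional else 'FAIL_ON_ANY_FINDINGS'
    return {
        'policyEngineId': policy_engine_id,                  # assumed parameter name
        'name': name,                                        # assumed parameter name
        'definition': {'cedar': {'statement': statement}},   # assumed request shape
        'validationMode': mode,
    }


if __name__ == '__main__':
    import boto3
    client = boto3.client('bedrock-agentcore-control')  # assumed service name
    req = build_create_policy_request('PLACEHOLDER_ENGINE_ID', 'weather-seattle-only', CONDITIONAL_PERMIT)
    print(client.create_policy(**req))
```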


Shinya Tahara


Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.