CreatePolicyEngine - Amazon Bedrock AgentCore Control Plane

CreatePolicyEngine

Creates a new policy engine within the AgentCore Policy system. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with Gateways (each Gateway can be associated with at most one policy engine, but multiple Gateways can be associated with the same engine), the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.

Request Syntax

POST /policy-engines HTTP/1.1
Content-type: application/json

{
   "clientToken": "string",
   "description": "string",
   "name": "string"
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

clientToken

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If you retry a request with the same client token, the service returns the same response without creating a duplicate policy engine.

Type: String

Length Constraints: Minimum length of 33. Maximum length of 256.

Pattern: [a-zA-Z0-9](-*[a-zA-Z0-9]){0,256}

Required: No

description

A human-readable description of the policy engine's purpose and scope (1-4,096 characters). This helps administrators understand the policy engine's role in the overall governance strategy. Document which Gateway this engine will be associated with, what types of tools or workflows it governs, and the team or service responsible for maintaining it. Clear descriptions are essential when managing multiple policy engines across different services or environments.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

Required: No

name

The customer-assigned immutable name for the policy engine. This name identifies the policy engine and cannot be changed after creation.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 48.

Pattern: [A-Za-z][A-Za-z0-9_]*

Required: Yes

Response Syntax

HTTP/1.1 202
Content-type: application/json

{
   "createdAt": "string",
   "description": "string",
   "name": "string",
   "policyEngineArn": "string",
   "policyEngineId": "string",
   "status": "string",
   "statusReasons": [ "string" ],
   "updatedAt": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 202 response.

The following data is returned in JSON format by the service.

createdAt

The timestamp when the policy engine was created. This is automatically set by the service and used for auditing and lifecycle management.

Type: Timestamp

description

A human-readable description of the policy engine's purpose.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 4096.

name

The customer-assigned name of the created policy engine. This matches the name provided in the request and serves as the human-readable identifier.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 48.

Pattern: [A-Za-z][A-Za-z0-9_]*

policyEngineArn

The Amazon Resource Name (ARN) of the created policy engine. This globally unique identifier can be used for cross-service references and IAM policy statements.

Type: String

Length Constraints: Minimum length of 76. Maximum length of 136.

Pattern: arn:aws[-a-z]{0,7}:bedrock-agentcore:[a-z0-9-]{9,15}:[0-9]{12}:policy-engine/[a-zA-Z][a-zA-Z0-9-_]{0,47}-[a-zA-Z0-9_]{10}

policyEngineId

The unique identifier for the created policy engine. This system-generated identifier consists of the customer-assigned name followed by a hyphen and a 10-character generated suffix, and is used for all subsequent policy engine operations.

Type: String

Length Constraints: Minimum length of 12. Maximum length of 59.

Pattern: [A-Za-z][A-Za-z0-9_]*-[a-z0-9_]{10}

status

The current status of the policy engine. A status of ACTIVE indicates the policy engine is ready for use.

Type: String

Valid Values: CREATING | ACTIVE | UPDATING | DELETING | CREATE_FAILED | UPDATE_FAILED | DELETE_FAILED

statusReasons

Additional information about the policy engine status. This provides details about any failures or the current state of the policy engine creation process.

Type: Array of strings

updatedAt

The timestamp when the policy engine was last updated. For newly created policy engines, this matches the createdAt timestamp.

Type: Timestamp

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

This exception is thrown when a request is denied per access permissions.

HTTP Status Code: 403

ConflictException

This exception is thrown when there is a conflict performing an operation.

HTTP Status Code: 409

InternalServerException

This exception is thrown if there was an unexpected error during processing of the request.

HTTP Status Code: 500

ServiceQuotaExceededException

This exception is thrown when a request is made beyond the service quota.

HTTP Status Code: 402

ThrottlingException

This exception is thrown when the number of requests exceeds the limit.

HTTP Status Code: 429

ValidationException

The input fails to satisfy the constraints specified by the service.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: