Policy create and update: per-policy engine validation
When you create or update a policy directly (rather than through generation), validation and analysis take into account both the new policy and its interactions with all policies that already exist in the policy engine.
How it works
- The policy is validated against the Cedar schema for all gateways associated with the policy engine.
- Analysis runs in the context of the entire policy engine.
- The validation mode determines whether creation fails on findings. For more information about validation modes, see Add policies to the Policy Engine.
Example: Create a policy with validation
Create a policy with strict validation that rejects policies with any findings:
aws bedrock-agentcore-control create-policy \
  --policy-engine-id MyEngine-abc123 \
  --name RestrictRefunds \
  --validation-mode FAIL_ON_ANY_FINDINGS \
  --definition '{
    "cedar": {
      "statement": "forbid(\n  principal,\n  action == Action::\"processRefund\",\n  resource\n) when {\n  context.amount > 1000\n};"
    }
  }'
The response indicates the policy is being created:
{
  "policyId": "RestrictRefunds-ghi789",
  "status": "CREATING"
}
Check the policy status to confirm validation passed:
aws bedrock-agentcore-control get-policy \
  --policy-engine-id MyEngine-abc123 \
  --policy-id RestrictRefunds-ghi789
When validation passes, the policy becomes active:
{
  "policyId": "RestrictRefunds-ghi789",
  "status": "ACTIVE",
  "statusReasons": []
}
Example: Validation failure
If a policy references an action that doesn’t exist in any associated gateway’s schema, validation fails:
aws bedrock-agentcore-control create-policy \
  --policy-engine-id MyEngine-abc123 \
  --name InvalidPolicy \
  --validation-mode FAIL_ON_ANY_FINDINGS \
  --definition '{
    "cedar": {
      "statement": "permit(\n  principal,\n  action == Action::\"nonExistentTool\",\n  resource\n);"
    }
  }'
When you check the policy status, the response reports the validation failure in statusReasons:
aws bedrock-agentcore-control get-policy \
  --policy-engine-id MyEngine-abc123 \
  --policy-id InvalidPolicy-jkl012
{
  "policyId": "InvalidPolicy-jkl012",
  "status": "CREATE_FAILED",
  "statusReasons": [
    "Validation failed: Action 'nonExistentTool' is not defined in the schema for any associated gateway"
  ]
}
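The create-then-check flow from both examples above, driven from code rather than typed by hand, as an added example that is not part of this page, the AWS CLI or any AWS SDK. It builds the --definition document with a JSON encoder so the embedded quotes and newlines in the Cedar statement are escaped correctly, then polls the policy status until it leaves CREATING, treating CREATE_FAILED as an error that carries the statusReasons. The get_policy callable and its policyEngineId/policyId keyword names are assumptions: wire it to whatever SDK client you use; the fake included here replays constructed responses so the whole thing runs offline.

```python
import json
import time

# Policy status values as they appear in the GetPolicy responses on this page.
STATUS_CREATING = "CREATING"
STATUS_ACTIVE = "ACTIVE"
STATUS_CREATE_FAILED = "CREATE_FAILED"


class PolicyValidationError(RuntimeError):
    """Raised when the policy engine rejects a policy; carries the statusReasons."""

    def __init__(self, policy_id, reasons):
        self.policy_id = policy_id
        self.reasons = list(reasons)
        super().__init__(
            f"policy {policy_id} failed validation: {'; '.join(self.reasons)}")


def build_cedar_definition(statement):
    """Return the JSON document passed as --definition (or the request's definition field).

    json.dumps escapes the double quotes and newlines inside the Cedar statement,
    so the document is always valid JSON regardless of what the statement contains.
    """
    return json.dumps({"cedar": {"statement": statement}})


def wait_for_policy(get_policy, policy_engine_id, policy_id,
                    poll_seconds=2.0, max_polls=30, sleep=time.sleep):
    """Poll until the policy leaves CREATING and return the final GetPolicy response.

    get_policy(policyEngineId=..., policyId=...) is an assumed callable that returns
    a dict shaped like the responses on this page: {"policyId", "status",
    "statusReasons"}. ACTIVE returns the response; CREATE_FAILED raises
    PolicyValidationError so a caller cannot silently proceed with a policy the
    engine rejected; any other status is treated as an error.
    """
    for _ in range(max_polls):
        resp = get_policy(policyEngineId=policy_engine_id, policyId=policy_id)
        status = resp.get("status")
        if status == STATUS_ACTIVE:
            return resp
        if status == STATUS_CREATE_FAILED:
            raise PolicyValidationError(policy_id, resp.get("statusReasons", []))
        if status != STATUS_CREATING:
            raise RuntimeError(f"policy {policy_id}: unexpected status {status!r}")
        sleep(poll_seconds)
    raise TimeoutError(
        f"policy {policy_id} still {STATUS_CREATING} after {max_polls} polls")


def make_fake_get_policy(responses):
    """Constructed stand-in for the GetPolicy call: replays the given responses in
    order and keeps returning the last one. Used here so the flow runs offline."""
    queue = list(responses)

    def get_policy(policyEngineId, policyId):
        resp = queue.pop(0) if len(queue) > 1 else queue[0]
        assert resp["policyId"] == policyId  # constructed data must match the query
        return resp

    return get_policy


if __name__ == "__main__":
    # Constructed responses mirroring the two examples on this page.
    print(build_cedar_definition(
        'forbid(\n  principal,\n  action == Action::"processRefund",\n  resource\n)'
        ' when {\n  context.amount > 1000\n};'))

    ok = make_fake_get_policy([
        {"policyId": "RestrictRefunds-ghi789", "status": STATUS_CREATING},
        {"policyId": "RestrictRefunds-ghi789", "status": STATUS_ACTIVE,
         "statusReasons": []},
    ])
    print(wait_for_policy(ok, "MyEngine-abc123", "RestrictRefunds-ghi789",
                          sleep=lambda s: None))

    bad = make_fake_get_policy([{
        "policyId": "InvalidPolicy-jkl012",
        "status": STATUS_CREATE_FAILED,
        "statusReasons": ["Validation failed: Action 'nonExistentTool' is not "
                          "defined in the schema for any associated gateway"],
    }])
    try:
        wait_for_policy(bad, "MyEngine-abc123", "InvalidPolicy-jkl012",
                        sleep=lambda s: None)
    except PolicyValidationError as err:
        print("rejected:", err.reasons)
```

In a deployment pipeline, raising on CREATE_FAILED is the important design choice: with FAIL_ON_ANY_FINDINGS the create call itself returns CREATING, so a script that only checks the create response will never see the rejection, and the findings in statusReasons are the only record of why the policy was refused.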