(aws-bedrock-agentcore): Add L2 constructs for Policy and PolicyEngine with type-safe Cedar policy builder #37219

@dineshSajwan

Description

Describe the feature

The AWS Bedrock AgentCore module now supports Policy and PolicyEngine resources for fine-grained security control. This feature request adds L2 constructs for:

  1. PolicyEngine - Container that manages Cedar authorization policies associated with gateways
  2. Policy - Individual Cedar authorization rules defining what agents can access
  3. PolicyStatement - Type-safe builder for creating Cedar policies without writing raw Cedar syntax

Key Features:

  • Full L2 construct support for AWS::BedrockAgentCore::PolicyEngine and AWS::BedrockAgentCore::Policy
  • Type-safe PolicyStatement builder with fluent API for creating Cedar policies

https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy.html

Use Case

"As a CDK user, I need to implement fine-grained authorization control for my Bedrock agents using Cedar policies. Currently, I have to manually write CloudFormation templates or use L1 constructs, which requires deep knowledge of Cedar syntax and lacks type safety."

Proposed Solution

The implementation provides three main constructs:

  1. PolicyEngine L2 Construct

```ts
const policyEngine = new agentcore.PolicyEngine(this, 'MyEngine', {
  policyEngineName: 'my_engine',
  description: 'Authorization engine for my agents',
  kmsKey: myKey, // Optional KMS encryption
  tags: { Environment: 'Production' },
});
```
  2. Policy L2 Construct

Raw Cedar Definition

```ts
new agentcore.Policy(this, 'MyPolicy', {
  policyEngine: policyEngine,
  policyName: 'my_policy',
  definition: 'permit(principal, action, resource);',
});
```

Type-Safe Builder

```ts
new agentcore.Policy(this, 'MyPolicy', {
  policyEngine: policyEngine,
  policyName: 'my_policy',
  statement: agentcore.PolicyStatement.permit()
    .forPrincipal('AgentCore::OAuthUser', 'user123')
    .onActions(['AgentCore::Action::GetData', 'AgentCore::Action::PutData'])
    .onResource('AgentCore::Gateway', gatewayArn)
    .when()
      .principalAttribute('department').equalTo('Engineering')
      .and()
      .contextAttribute('sourceIp').isInRange('192.001.0.1/24')
    .done()
    .unless()
      .principalAttribute('suspended').equalTo(true)
    .done(),
});
```
  3. PolicyStatement Builder

Provides a type-safe function for building Cedar policies:

Generated Cedar Example:

```cedar
permit(
  principal == AgentCore::OAuthUser::"user123",
  action in [AgentCore::Action::"GetData", AgentCore::Action::"PutData"],
  resource == AgentCore::Gateway::"arn:aws:bedrock:us-east-1:123:gateway/gw-abc"
)
when { principal.department == "Engineering" && context.sourceIp isInRange ip("192.001.0.1/24") }
unless { principal.suspended == true };
```
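As an added example (not aws-cdk-lib code and not the API proposed in this issue), the following hypothetical TypeScript builder renders the generated Cedar shown above from a fluent call chain, escaping every entity id and string value so that a value taken from untrusted input cannot close its quotes and change the meaning of the policy. The names `CedarPermit`, `attr`, `entity` and `samplePolicy` are assumptions for this illustration.

```typescript
// Added illustration, not the aws-cdk-lib API proposed in this issue: a minimal fluent
// builder rendering Cedar text in the shape of the issue's example. All names are hypothetical.
type Condition = string;
// Entity reference in Cedar form, Type::"id"; JSON.stringify escapes quotes so an id taken
// from untrusted input cannot close the string and alter the meaning of the policy.
const entity = (type: string, id: string): string => `${type}::${JSON.stringify(id)}`;
// Attribute condition helpers: attr('principal', 'department').equalTo('Engineering')
// renders as  principal.department == "Engineering"
const attr = (scope: 'principal' | 'resource' | 'context', name: string) => ({
  equalTo: (v: string | number | boolean): Condition =>
    `${scope}.${name} == ${typeof v === 'string' ? JSON.stringify(v) : String(v)}`,
  isInRange: (cidr: string): Condition => `${scope}.${name} isInRange ip(${JSON.stringify(cidr)})`,
});
class CedarPermit {
  private principal = 'principal'; // unconstrained until forPrincipal() is called
  private action = 'action';
  private resource = 'resource';
  private readonly whenConds: Condition[] = [];
  private readonly unlessConds: Condition[] = [];
  forPrincipal(type: string, id: string): this { this.principal = `principal == ${entity(type, id)}`; return this; }
  onResource(type: string, id: string): this { this.resource = `resource == ${entity(type, id)}`; return this; }
  onActions(actions: string[]): this {
    // "AgentCore::Action::GetData" splits into type "AgentCore::Action" and id "GetData".
    const refs = actions.map((a) => {
      const i = a.lastIndexOf('::');
      if (i < 0) throw new Error(`action must be Type::id, got ${a}`);
      return entity(a.slice(0, i), a.slice(i + 2));
    });
    this.action = `action in [${refs.join(', ')}]`;
    return this;
  }
  when(...conds: Condition[]): this { this.whenConds.push(...conds); return this; }
  unless(...conds: Condition[]): this { this.unlessConds.push(...conds); return this; }
  // Render the policy; conditions within a clause are joined with &&.
  toCedar(): string {
    const clause = (kw: string, cs: Condition[]) => (cs.length ? ` ${kw} { ${cs.join(' && ')} }` : '');
    return `permit(${this.principal}, ${this.action}, ${this.resource})` +
      clause('when', this.whenConds) + clause('unless', this.unlessConds) + ';';
  }
}
// Constructed sample reproducing the issue's generated-Cedar example.
function samplePolicy(): string {
  return new CedarPermit()
    .forPrincipal('AgentCore::OAuthUser', 'user123')
    .onActions(['AgentCore::Action::GetData', 'AgentCore::Action::PutData'])
    .onResource('AgentCore::Gateway', 'arn:aws:bedrock:us-east-1:123:gateway/gw-abc')
    .when(attr('principal', 'department').equalTo('Engineering'), attr('context', 'sourceIp').isInRange('192.001.0.1/24'))
    .unless(attr('principal', 'suspended').equalTo(true)).toCedar();
}
```

The escaping in `entity` and `equalTo` is the practical reason to prefer a builder over concatenating a raw `definition` string: an attribute value containing a double quote is emitted as `"a\"b"` rather than terminating the literal.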
  4. Convenience Methods

```ts
// Add multiple policies to an engine
policyEngine.addPolicy('Policy1', { statement: PolicyStatement.permit()... });

// Access policies list
const policies = policyEngine.policies;
```

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

latest

AWS CDK CLI version

latest

Environment details (OS name and version, etc.)

all
