Bedrock AgentCore Policy FAQs

Question 1

What happens if no policy is defined for a tool?

Accepted Answer

The system follows a 'Default Deny' principle; if there is no explicit permit policy allowing an action, the Gateway will automatically deny the agent's request to use that tool.

Question 2

How does AgentCore Policy differ from Bedrock Guardrails?

Accepted Answer

While Bedrock Guardrails focuses on content filtering and PII masking, AgentCore Policy provides deterministic enforcement of tool actions and API permissions using the Cedar policy language at the gateway level.

Question 3

Can I restrict specific tool parameters?

Accepted Answer

Yes, you can define policies that check 'context.input' to enforce constraints, such as limiting a refund tool to amounts under $1,000 for specific users.

Question 4

Do I need to learn Cedar to use this skill?

Accepted Answer

No, the skill supports Natural Language Authoring which automatically converts plain English instructions into valid Cedar policy code, though manual Cedar editing is also supported for advanced users.

Question 5

What is the performance impact of policy enforcement?

Accepted Answer

Enforcement is designed for high performance with a latency of less than 10ms per tool call, occurring at the Gateway layer before the tool is even executed.

Bedrock AgentCore Policy

주요 기능

사용 사례

Bedrock AgentCore Policy

주요 기능

사용 사례