class Policy (construct)
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.Policy |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#Policy |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.Policy |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.Policy |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » Policy |
Implements
IConstruct, IDependable, IResource, IEnvironment, IPolicy, IPolicy, IGrantable
Individual Cedar policy defining what agents can access.
Policies use Cedar language to specify precise access control rules that are evaluated deterministically by the PolicyEngine.
See also: https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy.html
Example
```typescript
// Reference an existing policy engine by its attributes
const importedEngine = agentcore.PolicyEngine.fromPolicyEngineAttributes(
  this,
  "ImportedEngine",
  {
    policyEngineArn: "policy-engine/my-engine-id",
  }
);

// Reference an existing policy that belongs to that engine
const importedPolicy = agentcore.Policy.fromPolicyAttributes(
  this,
  "ImportedPolicy",
  {
    policyArn: "my-policy-arn",
    policyEngine: importedEngine,
  }
);

// Grant permissions to the imported policy
const role = new iam.Role(this, "PolicyRole", {
  assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"),
});
importedPolicy.grantRead(role);
```
Initializer
new Policy(scope: Construct, id: string, props: PolicyProps)
Parameters
- scope: Construct
- id: string
- props: PolicyProps
Construct Props
| Name | Type | Description |
|---|---|---|
| policyEngine | IPolicyEngine | The policy engine this policy belongs to. |
| definition? | string | Cedar policy statement. The authorization policy written in Cedar policy language. |
| description? | string | Optional description for the policy. |
| policyName? | string | The name of the policy. |
| statement? | PolicyStatement | Type-safe Cedar policy statement built using PolicyStatement builder. |
| validationMode? | PolicyValidationMode | Validation mode for the policy. |
policyEngine
Type:
IPolicyEngine
The policy engine this policy belongs to.
definition?
Type:
string
(optional, default: Must provide either definition or statement)
Cedar policy statement. The authorization policy written in Cedar policy language.
Cedar supports permit and forbid rules with conditions. The statement will be wrapped in a PolicyDefinition structure internally.
Pass the raw Cedar statement as a string. For example:
- "permit(principal, action, resource);"
- "permit(principal in Group::"Admins", action == Action::"InvokeModel", resource) when { context.environment == "production" };"
You must specify either definition or statement, but not both.
description?
Type:
string
(optional, default: No description)
Optional description for the policy.
Maximum length of 4096.
policyName?
Type:
string
(optional, default: Auto-generated unique name)
The name of the policy.
Valid characters: a-z, A-Z, 0-9, _ (underscore).
Must start with a letter; 1-48 characters.
Pattern: ^[A-Za-z][A-Za-z0-9_]*$
statement?
Type:
PolicyStatement
(optional, default: Must provide either definition or statement)
Type-safe Cedar policy statement built using PolicyStatement builder.
Use this for a type-safe, form-like API to build Cedar policies without writing raw Cedar syntax. The builder validates at synthesis time.
You must specify either definition or statement, but not both.
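The raw `definition` string and the type-safe `statement` builder both end up as one Cedar rule. As an added illustration (this is not the package's PolicyStatement builder; every name in it is hypothetical), the TypeScript below renders the two rules quoted above from typed input, escaping string literals so a caller-supplied value cannot break out of the quotes, and checks the prop constraints this page lists:

```typescript
// Added example (not code from @aws-cdk/aws-bedrock-agentcore-alpha): a tiny
// typed renderer for the raw Cedar string that Policy's `definition` prop takes,
// plus the prop checks this page documents. Every identifier here is hypothetical.
interface EntityRef { type: string; id: string }
interface CedarRule {
  effect: "permit" | "forbid";
  principalIn?: EntityRef;         // rendered as: principal in Type::"id"
  actionEq?: EntityRef;            // rendered as: action == Type::"id"
  when?: Record<string, string>;   // rendered as: context.key == "value"
}

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;        // Cedar identifiers / context keys
const POLICY_NAME = /^[A-Za-z][A-Za-z0-9_]*$/;   // policyName pattern from this page

// Quote a Cedar string literal. Backslash and double quote are escaped so a
// caller-supplied value can never close the literal and append its own clauses.
function cedarString(s: string): string {
  return '"' + s.replace(/\\/g, "\\\\").replace(/"/g, '\\"') + '"';
}

function entity(e: EntityRef): string {
  if (!IDENT.test(e.type)) throw new Error(`bad entity type: ${e.type}`);
  return `${e.type}::${cedarString(e.id)}`;
}

function renderCedar(rule: CedarRule): string {
  const principal = rule.principalIn ? `principal in ${entity(rule.principalIn)}` : "principal";
  const action = rule.actionEq ? `action == ${entity(rule.actionEq)}` : "action";
  let out = `${rule.effect}(${principal}, ${action}, resource)`;
  const conds = Object.entries(rule.when ?? {}).map(([k, v]) => {
    if (!IDENT.test(k)) throw new Error(`bad context key: ${k}`);
    return `context.${k} == ${cedarString(v)}`;
  });
  if (conds.length > 0) out += ` when { ${conds.join(" && ")} }`;
  return out + ";";
}

// Mirrors the constraints listed under Construct Props: exactly one of
// definition/statement, policyName pattern and 1-48 chars, description <= 4096.
interface PropsLike { definition?: string; statement?: unknown; policyName?: string; description?: string }
function validatePolicyProps(p: PropsLike): string[] {
  const errors: string[] = [];
  if ((p.definition === undefined) === (p.statement === undefined))
    errors.push("specify exactly one of definition or statement");
  if (p.policyName !== undefined && (p.policyName.length > 48 || !POLICY_NAME.test(p.policyName)))
    errors.push("policyName must match ^[A-Za-z][A-Za-z0-9_]*$ and be 1-48 characters");
  if (p.description !== undefined && p.description.length > 4096)
    errors.push("description exceeds 4096 characters");
  return errors;
}
```

The construct itself performs its own validation at synthesis time; this pre-check only lets a pipeline reject bad props before running cdk synth.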
validationMode?
Type:
PolicyValidationMode
(optional, default: PolicyValidationMode.FAIL_ON_ANY_FINDINGS)
Validation mode for the policy.
Controls how Cedar analyzer validation findings are handled.
Properties
| Name | Type | Description |
|---|---|---|
| definition | string | The Cedar policy definition. |
| env | ResourceEnvironment | The environment this resource belongs to. |
| grantPrincipal | IPrincipal | The principal to grant permissions to. |
| node | Node | The tree node. |
| policyArn | string | The ARN of the policy resource. |
| policyEngine | IPolicyEngine | The policy engine this policy belongs to. |
| policyId | string | The ID of the policy. |
| policyName | string | The name of the policy. |
| policyRef | PolicyReference | A reference to this Policy resource. |
| stack | Stack | The stack in which this resource is defined. |
| description? | string | The description of the policy. |
| validationMode? | PolicyValidationMode | The validation mode for the policy. |
| static PROPERTY_INJECTION_ID | string | Uniquely identifies this class. |
definition
Type:
string
The Cedar policy definition.
env
Type:
ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed in a Stack (those created by
creating new class instances like new Role(), new Bucket(), etc.), this
is always the same as the environment of the stack they belong to.
For referenced resources (those obtained from referencing methods like
Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be
different than the stack they were imported into.
grantPrincipal
Type:
IPrincipal
The principal to grant permissions to.
node
Type:
Node
The tree node.
policyArn
Type:
string
The ARN of the policy resource.
policyEngine
Type:
IPolicyEngine
The policy engine this policy belongs to.
policyId
Type:
string
The ID of the policy.
policyName
Type:
string
The name of the policy.
policyRef
Type:
PolicyReference
A reference to this Policy resource.
stack
Type:
Stack
The stack in which this resource is defined.
description?
Type:
string
(optional)
The description of the policy.
validationMode?
Type:
PolicyValidationMode
(optional)
The validation mode for the policy.
static PROPERTY_INJECTION_ID
Type:
string
Uniquely identifies this class.
Methods
| Name | Description |
|---|---|
| applyRemovalPolicy(policy) | Apply the given removal policy to this resource. |
| grant(grantee, ...actions) | Grants IAM actions to the IAM Principal. |
| grantRead(grantee) | Grants read permissions on the Policy (data plane). |
| metric(metricName, dimensions, props?) | Return the given named metric for this policy. |
| metricEvaluationLatency(props?) | Return a metric measuring the evaluation latency for this policy. |
| metricEvaluations(props?) | Return a metric containing the total number of evaluations for this policy. |
| toString() | Returns a string representation of this construct. |
| with(...mixins) | Applies one or more mixins to this construct. |
| static fromPolicyAttributes(scope, id, attrs) | Creates a Policy reference from an existing policy's attributes. |
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN).
grant(grantee, ...actions)
public grant(grantee: IGrantable, ...actions: string[]): Grant
Parameters
- grantee: IGrantable - The IAM principal to grant permissions to.
- actions: string[] - The actions to grant.
Returns
Grant
Grants IAM actions to the IAM Principal.
grantRead(grantee)
public grantRead(grantee: IGrantable): Grant
Parameters
- grantee: IGrantable - The IAM principal to grant read permissions to.
Returns
Grant
Grants read permissions on the Policy (data plane).
This grants runtime read access to policy configuration. Use this for monitoring, audit, or read-only administrative roles that need to inspect policy definitions and Cedar statements at runtime.
IMPORTANT: This does NOT grant permissions to create/update/delete the Policy
resource itself. Those are control plane operations performed by CloudFormation
during cdk deploy, not by your application at runtime.
metric(metricName, dimensions, props?)
public metric(metricName: string, dimensions: { [string]: string }, props?: MetricOptions): Metric
Parameters
- metricName: string - The name of the metric.
- dimensions: { [string]: string } - Additional dimensions for the metric.
- props: MetricOptions - Optional metric configuration.
Returns
Metric
Return the given named metric for this policy.
By default, the metric will be calculated as a sum over a period of 5 minutes.
You can customize this by using the statistic and period properties.
metricEvaluationLatency(props?)
public metricEvaluationLatency(props?: MetricOptions): Metric
Parameters
- props: MetricOptions - Optional metric configuration.
Returns
Metric
Return a metric measuring the evaluation latency for this policy.
This metric represents the time taken to evaluate this specific policy.
metricEvaluations(props?)
public metricEvaluations(props?: MetricOptions): Metric
Parameters
- props: MetricOptions - Optional metric configuration.
Returns
Metric
Return a metric containing the total number of evaluations for this policy.
This metric tracks how many times this policy has been evaluated.
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.
with(...mixins)
public with(...mixins: IMixin[]): IConstruct
Parameters
- mixins: IMixin[]
Returns
IConstruct
Applies one or more mixins to this construct.
Mixins are applied in order. The list of constructs is captured at the
start of the call, so constructs added by a mixin will not be visited.
Use multiple with() calls if subsequent mixins should apply to added
constructs.
static fromPolicyAttributes(scope, id, attrs)
public static fromPolicyAttributes(scope: Construct, id: string, attrs: PolicyAttributes): IPolicy
Parameters
- scope: Construct - The construct scope.
- id: string - Identifier of the construct.
- attrs: PolicyAttributes - Attributes of the existing policy.
Returns
IPolicy
Creates a Policy reference from an existing policy's attributes.