interface PolicyProps
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.PolicyProps |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#PolicyProps |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.PolicyProps |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.PolicyProps |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » PolicyProps |
Properties for creating a Policy resource.
Example
```ts
declare const policyEngine: agentcore.PolicyEngine;

// Option 1: Using definition property
const advancedPolicy = new agentcore.Policy(this, "AdvancedPolicy", {
  policyEngine: policyEngine,
  definition: 'permit(principal, action, resource) when { context.custom > 10 };',
  description: "Advanced policy with custom Cedar logic",
});

// Option 2: Using fromCedar() with statement property
policyEngine.addPolicy("CustomPolicy", {
  statement: agentcore.PolicyStatement.fromCedar(
    'forbid(principal, action, resource) when { resource.confidential == true };'
  ),
  description: "Custom policy from Cedar string",
});
```
Properties
| Name | Type | Description |
|---|---|---|
| policyEngine | IPolicy | The policy engine this policy belongs to. |
| definition? | string | Cedar policy statement. The authorization policy written in Cedar policy language. |
| description? | string | Optional description for the policy. |
| policyName? | string | The name of the policy. |
| statement? | PolicyStatement | Type-safe Cedar policy statement built using PolicyStatement builder. |
| validationMode? | PolicyValidationMode | Validation mode for the policy. |
policyEngine
Type:
IPolicy
The policy engine this policy belongs to.
[disable-awslint:prefer-ref-interface]
definition?
Type:
string
(optional, default: Must provide either definition or statement)
Cedar policy statement. The authorization policy written in Cedar policy language.
Cedar supports permit and forbid rules with conditions. The statement will be wrapped in a PolicyDefinition structure internally.
Pass the raw Cedar statement as a string. For example:
- `permit(principal, action, resource);`
- `permit(principal in Group::"Admins", action == Action::"InvokeModel", resource) when { context.environment == "production" };`
You must specify either definition or statement, but not both.
description?
Type:
string
(optional, default: No description)
Optional description for the policy.
Maximum length of 4096.
policyName?
Type:
string
(optional, default: Auto-generated unique name)
The name of the policy.
Valid characters: a-z, A-Z, 0-9, _ (underscore). Must start with a letter, 1-48 characters. Pattern: ^[A-Za-z][A-Za-z0-9_]*$
statement?
Type:
PolicyStatement
(optional, default: Must provide either definition or statement)
Type-safe Cedar policy statement built using PolicyStatement builder.
Use this for a type-safe, form-like API to build Cedar policies without writing raw Cedar syntax. The builder validates at synthesis time.
You must specify either definition or statement, but not both.
validationMode?
Type:
PolicyValidationMode
(optional, default: PolicyValidationMode.FAIL_ON_ANY_FINDINGS)
Validation mode for the policy.
Controls how Cedar analyzer validation findings are handled.
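
The input constraints documented on this page (exactly one of definition or statement, the policyName pattern and length, the description limit) can be checked before synthesis, for example in a CI lint step. The following TypeScript is an added example, not code from the CDK project; PolicyInput and checkPolicyProps are hypothetical names, and the sample inputs are constructed.

```typescript
// Added example, not code from the CDK project. PolicyInput and
// checkPolicyProps are hypothetical names used only for this illustration.
interface PolicyInput {
  definition?: string;
  statement?: object; // stands in for a PolicyStatement instance
  description?: string;
  policyName?: string;
}

const POLICY_NAME_PATTERN = /^[A-Za-z][A-Za-z0-9_]*$/; // pattern from this page
const POLICY_NAME_MAX = 48;
const DESCRIPTION_MAX = 4096;

// Returns one message per violated constraint; an empty array means the
// props satisfy every rule documented above.
function checkPolicyProps(props: PolicyInput): string[] {
  const errors: string[] = [];
  const hasDefinition = props.definition !== undefined;
  const hasStatement = props.statement !== undefined;
  if (hasDefinition && hasStatement) {
    errors.push("definition and statement are mutually exclusive");
  } else if (!hasDefinition && !hasStatement) {
    errors.push("one of definition or statement is required");
  }
  if (props.policyName !== undefined) {
    // The pattern has no upper bound, so length is checked separately.
    if (!POLICY_NAME_PATTERN.test(props.policyName)) {
      errors.push("policyName must start with a letter and use only A-Z, a-z, 0-9, _");
    }
    if (props.policyName.length > POLICY_NAME_MAX) {
      errors.push("policyName exceeds " + POLICY_NAME_MAX + " characters");
    }
  }
  // Assumption: the 4096 limit is counted in string length units.
  if (props.description !== undefined && props.description.length > DESCRIPTION_MAX) {
    errors.push("description exceeds " + DESCRIPTION_MAX + " characters");
  }
  return errors;
}

// Constructed sample inputs: one valid, two that break documented rules.
const samples: PolicyInput[] = [
  { policyName: "DenyConfidential", definition: "forbid(principal, action, resource) when { resource.confidential == true };" },
  { policyName: "2fast", definition: "permit(principal, action, resource);", statement: {} },
  { policyName: "no-hyphens" },
];
samples.forEach(function (sample) {
  console.log(sample.policyName, checkPolicyProps(sample));
});
```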
