class PolicyStatement
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.PolicyStatement |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#PolicyStatement |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.PolicyStatement |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.PolicyStatement |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » PolicyStatement |
Type-safe builder for creating Cedar authorization policy statements.
This builder provides a fluent API for constructing Cedar policies without requiring knowledge of Cedar syntax. It supports:
- Permit and forbid effects
- Principal, action, and resource specifications
- Conditional logic (when/unless clauses)
- Raw Cedar for advanced cases
The builder generates valid Cedar policy statements that can be used with the Policy construct.
Example
```ts
import { Policy, PolicyEngine, PolicyStatement } from '@aws-cdk/aws-bedrock-agentcore-alpha';

declare const engine: PolicyEngine;

// Example 4: Raw Cedar policy
// For advanced Cedar features not supported by the builder
new Policy(this, 'CustomPolicy', {
  policyEngine: engine,
  definition: 'permit(principal, action, resource) when { context.custom > 10 };',
});

// Or using fromCedar():
new Policy(this, 'ImportedPolicy', {
  policyEngine: engine,
  statement: PolicyStatement.fromCedar(
    'forbid(principal, action, resource) when { resource.confidential == true };'
  ),
});
```
Methods
| Name | Description |
|---|---|
| forAllPrincipals() | Apply to all principals (any user, service, or entity). |
| forPrincipal(entityType, entityId?) | Apply to a specific principal entity. |
| forPrincipalInGroup(groupType, groupId) | Apply to principals that are members of a specific group. |
| onAction(action) | Apply to a single specific action. |
| onActions(actions) | Apply to specific action(s). |
| onAllActions() | Apply to all actions (any operation). |
| onAllResources(entityType?) | Apply to all resources of a specific type. |
| onResource(entityType, entityArn) | Apply to a specific resource instance. |
| onResourceType(entityType) | Apply to all resources of a specific type (explicit method). |
| toCedar() | Generate the Cedar policy statement string. |
| unless() | Add unless conditions - policy applies only if these conditions are false. |
| when() | Add when conditions - policy applies only if these conditions are true. |
| static forbid() | Create a forbid statement - denies the action if conditions are met. |
| static fromCedar(cedarStatement) | Create from raw Cedar policy statement string. |
| static permit() | Create a permit statement - allows the action if conditions are met. |
forAllPrincipals()
public forAllPrincipals(): PolicyStatement
Returns
PolicyStatement
Apply to all principals (any user, service, or entity).
Generates: principal in Cedar
forPrincipal(entityType, entityId?)
public forPrincipal(entityType: string, entityId?: string): PolicyStatement
Parameters
- entityType: string - The entity type (e.g., 'AgentCore::OAuthUser').
- entityId: string - Optional specific entity ID.
Returns
PolicyStatement
Apply to a specific principal entity.
Generates: principal == EntityType::"entityId" in Cedar
forPrincipalInGroup(groupType, groupId)
public forPrincipalInGroup(groupType: string, groupId: string): PolicyStatement
Parameters
- groupType: string - The group entity type (e.g., 'Group').
- groupId: string - The group identifier (e.g., 'Admins', 'Engineers').
Returns
PolicyStatement
Apply to principals that are members of a specific group.
Generates: principal in Group::"groupId" in Cedar
onAction(action)
public onAction(action: string): PolicyStatement
Parameters
- action: string - Action name (e.g., 'AgentCore::Action::InsuranceAPI__get_policy').
Returns
PolicyStatement
Apply to a single specific action.
Generates: action == Action::"name" in Cedar
onActions(actions)
public onActions(actions: string[]): PolicyStatement
Parameters
- actions: string[] - Array of action names (e.g., ['AgentCore::Action::InsuranceAPI__get_policy']).
Returns
PolicyStatement
Apply to specific action(s).
Generates: action == Action::"name" or action in [Action::"name1", Action::"name2"] in Cedar
onAllActions()
public onAllActions(): PolicyStatement
Returns
PolicyStatement
Apply to all actions (any operation).
Generates: action in Cedar
onAllResources(entityType?)
public onAllResources(entityType?: string): PolicyStatement
Parameters
- entityType: string - The entity type (default: 'AgentCore::Gateway').
Returns
PolicyStatement
Apply to all resources of a specific type.
AWS Requirement: the AWS Bedrock AgentCore Policy service does not allow wildcard resources (a bare resource clause). This method emits a type-constrained resource clause, which is required for policy validation to succeed.
Generates: resource is EntityType in Cedar
Example
```ts
import { PolicyStatement } from '@aws-cdk/aws-bedrock-agentcore-alpha';

// Constrain to Gateway resources (default)
PolicyStatement.permit()
  .forAllPrincipals()
  .onAllActions()
  .onAllResources(); // → "resource is AgentCore::Gateway"

// Constrain to Runtime resources
PolicyStatement.permit()
  .forAllPrincipals()
  .onAllActions()
  .onAllResources('AgentCore::Runtime'); // → "resource is AgentCore::Runtime"
```
onResource(entityType, entityArn)
public onResource(entityType: string, entityArn: string): PolicyStatement
Parameters
- entityType: string - The entity type (e.g., 'AgentCore::Gateway').
- entityArn: string - The resource ARN or identifier.
Returns
PolicyStatement
Apply to a specific resource instance.
AWS Requirement: When using specific actions (e.g., action == Action::"Delete"), you must constrain the resource to a specific instance, not just a type.
Generates: resource == EntityType::"arn" in Cedar
Example
```ts
import { PolicyStatement } from '@aws-cdk/aws-bedrock-agentcore-alpha';

declare const gatewayArn: string;

PolicyStatement.forbid()
  .forAllPrincipals()
  .onAction('AgentCore::Action::Delete')
  .onResource('AgentCore::Gateway', gatewayArn); // Must be a specific resource
```
onResourceType(entityType)
public onResourceType(entityType: string): PolicyStatement
Parameters
- entityType: string - The entity type (e.g., 'AgentCore::Gateway', 'AgentCore::Runtime').
Returns
PolicyStatement
Apply to all resources of a specific type (explicit method).
AWS Requirement: Resource type constraints are required by AWS Bedrock AgentCore when using wildcard principals or actions.
Generates: resource is EntityType in Cedar
Example
```ts
import { PolicyStatement } from '@aws-cdk/aws-bedrock-agentcore-alpha';

PolicyStatement.permit()
  .forAllPrincipals()
  .onAllActions()
  .onResourceType('AgentCore::Gateway'); // → "resource is AgentCore::Gateway"
```
toCedar()
public toCedar(): string
Returns
string
Generate the Cedar policy statement string.
Converts the builder state into valid Cedar policy syntax. This is called internally by the Policy construct.
unless()
public unless(): ConditionalPolicyStatement
Returns
ConditionalPolicyStatement
Add unless conditions - policy applies only if these conditions are false.
Unless conditions define negative requirements (exclusions). The policy applies when these conditions are NOT met.
Returns a ConditionBuilder that you can chain condition methods on. Call done() when finished to return to the PolicyStatement.
when()
public when(): ConditionalPolicyStatement
Returns
ConditionalPolicyStatement
Add when conditions - policy applies only if these conditions are true.
When conditions define positive requirements that must be met. Multiple conditions can be combined with AND/OR operators.
Returns a ConditionBuilder that you can chain condition methods on. Call done() when finished to return to the PolicyStatement.
static forbid()
public static forbid(): PolicyStatement
Returns
PolicyStatement
Create a forbid statement - denies the action if conditions are met.
Forbid statements deny access when their conditions evaluate to true. Forbid always takes precedence over permit (explicit deny).
static fromCedar(cedarStatement)
public static fromCedar(cedarStatement: string): PolicyStatement
Parameters
- cedarStatement: string - Complete Cedar policy statement including effect, principal, action, resource, and conditions.
Returns
PolicyStatement
Create from raw Cedar policy statement string.
Use this for advanced Cedar features not supported by the builder, or when migrating existing Cedar policies.
Validation is deferred to the Policy construct's validationMode setting.
static permit()
public static permit(): PolicyStatement
Returns
PolicyStatement
Create a permit statement - allows the action if conditions are met.
Permit statements grant access when their conditions evaluate to true. Multiple permit statements can apply; any matching permit allows access.
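The following is an added example and not code from @aws-cdk/aws-bedrock-agentcore-alpha or the Cedar project. It puts the rules stated in this reference into runnable form: the two AWS requirements on resource constraints (onAllResources, onResource, onResourceType), the when/unless condition semantics, and the forbid-over-permit decision rule of forbid() and permit(). It is a small parser, linter and evaluator for the statement shapes the "Generates:" notes describe, so a reviewer can check what toCedar() would emit before it reaches the Policy construct. Assumptions: entity references are written as Type::"id" (for example AgentCore::Action::"Delete"), only single-comparison when/unless clauses are handled, and the sample policies, principal, group and gateway ARN are constructed placeholders.

```typescript
// Added example; not code from @aws-cdk/aws-bedrock-agentcore-alpha. A minimal parser,
// linter and evaluator for the Cedar shapes the builder's "Generates:" notes describe.
// Assumption: entity references are emitted as Type::"id" (e.g. AgentCore::Action::"Delete").
type Literal = string | number | boolean;
interface Scope { kind: 'any' | 'eq' | 'in' | 'is' | 'list'; type?: string; id?: string; ids?: string[] }
interface Condition { kind: 'when' | 'unless'; lhs: string; op: string; rhs: Literal }
interface Statement { effect: 'permit' | 'forbid'; principal: Scope; action: Scope; resource: Scope; conditions: Condition[] }
// Entities are Type::"id" strings; context/entity attributes are flattened into attrs ('context.custom').
interface Request { principal: string; groups: string[]; action: string; resource: string; attrs: Record<string, Literal> }
const HEAD = /^\s*(permit|forbid)\s*\(\s*(principal[^,]*?)\s*,\s*(action[\s\S]*?)\s*,\s*(resource[^)]*?)\s*\)([\s\S]*?);?\s*$/;
const COND = /(when|unless)\s*\{\s*([\w.]+)\s*(==|!=|>=|<=|>|<)\s*("[^"]*"|true|false|-?\d+)\s*\}/;
const NUM_OPS: Record<string, (a: number, b: number) => boolean> = { '>': (a, b) => a > b, '<': (a, b) => a < b, '>=': (a, b) => a >= b, '<=': (a, b) => a <= b };

function parseScope(text: string, name: string): Scope {
  const t = text.trim();
  if (t === name) return { kind: 'any' };                                   // bare principal / action / resource
  let m = t.match(/^\w+ == ([\w:]+)::"([^"]*)"$/);
  if (m) return { kind: 'eq', type: m[1], id: m[2] };                       // == Type::"id"
  m = t.match(/^\w+ in ([\w:]+)::"([^"]*)"$/);
  if (m) return { kind: 'in', type: m[1], id: m[2] };                       // in Group::"id"
  m = t.match(/^\w+ is ([\w:]+)$/);
  if (m) return { kind: 'is', type: m[1] };                                 // is Type
  m = t.match(/^\w+ in \[([\s\S]*)\]$/);
  if (m) return { kind: 'list', ids: m[1].split(',').map(s => s.trim()) }; // in [A, B]
  throw new Error(`unsupported ${name} clause: ${t}`);
}
function parseLiteral(raw: string): Literal {
  if (raw.startsWith('"')) return raw.slice(1, -1);
  if (raw === 'true' || raw === 'false') return raw === 'true';
  return Number(raw);
}
function parseStatement(cedar: string): Statement {
  const m = cedar.match(HEAD);
  if (!m) throw new Error(`not a builder-shaped Cedar statement: ${cedar}`);
  const conditions: Condition[] = [];
  const re = new RegExp(COND.source, 'g');
  let c: RegExpExecArray | null;
  while ((c = re.exec(m[5])) !== null) {
    conditions.push({ kind: c[1] as 'when' | 'unless', lhs: c[2], op: c[3], rhs: parseLiteral(c[4]) });
  }
  return { effect: m[1] as 'permit' | 'forbid', principal: parseScope(m[2], 'principal'), action: parseScope(m[3], 'action'), resource: parseScope(m[4], 'resource'), conditions };
}

// The two AWS requirements quoted in this reference, checked before the statement is deployed.
function lint(s: Statement): string[] {
  const problems: string[] = [];
  if (s.resource.kind === 'any') problems.push('wildcard resource: use onAllResources()/onResourceType() or onResource()');
  if ((s.action.kind === 'eq' || s.action.kind === 'list') && s.resource.kind !== 'eq') {
    problems.push('specific action needs a specific resource instance: use onResource()');
  }
  return problems;
}
function scopeMatches(sc: Scope, entity: string, groups: string[]): boolean {
  switch (sc.kind) {
    case 'any': return true;
    case 'eq': return entity === `${sc.type}::"${sc.id}"`;
    case 'in': return groups.indexOf(`${sc.type}::"${sc.id}"`) >= 0;
    case 'is': return entity.startsWith(`${sc.type}::"`);
    case 'list': return (sc.ids || []).indexOf(entity) >= 0;
    default: return false;
  }
}
// undefined = attribute missing. Cedar treats that as an evaluation error and skips the
// whole policy, so a forbid guarded only by `unless { context.x == true }` fails open.
function holds(c: Condition, req: Request): boolean | undefined {
  const v = req.attrs[c.lhs];
  if (v === undefined) return undefined;
  if (c.op === '==') return v === c.rhs;
  if (c.op === '!=') return v !== c.rhs;
  return NUM_OPS[c.op](Number(v), Number(c.rhs));
}
function applies(s: Statement, req: Request): boolean {
  if (!scopeMatches(s.principal, req.principal, req.groups)) return false;
  if (!scopeMatches(s.action, req.action, [])) return false;
  if (!scopeMatches(s.resource, req.resource, [])) return false;
  for (const c of s.conditions) {
    const r = holds(c, req);
    if (r === undefined || (c.kind === 'when' ? !r : r)) return false;
  }
  return true;
}
// Decision rule as stated above: any applicable forbid denies; else any applicable permit allows; else deny.
function authorize(policies: string[], req: Request): 'allow' | 'deny' {
  const applicable = policies.map(parseStatement).filter(s => applies(s, req));
  if (applicable.some(s => s.effect === 'forbid')) return 'deny';
  return applicable.some(s => s.effect === 'permit') ? 'allow' : 'deny';
}

// Constructed sample policies in the builder's shapes; the gateway ARN is a placeholder.
const GATEWAY = 'AgentCore::Gateway::"arn:aws:bedrock-agentcore:us-east-1:111122223333:gateway/EXAMPLE"';
const SAMPLE_POLICIES = [
  'permit(principal in Group::"Engineers", action, resource is AgentCore::Gateway);',
  `forbid(principal, action == AgentCore::Action::"Delete", resource == ${GATEWAY}) unless { context.change_ticket == true };`,
  'permit(principal, action, resource is AgentCore::Gateway) when { context.custom > 10 };',
];
function sampleRequest(action: string, groups: string[], attrs: Record<string, Literal>): Request {
  return { principal: 'AgentCore::OAuthUser::"alice"', groups, action, resource: GATEWAY, attrs };
}
for (const p of SAMPLE_POLICIES) console.log(lint(parseStatement(p)));
console.log(authorize(SAMPLE_POLICIES, sampleRequest('AgentCore::Action::"Delete"', ['Group::"Engineers"'], { 'context.change_ticket': false })));
```

The lint reproduces the validation failures the requirements above describe: a bare resource is rejected, and a specific action paired with only a resource type is rejected. The evaluator shows why the forbid-takes-precedence rule only protects you when the forbid actually applies: in the sample, a Delete request from an Engineer with context.change_ticket set to false is denied, but the same request with the attribute absent is allowed, because the unless clause errors on the missing attribute and the forbid is skipped while the Engineers permit still matches. A forbid that must hold in the absence of context should therefore not depend on a context attribute, or should test for its presence first.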
