GatewayPolicyEngineConfig

class aws_cdk.aws_bedrock_agentcore_alpha.GatewayPolicyEngineConfig(*, policy_engine, mode=None)

Bases: object

(experimental) Configuration for associating a policy engine with a gateway.

When configured, the policy engine intercepts all agent requests through this gateway and evaluates them against the defined Cedar policies.

Parameters:
  • policy_engine (IPolicyEngine) – (experimental) The policy engine to associate with this gateway.

  • mode (Optional[PolicyEngineMode]) – (experimental) The enforcement mode for the policy engine.
      - LOG_ONLY: Evaluates and logs decisions without enforcing them. Use for testing.
      - ENFORCE: Actively allows or denies requests based on Cedar policy evaluation.
    Default: PolicyEngineMode.LOG_ONLY

Stability:

experimental

ExampleMetadata:

fixture=default infused

Example:

# Create a Policy engine
policy_engine = agentcore.PolicyEngine(self, "MyPolicyEngine",
    policy_engine_name="my_policy_engine",
    description="Policy engine for access control"
)

gateway = agentcore.Gateway(self, "MyGateway",
    gateway_name="my-gateway",
    policy_engine_configuration=agentcore.GatewayPolicyEngineConfig(
        policy_engine=policy_engine
    )
)

# Add policy to policy engine
policy_engine.add_policy("AllowAllActions",
    definition=f"""
        permit(
          principal,
          action,
          resource == AgentCore::Gateway::"{gateway.gateway_arn}"
        );
      """,
    description="Allow all actions on specific gateway (development)",
    validation_mode=agentcore.PolicyValidationMode.IGNORE_ALL_FINDINGS
)

# you can add multiple policies to the policy engine
policy_engine.add_policy("SpecificToolPolicy",
    definition=f"""
        permit(
          principal is AgentCore::OAuthUser,
          action == AgentCore::Action::"WeatherTool__get_forecast",
          resource == AgentCore::Gateway::"{gateway.gateway_arn}"
        );
      """,
    description="Allow specific weather tool access",
    validation_mode=agentcore.PolicyValidationMode.FAIL_ON_ANY_FINDINGS
)
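The example above leaves `mode` at its default, so the two policies are evaluated and logged but nothing is blocked, and it stacks an unscoped `permit(principal, action, resource)` next to a narrower one. The following is an added illustration (not CDK code, and not a Cedar implementation) that models only the `permit(...)` shape used above, to show how LOG_ONLY and ENFORCE differ for the same request, and how an allow-all policy makes a narrower permit redundant because Cedar permits are combined by union. The gateway ARN, the `PermitPolicy`/`Request` classes and the `AdminTool__delete` action are constructed for the example.

```python
"""Simplified model of gateway policy evaluation under PolicyEngineMode.

Added illustration only: not part of aws_cdk.aws_bedrock_agentcore_alpha and
not a Cedar evaluator. It models the permit(principal, action, resource)
policies from the page's example and the LOG_ONLY / ENFORCE modes.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple


class PolicyEngineMode(Enum):
    LOG_ONLY = "LOG_ONLY"   # evaluate and log, never block
    ENFORCE = "ENFORCE"     # block requests that no permit matches


@dataclass(frozen=True)
class Request:
    principal_type: str   # e.g. "AgentCore::OAuthUser"
    action: str           # e.g. 'AgentCore::Action::"WeatherTool__get_forecast"'
    resource: str         # gateway ARN


@dataclass
class PermitPolicy:
    """A permit() whose None fields are unscoped, like bare `principal` / `action`."""
    name: str
    principal_type: Optional[str] = None
    action: Optional[str] = None
    resource: Optional[str] = None

    def matches(self, req: Request) -> bool:
        return (
            (self.principal_type is None or req.principal_type == self.principal_type)
            and (self.action is None or req.action == self.action)
            and (self.resource is None or req.resource == self.resource)
        )


@dataclass
class PolicyEngine:
    policies: List[PermitPolicy]
    mode: PolicyEngineMode = PolicyEngineMode.LOG_ONLY
    log: List[Tuple[str, str, List[str], str]] = field(default_factory=list)

    def evaluate(self, req: Request) -> bool:
        """Return True if the request is let through the gateway."""
        matching = [p.name for p in self.policies if p.matches(req)]
        decision = "ALLOW" if matching else "DENY"   # default-deny, permits OR'd
        self.log.append((req.action, decision, matching, self.mode.value))
        if self.mode is PolicyEngineMode.LOG_ONLY:
            return True   # decision recorded, request passes regardless
        return decision == "ALLOW"


# Constructed placeholder ARN, not a real account or gateway.
GATEWAY_ARN = "arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/EXAMPLE"

ALLOW_ALL = PermitPolicy("AllowAllActions", resource=GATEWAY_ARN)
SPECIFIC = PermitPolicy(
    "SpecificToolPolicy",
    principal_type="AgentCore::OAuthUser",
    action='AgentCore::Action::"WeatherTool__get_forecast"',
    resource=GATEWAY_ARN,
)

FORECAST = Request("AgentCore::OAuthUser",
                   'AgentCore::Action::"WeatherTool__get_forecast"', GATEWAY_ARN)
# Constructed action name that no specific policy permits.
UNLISTED = Request("AgentCore::OAuthUser",
                   'AgentCore::Action::"AdminTool__delete"', GATEWAY_ARN)


def run(policies, mode, requests):
    """Evaluate requests; return (pass/block results, decision log)."""
    engine = PolicyEngine(list(policies), mode)
    return [engine.evaluate(r) for r in requests], engine.log


if __name__ == "__main__":
    for mode in PolicyEngineMode:
        results, log = run([SPECIFIC], mode, [FORECAST, UNLISTED])
        print(mode.value, results, [entry[1] for entry in log])
    results, _ = run([ALLOW_ALL, SPECIFIC], PolicyEngineMode.ENFORCE, [UNLISTED])
    print("ENFORCE with AllowAllActions present:", results)
```

Reading the log is the point of LOG_ONLY: a `DENY` entry beside a request that still passed is the signal that the policy set is not yet ready to switch to ENFORCE. The last run shows why the page labels `AllowAllActions` as development-only: with it present, `SpecificToolPolicy` no longer restricts anything.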

Attributes

mode

(experimental) The enforcement mode for the policy engine.

  • LOG_ONLY: Evaluates and logs decisions without enforcing them. Use for testing.

  • ENFORCE: Actively allows or denies requests based on Cedar policy evaluation.

Default:

PolicyEngineMode.LOG_ONLY

Stability:

experimental

policy_engine

(experimental) The policy engine to associate with this gateway.

Stability:

experimental