IPolicyEngine

class aws_cdk.aws_bedrock_agentcore_alpha.IPolicyEngine(*args, **kwargs)

Bases: IResource, IPolicyEngineRef, IGrantable, Protocol

(experimental) Contains all properties and methods for both created and imported policy engines.

Stability:

experimental

Methods

apply_removal_policy(policy)

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

Parameters:

policy (RemovalPolicy)

Return type:

None

grant(grantee, *actions)

(experimental) Grants IAM actions to the IAM Principal.

Parameters:

  • grantee (IGrantable) –

    • The IAM principal to grant permissions to.

  • actions (str) –

    • The actions to grant.

Stability:

experimental

Return type:

Grant

grant_evaluate(grantee)

(experimental) Grants permissions to evaluate policies at runtime .

This is the primary permission needed by Gateway execution roles to evaluate authorization decisions during agent requests. Grant this to roles that need to call AuthorizeAction or PartiallyAuthorizeActions.

Parameters:

grantee (IGrantable) –

  • The IAM principal to grant evaluation permissions to.

Stability:

experimental

Return type:

Grant

grant_evaluate_for_gateway(grantee, gateway)

(experimental) Grants the full set of permissions required for a gateway execution role to use this policy engine, correctly scoped to both the policy engine and gateway ARNs.

Per the AWS docs, AuthorizeAction and PartiallyAuthorizeActions require both the policy engine ARN and the gateway ARN as resources, while GetPolicyEngine only needs the policy engine ARN.

This follows the same pattern as Lambda’s grantInvokeVersion(grantee, version).

Parameters:

  • grantee (IGrantable) –

    • The IAM principal (gateway execution role) to grant permissions to.

  • gateway (IGateway) –

    • The gateway that will use this policy engine [disable-awslint:prefer-ref-interface].

Stability:

experimental

Return type:

Grant

grant_read(grantee)

(experimental) Grants read permissions on the PolicyEngine.

This grants runtime read access to policy engine configuration. Use this for monitoring, observability, or read-only administrative roles.

Parameters:

grantee (IGrantable) –

  • The IAM principal to grant read permissions to.

Stability:

experimental

Return type:

Grant

metric(metric_name, dimensions, *, account=None, color=None, dimensions_map=None, id=None, label=None, period=None, region=None, stack_account=None, stack_region=None, statistic=None, unit=None, visible=None)

(experimental) Return the given named metric for this policy engine.

Parameters:

  • metric_name (str) – The name of the metric.

  • dimensions (Mapping[str, str]) – Additional dimensions for the metric.

  • account (Optional[str]) – Account which this metric comes from. Default: - Deployment account.

  • color (Optional[str]) – The hex color code, prefixed with ‘#’ (e.g. ‘#00ff00’), to use when this metric is rendered on a graph. The Color class has a set of standard colors that can be used here. Default: - Automatic color

  • dimensions_map (Optional[Mapping[str, str]]) – Dimensions of the metric. Default: - No dimensions.

  • id (Optional[str]) – Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID

  • label (Optional[str]) – Label for this metric when added to a Graph in a Dashboard. You can use dynamic labels to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph’s legend. Default: - No label

  • period (Optional[Duration]) – The period over which the specified statistic is applied. Default: Duration.minutes(5)

  • region (Optional[str]) – Region which this metric comes from. Default: - Deployment region.

  • stack_account (Optional[str]) – Account of the stack this metric is attached to. Default: - Deployment account.

  • stack_region (Optional[str]) – Region of the stack this metric is attached to. Default: - Deployment region.

  • statistic (Optional[str]) – What function to use for aggregating. Use the aws_cloudwatch.Stats helper class to construct valid input strings. Can be one of the following: - “Minimum” | “min” - “Maximum” | “max” - “Average” | “avg” - “Sum” | “sum” - “SampleCount | “n” - “pNN.NN” - “tmNN.NN” | “tm(NN.NN%:NN.NN%)” - “iqm” - “wmNN.NN” | “wm(NN.NN%:NN.NN%)” - “tcNN.NN” | “tc(NN.NN%:NN.NN%)” - “tsNN.NN” | “ts(NN.NN%:NN.NN%)” Default: Average

  • unit (Optional[Unit]) – Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream

  • visible (Optional[bool]) – Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true

Stability:

experimental

Return type:

Metric

metric_authorization_latency(*, account=None, color=None, dimensions_map=None, id=None, label=None, period=None, region=None, stack_account=None, stack_region=None, statistic=None, unit=None, visible=None)

(experimental) Return a metric measuring the authorization latency for this policy engine.

This metric represents the time taken to evaluate authorization policies.

Parameters:

  • account (Optional[str]) – Account which this metric comes from. Default: - Deployment account.

  • color (Optional[str]) – The hex color code, prefixed with ‘#’ (e.g. ‘#00ff00’), to use when this metric is rendered on a graph. The Color class has a set of standard colors that can be used here. Default: - Automatic color

  • dimensions_map (Optional[Mapping[str, str]]) – Dimensions of the metric. Default: - No dimensions.

  • id (Optional[str]) – Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID

  • label (Optional[str]) –

    Label for this metric when added to a Graph in a Dashboard. You can use dynamic labels to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph’s legend. Default: - No label

  • period (Optional[Duration]) – The period over which the specified statistic is applied. Default: Duration.minutes(5)

  • region (Optional[str]) – Region which this metric comes from. Default: - Deployment region.

  • stack_account (Optional[str]) – Account of the stack this metric is attached to. Default: - Deployment account.

  • stack_region (Optional[str]) – Region of the stack this metric is attached to. Default: - Deployment region.

  • statistic (Optional[str]) – What function to use for aggregating. Use the aws_cloudwatch.Stats helper class to construct valid input strings. Can be one of the following: - “Minimum” | “min” - “Maximum” | “max” - “Average” | “avg” - “Sum” | “sum” - “SampleCount | “n” - “pNN.NN” - “tmNN.NN” | “tm(NN.NN%:NN.NN%)” - “iqm” - “wmNN.NN” | “wm(NN.NN%:NN.NN%)” - “tcNN.NN” | “tc(NN.NN%:NN.NN%)” - “tsNN.NN” | “ts(NN.NN%:NN.NN%)” Default: Average

  • unit (Optional[Unit]) – Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream

  • visible (Optional[bool]) – Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true

Stability:

experimental

Return type:

Metric

metric_denied_requests(*, account=None, color=None, dimensions_map=None, id=None, label=None, period=None, region=None, stack_account=None, stack_region=None, statistic=None, unit=None, visible=None)

(experimental) Return a metric containing the number of denied authorization requests for this policy engine.

This metric tracks authorization requests that were explicitly denied by policies.

Parameters:

  • account (Optional[str]) – Account which this metric comes from. Default: - Deployment account.

  • color (Optional[str]) – The hex color code, prefixed with ‘#’ (e.g. ‘#00ff00’), to use when this metric is rendered on a graph. The Color class has a set of standard colors that can be used here. Default: - Automatic color

  • dimensions_map (Optional[Mapping[str, str]]) – Dimensions of the metric. Default: - No dimensions.

  • id (Optional[str]) – Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID

  • label (Optional[str]) –

    Label for this metric when added to a Graph in a Dashboard. You can use dynamic labels to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph’s legend. Default: - No label

  • period (Optional[Duration]) – The period over which the specified statistic is applied. Default: Duration.minutes(5)

  • region (Optional[str]) – Region which this metric comes from. Default: - Deployment region.

  • stack_account (Optional[str]) – Account of the stack this metric is attached to. Default: - Deployment account.

  • stack_region (Optional[str]) – Region of the stack this metric is attached to. Default: - Deployment region.

  • statistic (Optional[str]) – What function to use for aggregating. Use the aws_cloudwatch.Stats helper class to construct valid input strings. Can be one of the following: - “Minimum” | “min” - “Maximum” | “max” - “Average” | “avg” - “Sum” | “sum” - “SampleCount | “n” - “pNN.NN” - “tmNN.NN” | “tm(NN.NN%:NN.NN%)” - “iqm” - “wmNN.NN” | “wm(NN.NN%:NN.NN%)” - “tcNN.NN” | “tc(NN.NN%:NN.NN%)” - “tsNN.NN” | “ts(NN.NN%:NN.NN%)” Default: Average

  • unit (Optional[Unit]) – Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream

  • visible (Optional[bool]) – Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true

Stability:

experimental

Return type:

Metric

metric_errors(*, account=None, color=None, dimensions_map=None, id=None, label=None, period=None, region=None, stack_account=None, stack_region=None, statistic=None, unit=None, visible=None)

(experimental) Return a metric containing the number of errors during authorization for this policy engine.

This metric tracks errors encountered during policy evaluation.

Parameters:

  • account (Optional[str]) – Account which this metric comes from. Default: - Deployment account.

  • color (Optional[str]) – The hex color code, prefixed with ‘#’ (e.g. ‘#00ff00’), to use when this metric is rendered on a graph. The Color class has a set of standard colors that can be used here. Default: - Automatic color

  • dimensions_map (Optional[Mapping[str, str]]) – Dimensions of the metric. Default: - No dimensions.

  • id (Optional[str]) – Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID

  • label (Optional[str]) –

    Label for this metric when added to a Graph in a Dashboard. You can use dynamic labels to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph’s legend. Default: - No label

  • period (Optional[Duration]) – The period over which the specified statistic is applied. Default: Duration.minutes(5)

  • region (Optional[str]) – Region which this metric comes from. Default: - Deployment region.

  • stack_account (Optional[str]) – Account of the stack this metric is attached to. Default: - Deployment account.

  • stack_region (Optional[str]) – Region of the stack this metric is attached to. Default: - Deployment region.

  • statistic (Optional[str]) – What function to use for aggregating. Use the aws_cloudwatch.Stats helper class to construct valid input strings. Can be one of the following: - “Minimum” | “min” - “Maximum” | “max” - “Average” | “avg” - “Sum” | “sum” - “SampleCount | “n” - “pNN.NN” - “tmNN.NN” | “tm(NN.NN%:NN.NN%)” - “iqm” - “wmNN.NN” | “wm(NN.NN%:NN.NN%)” - “tcNN.NN” | “tc(NN.NN%:NN.NN%)” - “tsNN.NN” | “ts(NN.NN%:NN.NN%)” Default: Average

  • unit (Optional[Unit]) – Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream

  • visible (Optional[bool]) – Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true

Stability:

experimental

Return type:

Metric

with_(*mixins)

Applies one or more mixins to this construct.

Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited.

Parameters:

mixins (IMixin) – The mixins to apply.

Return type:

IConstruct

Returns:

This construct for chaining

Attributes

description

(experimental) The description of the policy engine.

Stability:

experimental

env

The environment this resource belongs to.

For resources that are created and managed in a Stack (those created by creating new class instances like new Role(), new Bucket(), etc.), this is always the same as the environment of the stack they belong to.

For referenced resources (those obtained from referencing methods like Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be different than the stack they were imported into.

grant_principal

The principal to grant permissions to.

kms_key

(experimental) The KMS key used for encryption.

Stability:

experimental

node

The tree node.

policy_engine_arn

(experimental) The ARN of the policy engine resource.

Stability:

experimental

Attribute:

true

policy_engine_id

(experimental) The ID of the policy engine.

Stability:

experimental

Attribute:

true

policy_engine_name

(experimental) The name of the policy engine.

Stability:

experimental

Attribute:

true

policy_engine_ref

(experimental) A reference to a PolicyEngine resource.

Stability:

experimental

stack

The stack in which this resource is defined.