PolicyEngine

class aws_cdk.aws_bedrock_agentcore_alpha.PolicyEngine(scope, id, *, description=None, kms_key=None, policy_engine_name=None, tags=None)

Bases: PolicyEngineBase

(experimental) Container that manages Cedar authorization policies associated with gateways.

PolicyEngine enables deterministic authorization control for Bedrock agents, allowing fine-grained access control to tools and actions via Cedar policy language.

See:

https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-engine.html

Stability:

experimental

Resource:

AWS::BedrockAgentCore::PolicyEngine

ExampleMetadata:

fixture=default infused

Example:

imported_engine = agentcore.PolicyEngine.from_policy_engine_attributes(self, "ImportedEngine",
    policy_engine_arn="policy-engine/my-engine-id"
)

imported_policy = agentcore.Policy.from_policy_attributes(self, "ImportedPolicy",
    policy_arn="my-policy-arn",
    policy_engine=imported_engine
)

# Grant permissions to the imported policy
role = iam.Role(self, "PolicyRole",
    assumed_by=iam.ServicePrincipal("lambda.amazonaws.com")
)

imported_policy.grant_read(role)
Parameters:

  • scope (Construct)

  • id (str)

  • description (Optional[str]) – (experimental) Optional description for the policy engine. Maximum 4,096 characters. Default: - No description

  • kms_key (Optional[IKey]) – (experimental) Custom KMS key for encryption. [disable-awslint:prefer-ref-interface] Default: - AWS owned key

  • policy_engine_name (Optional[str]) – (experimental) The name of the policy engine. Valid characters: a-z, A-Z, 0-9, _ (underscore) Must start with a letter, 1-48 characters Pattern: ^[A-Za-z][A-Za-z0-9_]*$ Default: - Auto-generated unique name

  • tags (Optional[Mapping[str, str]]) – (experimental) Tags for the policy engine. Maximum 50 tags. Default: - No tags

Stability:

experimental

Methods

add_policy(id, *, definition=None, description=None, policy_name=None, statement=None, validation_mode=None)

(experimental) Add a policy to this policy engine. Convenience method that creates a Policy construct with this engine as the parent.

Automatic Sequential Chaining: By default, policies are automatically chained sequentially to prevent concurrent creation issues with the AWS Bedrock AgentCore service. Each new policy will depend on the previous policy added to this engine.

This ensures policies are created one at a time, avoiding “Resource stabilization failed” errors that occur with concurrent policy operations.

Parameters:

  • id (str) –

    • Unique identifier for the policy construct.

  • definition (Optional[str]) – (experimental) Cedar policy statement (35-153,600 characters). You must specify either definition or statement, but not both. Default: - Must provide either definition or statement

  • description (Optional[str]) – (experimental) Optional description for the policy (max 4,096 characters). Default: - No description

  • policy_name (Optional[str]) – (experimental) The name of the policy. Valid characters: a-z, A-Z, 0-9, _ (underscore) Must start with a letter, 1-48 characters Default: - Auto-generated unique name

  • statement (Optional[PolicyStatement]) – (experimental) Type-safe Cedar policy statement built using PolicyStatement builder. Use this for a type-safe, form-like API to build Cedar policies without writing raw Cedar syntax. The builder validates at synthesis time. You must specify either definition or statement, but not both. Default: - Must provide either definition or statement

  • validation_mode (Optional[PolicyValidationMode]) – (experimental) Validation mode for the policy. Default: PolicyValidationMode.FAIL_ON_ANY_FINDINGS

Return type:

Policy

Returns:

The created Policy construct

Stability:

experimental

apply_removal_policy(policy)

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

Parameters:

policy (RemovalPolicy)

Return type:

None

grant(grantee, *actions)

(experimental) Grants IAM actions to the IAM Principal.

[disable-awslint:no-grants]

Parameters:

  • grantee (IGrantable) –

    • The IAM principal to grant permissions to.

  • actions (str) –

    • The actions to grant.

Return type:

Grant

Returns:

An IAM Grant object representing the granted permissions

Stability:

experimental

grant_evaluate(grantee)

(experimental) Grants permissions to evaluate policies at runtime (data plane operations).

This is the primary permission needed by Gateway execution roles to evaluate authorization decisions during agent requests. Grant this to roles that need to call AuthorizeAction or PartiallyAuthorizeActions at runtime.

[disable-awslint:no-grants]

Parameters:

grantee (IGrantable) –

  • The IAM principal to grant evaluation permissions to.

Return type:

Grant

Returns:

An IAM Grant object representing the granted permissions

Stability:

experimental

grant_evaluate_for_gateway(grantee, gateway)

(experimental) Grants the full set of permissions required for a gateway execution role to use this policy engine, correctly scoped to both the policy engine and gateway ARNs.

Per the AWS docs:

  • GetPolicyEngine → policy engine ARN only

  • AuthorizeAction + PartiallyAuthorizeActions → policy engine ARN and gateway ARN

[disable-awslint:no-grants]

Parameters:

  • grantee (IGrantable) –

    • The IAM principal (gateway execution role) to grant permissions to.

  • gateway (IGateway) –

    • The gateway that will use this policy engine [disable-awslint:prefer-ref-interface].

Return type:

Grant

Returns:

A combined IAM Grant representing all granted permissions

Stability:

experimental

grant_read(grantee)

(experimental) Grants read permissions on the PolicyEngine (data plane).

This grants runtime read access to policy engine configuration. Use this for monitoring, observability, or read-only administrative roles that need to inspect policy engine settings at runtime.

[disable-awslint:no-grants]

Parameters:

grantee (IGrantable) –

  • The IAM principal to grant read permissions to.

Return type:

Grant

Returns:

An IAM Grant object representing the granted permissions

Stability:

experimental

metric(metric_name, dimensions, *, account=None, color=None, dimensions_map=None, id=None, label=None, period=None, region=None, stack_account=None, stack_region=None, statistic=None, unit=None, visible=None)

(experimental) Return the given named metric for this policy engine.

By default, the metric will be calculated as a sum over a period of 5 minutes. You can customize this by using the statistic and period properties.

Parameters:

  • metric_name (str) – The name of the metric.

  • dimensions (Mapping[str, str]) – Additional dimensions for the metric.

  • account (Optional[str]) – Account which this metric comes from. Default: - Deployment account.

  • color (Optional[str]) – The hex color code, prefixed with ‘#’ (e.g. ‘#00ff00’), to use when this metric is rendered on a graph. The Color class has a set of standard colors that can be used here. Default: - Automatic color

  • dimensions_map (Optional[Mapping[str, str]]) – Dimensions of the metric. Default: - No dimensions.

  • id (Optional[str]) – Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID

  • label (Optional[str]) – Label for this metric when added to a Graph in a Dashboard. You can use dynamic labels to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph’s legend. Default: - No label

  • period (Optional[Duration]) – The period over which the specified statistic is applied. Default: Duration.minutes(5)

  • region (Optional[str]) – Region which this metric comes from. Default: - Deployment region.

  • stack_account (Optional[str]) – Account of the stack this metric is attached to. Default: - Deployment account.

  • stack_region (Optional[str]) – Region of the stack this metric is attached to. Default: - Deployment region.

  • statistic (Optional[str]) – What function to use for aggregating. Use the aws_cloudwatch.Stats helper class to construct valid input strings. Can be one of the following: - “Minimum” | “min” - “Maximum” | “max” - “Average” | “avg” - “Sum” | “sum” - “SampleCount | “n” - “pNN.NN” - “tmNN.NN” | “tm(NN.NN%:NN.NN%)” - “iqm” - “wmNN.NN” | “wm(NN.NN%:NN.NN%)” - “tcNN.NN” | “tc(NN.NN%:NN.NN%)” - “tsNN.NN” | “ts(NN.NN%:NN.NN%)” Default: Average

  • unit (Optional[Unit]) – Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream

  • visible (Optional[bool]) – Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true

Stability:

experimental

Return type:

Metric

metric_authorization_latency(*, account=None, color=None, dimensions_map=None, id=None, label=None, period=None, region=None, stack_account=None, stack_region=None, statistic=None, unit=None, visible=None)

(experimental) Return a metric measuring the authorization latency for this policy engine.

This metric represents the time taken to evaluate authorization policies.

Parameters:

  • account (Optional[str]) – Account which this metric comes from. Default: - Deployment account.

  • color (Optional[str]) – The hex color code, prefixed with ‘#’ (e.g. ‘#00ff00’), to use when this metric is rendered on a graph. The Color class has a set of standard colors that can be used here. Default: - Automatic color

  • dimensions_map (Optional[Mapping[str, str]]) – Dimensions of the metric. Default: - No dimensions.

  • id (Optional[str]) – Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID

  • label (Optional[str]) –

    Label for this metric when added to a Graph in a Dashboard. You can use dynamic labels to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph’s legend. Default: - No label

  • period (Optional[Duration]) – The period over which the specified statistic is applied. Default: Duration.minutes(5)

  • region (Optional[str]) – Region which this metric comes from. Default: - Deployment region.

  • stack_account (Optional[str]) – Account of the stack this metric is attached to. Default: - Deployment account.

  • stack_region (Optional[str]) – Region of the stack this metric is attached to. Default: - Deployment region.

  • statistic (Optional[str]) – What function to use for aggregating. Use the aws_cloudwatch.Stats helper class to construct valid input strings. Can be one of the following: - “Minimum” | “min” - “Maximum” | “max” - “Average” | “avg” - “Sum” | “sum” - “SampleCount | “n” - “pNN.NN” - “tmNN.NN” | “tm(NN.NN%:NN.NN%)” - “iqm” - “wmNN.NN” | “wm(NN.NN%:NN.NN%)” - “tcNN.NN” | “tc(NN.NN%:NN.NN%)” - “tsNN.NN” | “ts(NN.NN%:NN.NN%)” Default: Average

  • unit (Optional[Unit]) – Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream

  • visible (Optional[bool]) – Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true

Stability:

experimental

Return type:

Metric

metric_authorizations(*, account=None, color=None, dimensions_map=None, id=None, label=None, period=None, region=None, stack_account=None, stack_region=None, statistic=None, unit=None, visible=None)

(experimental) Return a metric containing the total number of authorizations for this policy engine.

This metric tracks all authorization requests processed by the policy engine.

Parameters:

  • account (Optional[str]) – Account which this metric comes from. Default: - Deployment account.

  • color (Optional[str]) – The hex color code, prefixed with ‘#’ (e.g. ‘#00ff00’), to use when this metric is rendered on a graph. The Color class has a set of standard colors that can be used here. Default: - Automatic color

  • dimensions_map (Optional[Mapping[str, str]]) – Dimensions of the metric. Default: - No dimensions.

  • id (Optional[str]) – Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID

  • label (Optional[str]) –

    Label for this metric when added to a Graph in a Dashboard. You can use dynamic labels to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph’s legend. Default: - No label

  • period (Optional[Duration]) – The period over which the specified statistic is applied. Default: Duration.minutes(5)

  • region (Optional[str]) – Region which this metric comes from. Default: - Deployment region.

  • stack_account (Optional[str]) – Account of the stack this metric is attached to. Default: - Deployment account.

  • stack_region (Optional[str]) – Region of the stack this metric is attached to. Default: - Deployment region.

  • statistic (Optional[str]) – What function to use for aggregating. Use the aws_cloudwatch.Stats helper class to construct valid input strings. Can be one of the following: - “Minimum” | “min” - “Maximum” | “max” - “Average” | “avg” - “Sum” | “sum” - “SampleCount | “n” - “pNN.NN” - “tmNN.NN” | “tm(NN.NN%:NN.NN%)” - “iqm” - “wmNN.NN” | “wm(NN.NN%:NN.NN%)” - “tcNN.NN” | “tc(NN.NN%:NN.NN%)” - “tsNN.NN” | “ts(NN.NN%:NN.NN%)” Default: Average

  • unit (Optional[Unit]) – Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream

  • visible (Optional[bool]) – Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true

Stability:

experimental

Return type:

Metric

metric_denied_requests(*, account=None, color=None, dimensions_map=None, id=None, label=None, period=None, region=None, stack_account=None, stack_region=None, statistic=None, unit=None, visible=None)

(experimental) Return a metric containing the number of denied authorization requests for this policy engine.

This metric tracks authorization requests that were explicitly denied by policies.

Parameters:

  • account (Optional[str]) – Account which this metric comes from. Default: - Deployment account.

  • color (Optional[str]) – The hex color code, prefixed with ‘#’ (e.g. ‘#00ff00’), to use when this metric is rendered on a graph. The Color class has a set of standard colors that can be used here. Default: - Automatic color

  • dimensions_map (Optional[Mapping[str, str]]) – Dimensions of the metric. Default: - No dimensions.

  • id (Optional[str]) – Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID

  • label (Optional[str]) –

    Label for this metric when added to a Graph in a Dashboard. You can use dynamic labels to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph’s legend. Default: - No label

  • period (Optional[Duration]) – The period over which the specified statistic is applied. Default: Duration.minutes(5)

  • region (Optional[str]) – Region which this metric comes from. Default: - Deployment region.

  • stack_account (Optional[str]) – Account of the stack this metric is attached to. Default: - Deployment account.

  • stack_region (Optional[str]) – Region of the stack this metric is attached to. Default: - Deployment region.

  • statistic (Optional[str]) – What function to use for aggregating. Use the aws_cloudwatch.Stats helper class to construct valid input strings. Can be one of the following: - “Minimum” | “min” - “Maximum” | “max” - “Average” | “avg” - “Sum” | “sum” - “SampleCount | “n” - “pNN.NN” - “tmNN.NN” | “tm(NN.NN%:NN.NN%)” - “iqm” - “wmNN.NN” | “wm(NN.NN%:NN.NN%)” - “tcNN.NN” | “tc(NN.NN%:NN.NN%)” - “tsNN.NN” | “ts(NN.NN%:NN.NN%)” Default: Average

  • unit (Optional[Unit]) – Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream

  • visible (Optional[bool]) – Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true

Stability:

experimental

Return type:

Metric

metric_errors(*, account=None, color=None, dimensions_map=None, id=None, label=None, period=None, region=None, stack_account=None, stack_region=None, statistic=None, unit=None, visible=None)

(experimental) Return a metric containing the number of errors during authorization for this policy engine.

This metric tracks errors encountered during policy evaluation.

Parameters:

  • account (Optional[str]) – Account which this metric comes from. Default: - Deployment account.

  • color (Optional[str]) – The hex color code, prefixed with ‘#’ (e.g. ‘#00ff00’), to use when this metric is rendered on a graph. The Color class has a set of standard colors that can be used here. Default: - Automatic color

  • dimensions_map (Optional[Mapping[str, str]]) – Dimensions of the metric. Default: - No dimensions.

  • id (Optional[str]) – Unique identifier for this metric when used in dashboard widgets. The id can be used as a variable to represent this metric in math expressions. Valid characters are letters, numbers, and underscore. The first character must be a lowercase letter. Default: - No ID

  • label (Optional[str]) –

    Label for this metric when added to a Graph in a Dashboard. You can use dynamic labels to show summary information about the entire displayed time series in the legend. For example, if you use:: [max: ${MAX}] MyMetric As the metric label, the maximum value in the visible range will be shown next to the time series name in the graph’s legend. Default: - No label

  • period (Optional[Duration]) – The period over which the specified statistic is applied. Default: Duration.minutes(5)

  • region (Optional[str]) – Region which this metric comes from. Default: - Deployment region.

  • stack_account (Optional[str]) – Account of the stack this metric is attached to. Default: - Deployment account.

  • stack_region (Optional[str]) – Region of the stack this metric is attached to. Default: - Deployment region.

  • statistic (Optional[str]) – What function to use for aggregating. Use the aws_cloudwatch.Stats helper class to construct valid input strings. Can be one of the following: - “Minimum” | “min” - “Maximum” | “max” - “Average” | “avg” - “Sum” | “sum” - “SampleCount | “n” - “pNN.NN” - “tmNN.NN” | “tm(NN.NN%:NN.NN%)” - “iqm” - “wmNN.NN” | “wm(NN.NN%:NN.NN%)” - “tcNN.NN” | “tc(NN.NN%:NN.NN%)” - “tsNN.NN” | “ts(NN.NN%:NN.NN%)” Default: Average

  • unit (Optional[Unit]) – Unit used to filter the metric stream. Only refer to datums emitted to the metric stream with the given unit and ignore all others. Only useful when datums are being emitted to the same metric stream under different units. The default is to use all matric datums in the stream, regardless of unit, which is recommended in nearly all cases. CloudWatch does not honor this property for graphs. Default: - All metric datums in the given metric stream

  • visible (Optional[bool]) – Whether this metric should be visible in dashboard graphs. Setting this to false is useful when you want to hide raw metrics that are used in math expressions, and show only the expression results. Default: true

Stability:

experimental

Return type:

Metric

to_string()

Returns a string representation of this construct.

Return type:

str

with_(*mixins)

Applies one or more mixins to this construct.

Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited. Use multiple with() calls if subsequent mixins should apply to added constructs.

Parameters:

mixins (IMixin)

Return type:

IConstruct

Attributes

PROPERTY_INJECTION_ID = '@aws-cdk.aws-bedrock-agentcore-alpha.PolicyEngine'
description

(experimental) The description of the policy engine.

Stability:

experimental

env

The environment this resource belongs to.

For resources that are created and managed in a Stack (those created by creating new class instances like new Role(), new Bucket(), etc.), this is always the same as the environment of the stack they belong to.

For referenced resources (those obtained from referencing methods like Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be different than the stack they were imported into.

grant_principal

(experimental) The principal to grant permissions to.

Stability:

experimental

kms_key

(experimental) The KMS key used to encrypt the policy engine.

Stability:

experimental

node

The tree node.

policies

(experimental) Get the list of policies added to this policy engine.

Returns an array of Policy constructs that were added using addPolicy(). This allows you to iterate over all policies associated with this engine.

Returns:

A copy of the policies array

Stability:

experimental

policy_engine_arn

(experimental) The ARN of the policy engine resource.

Stability:

experimental

Attribute:

true

policy_engine_id

(experimental) The ID of the policy engine.

Stability:

experimental

Attribute:

true

policy_engine_name

(experimental) The name of the policy engine.

[disable-awslint:attribute-tag]

Stability:

experimental

policy_engine_ref

(experimental) A reference to this PolicyEngine resource.

Stability:

experimental

stack

The stack in which this resource is defined.

tags

(experimental) Tags applied to this policy engine resource.

Default:

  • No tags applied

Stability:

experimental

Static Methods

classmethod from_policy_engine_attributes(scope, id, *, policy_engine_arn, kms_key_arn=None)

(experimental) Creates a PolicyEngine reference from an existing policy engine’s attributes.

Parameters:

  • scope (Construct) –

    • The construct scope.

  • id (str) –

    • Identifier of the construct.

  • policy_engine_arn (str) – (experimental) The ARN of the policy engine.

  • kms_key_arn (Optional[str]) – (experimental) The KMS key ARN used for encryption (optional). Default: - No KMS key

Return type:

IPolicyEngine

Returns:

An IPolicyEngine reference to the existing policy engine

Stability:

experimental

classmethod is_construct(x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Construct.

classmethod is_owned_resource(construct)

Returns true if the construct was created by CDK, and false otherwise.

Parameters:

construct (IConstruct)

Return type:

bool

classmethod is_resource(construct)

Check whether the given construct is a Resource.

Parameters:

construct (IConstruct)

Return type:

bool