PolicyProps

class aws_cdk.aws_bedrock_agentcore_alpha.PolicyProps(*, policy_engine, definition=None, description=None, policy_name=None, statement=None, validation_mode=None)

Bases: object

(experimental) Properties for creating a Policy resource.

Parameters:
  • policy_engine (IPolicyEngine) – (experimental) The policy engine this policy belongs to.

  • definition (Optional[str]) – (experimental) Cedar policy statement. The authorization policy written in Cedar policy language. Cedar supports permit and forbid rules with conditions. The statement will be wrapped in a PolicyDefinition structure internally. Pass the raw Cedar statement as a string, for example permit(principal, action, resource); or permit(principal in Group::"Admins", action == Action::"InvokeModel", resource) when { context.environment == "production" }; You must specify either definition or statement, but not both. Default: - Must provide either definition or statement

  • description (Optional[str]) – (experimental) Optional description for the policy. Maximum length of 4096. Default: - No description

  • policy_name (Optional[str]) – (experimental) The name of the policy. Valid characters: a-z, A-Z, 0-9, _ (underscore). Must start with a letter; 1-48 characters. Pattern: ^[A-Za-z][A-Za-z0-9_]*$ Default: - Auto-generated unique name

  • statement (Optional[PolicyStatement]) – (experimental) Type-safe Cedar policy statement built using PolicyStatement builder. Use this for a type-safe, form-like API to build Cedar policies without writing raw Cedar syntax. The builder validates at synthesis time. You must specify either definition or statement, but not both. Default: - Must provide either definition or statement

  • validation_mode (Optional[PolicyValidationMode]) – (experimental) Validation mode for the policy. Controls how Cedar analyzer validation findings are handled. Default: PolicyValidationMode.FAIL_ON_ANY_FINDINGS

Stability:

experimental

ExampleMetadata:

fixture=default infused

Example:

# policy_engine: agentcore.PolicyEngine


# Option 1: Using definition property
advanced_policy = agentcore.Policy(self, "AdvancedPolicy",
    policy_engine=policy_engine,
    definition="permit(principal, action, resource) when { context.custom > 10 };",
    description="Advanced policy with custom Cedar logic"
)

# Option 2: Using fromCedar() with statement property
policy_engine.add_policy("CustomPolicy",
    statement=agentcore.PolicyStatement.from_cedar("forbid(principal, action, resource) when { resource.confidential == true };"),
    description="Custom policy from Cedar string"
)

Attributes

definition

(experimental) Cedar policy statement. The authorization policy written in Cedar policy language.

Cedar supports permit and forbid rules with conditions. The statement will be wrapped in a PolicyDefinition structure internally.

Pass the raw Cedar statement as a string. For example:

  • permit(principal, action, resource);

  • permit(principal in Group::"Admins", action == Action::"InvokeModel", resource) when { context.environment == "production" };

You must specify either definition or statement, but not both.

Default:
  • Must provide either definition or statement

Stability:

experimental

description

(experimental) Optional description for the policy.

Maximum length of 4096.

Default:
  • No description

Stability:

experimental

policy_engine

(experimental) The policy engine this policy belongs to.

Stability:

experimental

policy_name

(experimental) The name of the policy.

Valid characters: a-z, A-Z, 0-9, _ (underscore). Must start with a letter; 1-48 characters. Pattern: ^[A-Za-z][A-Za-z0-9_]*$

Default:
  • Auto-generated unique name

Stability:

experimental

statement

(experimental) Type-safe Cedar policy statement built using PolicyStatement builder.

Use this for a type-safe, form-like API to build Cedar policies without writing raw Cedar syntax. The builder validates at synthesis time.

You must specify either definition or statement, but not both.

Default:
  • Must provide either definition or statement

Stability:

experimental

validation_mode

(experimental) Validation mode for the policy.

Controls how Cedar analyzer validation findings are handled.

Default:

PolicyValidationMode.FAIL_ON_ANY_FINDINGS

Stability:

experimental