PolicyStatement

class aws_cdk.aws_bedrock_agentcore_alpha.PolicyStatement(*args: Any, **kwargs)

Bases: object

(experimental) Type-safe builder for creating Cedar authorization policy statements.

This builder provides a fluent API for constructing Cedar policies without requiring knowledge of Cedar syntax. It supports:

  • Permit and forbid effects

  • Principal, action, and resource specifications

  • Conditional logic (when/unless clauses)

  • Raw Cedar for advanced cases

The builder generates valid Cedar policy statements that can be used with the Policy construct.

Stability:

experimental

Example:

from aws_cdk.aws_bedrock_agentcore_alpha import Policy, PolicyEngine, PolicyStatement
# engine: PolicyEngine


# Example 4: Raw Cedar policy
# For advanced Cedar features not supported by the builder
Policy(self, "CustomPolicy",
    policy_engine=engine,
    definition="permit(principal, action, resource) when { context.custom > 10 };"
)

# Or using fromCedar():
Policy(self, "ImportedPolicy",
    policy_engine=engine,
    statement=PolicyStatement.from_cedar("forbid(principal, action, resource) when { resource.confidential == true };")
)

Methods

for_all_principals()

(experimental) Apply to all principals (any user, service, or entity).

Generates: an unconstrained principal term in the Cedar scope

Stability:

experimental

Return type:

PolicyStatement

for_principal(entity_type, entity_id=None)

(experimental) Apply to a specific principal entity.

Generates: principal == EntityType::"entityId" in Cedar

Parameters:

  • entity_type (str) – The entity type (e.g., ‘AgentCore::OAuthUser’).

  • entity_id (Optional[str]) – Optional specific entity ID.

Stability:

experimental

Return type:

PolicyStatement

for_principal_in_group(group_type, group_id)

(experimental) Apply to principals that are members of a specific group.

Generates: principal in Group::"groupId" in Cedar

Parameters:

  • group_type (str) – The group entity type (e.g., ‘Group’).

  • group_id (str) – The group identifier (e.g., ‘Admins’, ‘Engineers’).

Stability:

experimental

Return type:

PolicyStatement

on_action(action)

(experimental) Apply to a single specific action.

Generates: action == Action::"name" in Cedar

Parameters:

action (str) – Action name (e.g., ‘AgentCore::Action::InsuranceAPI__get_policy’).

Stability:

experimental

Return type:

PolicyStatement

on_actions(actions)

(experimental) Apply to specific action(s).

Generates: action == Action::"name" or action in [Action::"name1", Action::"name2"] in Cedar

Parameters:

actions (Sequence[str]) – Array of action names (e.g., [‘AgentCore::Action::InsuranceAPI__get_policy’]).

Stability:

experimental

Return type:

PolicyStatement

on_all_actions()

(experimental) Apply to all actions (any operation).

Generates: an unconstrained action term in the Cedar scope

Stability:

experimental

Return type:

PolicyStatement

on_all_resources(entity_type=None)

(experimental) Apply to all resources of a specific type.

AWS Requirement: the AWS Bedrock AgentCore Policy service does not allow wildcard resources (a bare resource term in the scope). This method generates type-constrained resources, which are required for policy validation to succeed.

Generates: resource is EntityType in Cedar

Parameters:

entity_type (Optional[str]) – The entity type (default: ‘AgentCore::Gateway’).

Stability:

experimental

Return type:

PolicyStatement

Example:

from aws_cdk.aws_bedrock_agentcore_alpha import PolicyStatement


# Constrain to Gateway resources (default)
PolicyStatement.permit().for_all_principals().on_all_actions().on_all_resources() # → "resource is AgentCore::Gateway"

# Constrain to Runtime resources
PolicyStatement.permit().for_all_principals().on_all_actions().on_all_resources("AgentCore::Runtime")

on_resource(entity_type, entity_arn)

(experimental) Apply to a specific resource instance.

AWS Requirement: When using specific actions (e.g., action == Action::"Delete"), you must constrain the resource to a specific instance, not just a type.

Generates: resource == EntityType::"arn" in Cedar

Parameters:

  • entity_type (str) – The entity type (e.g., ‘AgentCore::Gateway’).

  • entity_arn (str) – The resource ARN or identifier.

Stability:

experimental

Return type:

PolicyStatement

Example:

from aws_cdk.aws_bedrock_agentcore_alpha import PolicyStatement
# gateway_arn: str


PolicyStatement.forbid().for_all_principals().on_action("AgentCore::Action::Delete").on_resource("AgentCore::Gateway", gateway_arn)

on_resource_type(entity_type)

(experimental) Apply to all resources of a specific type (explicit method).

AWS Requirement: Resource type constraints are required by AWS Bedrock AgentCore when using wildcard principals or actions.

Generates: resource is EntityType in Cedar

Parameters:

entity_type (str) – The entity type (e.g., ‘AgentCore::Gateway’, ‘AgentCore::Runtime’).

Stability:

experimental

Return type:

PolicyStatement

Example:

from aws_cdk.aws_bedrock_agentcore_alpha import PolicyStatement


PolicyStatement.permit().for_all_principals().on_all_actions().on_resource_type("AgentCore::Gateway")

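
The AWS Requirement notes on on_all_resources, on_resource and on_resource_type describe constraints that the service only enforces at validation time, and from_cedar defers validation to the Policy construct. The following is an added example, not code from the CDK module: a small pre-deploy lint that scans Cedar statements in the shapes this page documents and reports a bare resource term or a specific action paired with a type-only resource. The sample statements and the placeholder ARN are constructed for illustration.

```python
import re

# Constructed sample statements in the Cedar shapes this page documents (not CDK output).
SAMPLES = {
    "typed": 'permit(principal, action, resource is AgentCore::Gateway);',
    "specific": 'forbid(principal, action == AgentCore::Action::"Delete", '
                'resource == AgentCore::Gateway::"arn:aws:EXAMPLE-placeholder");',
    "wildcard": 'permit(principal, action, resource) when { context.custom > 10 };',
    "list_type_only": 'permit(principal in AgentCore::Group::"Admins", action in '
                      '[AgentCore::Action::"A", AgentCore::Action::"B"], resource is AgentCore::Gateway);',
}

SPECIFIC_ACTION = re.compile(r'^action\s*(==|in)\s*\S')  # action == X or action in [...]
SPECIFIC_RESOURCE = re.compile(r'^resource\s*==\s*\S')    # resource == Type::"id"

def split_scope(stmt: str) -> tuple[str, list[str]]:
    """Return (effect, [principal, action, resource]); commas inside quotes or lists do not split."""
    head = re.match(r'\s*(permit|forbid)\s*\(', stmt)
    if not head:
        raise ValueError("statement must start with permit( or forbid(")
    parts, buf, depth, quoted = [], [], 0, False
    for ch in stmt[head.end():]:
        if ch == '"':
            quoted = not quoted
        elif not quoted and depth == 0 and ch in ",)":
            parts.append("".join(buf).strip())  # end of one scope term
            buf = []
            if ch == ")":
                break  # scope closed; when/unless clauses are not inspected
            continue
        elif not quoted:
            depth += (ch in "([") - (ch in "])")  # track nesting of action lists
        buf.append(ch)
    else:
        raise ValueError("unterminated scope")
    return head.group(1), parts

def lint(stmt: str) -> list[str]:
    """Report violations of the AgentCore resource constraints this page documents."""
    _effect, (_principal, action, resource) = split_scope(stmt)
    problems = []
    if resource == "resource":
        problems.append("wildcard resource rejected; use resource is <Type>")
    if SPECIFIC_ACTION.match(action) and not SPECIFIC_RESOURCE.match(resource):
        problems.append("specific action needs resource == Type::\"id\", not a type")
    return problems

if __name__ == "__main__":
    for name, cedar in SAMPLES.items():
        print(name, lint(cedar) or "ok")
```

Note that the raw Cedar shown in the class example above uses the bare resource form and is reported by this check.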
to_cedar()

(experimental) Generate the Cedar policy statement string.

Converts the builder state into valid Cedar policy syntax. This is called internally by the Policy construct.

Return type:

str

Returns:

Valid Cedar policy statement

Stability:

experimental

unless()

(experimental) Add unless conditions - policy applies only if these conditions are false.

Unless conditions define negative requirements (exclusions). The policy applies when these conditions are NOT met.

Returns a ConditionBuilder that you can chain condition methods on. Call done() when finished to return to the PolicyStatement.

Stability:

experimental

Return type:

ConditionalPolicyStatement

when()

(experimental) Add when conditions - policy applies only if these conditions are true.

When conditions define positive requirements that must be met. Multiple conditions can be combined with AND/OR operators.

Returns a ConditionBuilder that you can chain condition methods on. Call done() when finished to return to the PolicyStatement.

Stability:

experimental

Return type:

ConditionalPolicyStatement

Static Methods

classmethod forbid()

(experimental) Create a forbid statement - denies the action if conditions are met.

Forbid statements deny access when their conditions evaluate to true. Forbid always takes precedence over permit (explicit deny).

Stability:

experimental

Return type:

PolicyStatement

classmethod from_cedar(cedar_statement)

(experimental) Create from raw Cedar policy statement string.

Use this for advanced Cedar features not supported by the builder, or when migrating existing Cedar policies.

Validation is deferred to the Policy construct’s validationMode setting.

Parameters:

cedar_statement (str) – Complete Cedar policy statement including effect, principal, action, resource, and conditions.

Stability:

experimental

Return type:

PolicyStatement

classmethod permit()

(experimental) Create a permit statement - allows the action if conditions are met.

Permit statements grant access when their conditions evaluate to true. Multiple permit statements can apply; any matching permit allows access.

Stability:

experimental

Return type:

PolicyStatement