AgentCore Policy support in the agentcore cli #553
Description
Description
AgentCore Policy Support in the CLI
Overview
AgentCore policies use Cedar to define authorization rules that govern what actions agents can perform against resources. Policies are organized into policy engines, which act as named containers. Each policy engine holds one or more Cedar policies and is deployed as a managed resource in Amazon Bedrock AgentCore.
This document describes the scope of policy support in agentcore-cli and how it is exposed to users.
We will expose the abilities below in Scope in the agentcore cli when Policy is released.
Scope
| Capability | If we will support |
|---|---|
| Add policy engine (CLI + TUI) | Supported |
| Add policy with inline statement | Supported |
| Add policy from Cedar file | Supported |
| Add policy via AI generation | Supported |
| Remove policy engine (CLI + TUI) | Supported |
| Remove policy (CLI + TUI) | Supported |
| Deploy policy engines and policies | Supported |
| Policy engine encryption (KMS) | Supported |
| Cross-engine policy disambiguation | Supported |
| Cascade removal (engine removes its policies) | Supported |
| Schema validation | Supported |
Acceptance Criteria
- [] create a policy engine
- [] create a policy
- [] associate a policy engine to a gateway
- [] remove a policy engine
- [] remove a policy
Additional Context
No response