BedrockAgentCoreControl / Client / list_policy_engines

list_policy_engines

BedrockAgentCoreControl.Client.list_policy_engines(**kwargs)

Retrieves a list of policy engines within the AgentCore Policy system. This operation supports pagination to help administrators discover and manage policy engines across their account. Each policy engine serves as a container for related policies.

See also: AWS API Documentation

Request Syntax

response = client.list_policy_engines(
    nextToken='string',
    maxResults=123
)
Parameters:

  • nextToken (string) – A pagination token returned from a previous ListPolicyEngines call. Use this token to retrieve the next page of results when the response is paginated.

  • maxResults (integer) – The maximum number of policy engines to return in a single response. If not specified, the default is 10 policy engines per page, with a maximum of 100 per page.

Return type:

dict

Returns:

Response Syntax

{
    'policyEngines': [
        {
            'policyEngineId': 'string',
            'name': 'string',
            'description': 'string',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'policyEngineArn': 'string',
            'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
            'statusReasons': [
                'string',
            ]
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) –

    • policyEngines (list) –

      An array of policy engine objects that exist in the account. Each policy engine object contains the engine metadata, status, and key identifiers for further operations.

      • (dict) –

        Represents a policy engine resource within the AgentCore Policy system. Policy engines serve as containers for grouping related policies and provide the execution context for policy evaluation and management. Each policy engine can be associated with one Gateway (one engine per Gateway), where it intercepts all agent tool calls and evaluates them against the contained policies before allowing tools to execute. The policy engine maintains the Cedar schema generated from the Gateway’s tool manifest, ensuring that policies are validated against the actual tools and parameters available. Policy engines support two enforcement modes that can be configured when associating with a Gateway: log-only mode for testing (evaluates decisions without blocking) and enforce mode for production (actively allows or denies based on policy evaluation).

        • policyEngineId (string) –

          The unique identifier for the policy engine. This system-generated identifier consists of the user name plus a 10-character generated suffix and serves as the primary key for policy engine operations.

        • name (string) –

          The customer-assigned immutable name for the policy engine. This human-readable identifier must be unique within the account and cannot exceed 48 characters.

        • description (string) –

          A human-readable description of the policy engine’s purpose and scope. Limited to 4,096 characters, this helps administrators understand the policy engine’s role in the overall governance strategy.

        • createdAt (datetime) –

          The timestamp when the policy engine was originally created. This is automatically set by the service and used for auditing and lifecycle management.

        • updatedAt (datetime) –

          The timestamp when the policy engine was last modified. This tracks the most recent changes to the policy engine configuration or metadata.

        • policyEngineArn (string) –

          The Amazon Resource Name (ARN) of the policy engine. This globally unique identifier can be used for cross-service references and IAM policy statements.

        • status (string) –

          The current status of the policy engine.

        • statusReasons (list) –

          Additional information about the policy engine status. This provides details about any failures or the current state of the policy engine lifecycle.

          • (string) –

    • nextToken (string) –

      A pagination token that can be used in subsequent ListPolicyEngines calls to retrieve additional results. This token is only present when there are more results available.

Exceptions

  • BedrockAgentCoreControl.Client.exceptions.AccessDeniedException

  • BedrockAgentCoreControl.Client.exceptions.ValidationException

  • BedrockAgentCoreControl.Client.exceptions.ThrottlingException

  • BedrockAgentCoreControl.Client.exceptions.InternalServerException