AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2025-08-16 · Security-related high

File: bedrock-agentcore/latest/devguide/gateway-inbound-auth.md

Summary

Added security warning about JWT token logging in CloudTrail and PII avoidance in Subject field, updated Cognito setup instructions

Security assessment

The change explicitly adds documentation about security considerations for JWT token handling, specifically warning against PII exposure in audit logs. This directly addresses potential security/privacy risks.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md
index 7bd990836..0fe631dcb 100644
--- a//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md
+++ b//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md
@@ -34 +34,7 @@ You need to specify an OAuth discovery server and client IDs/audiences when you
-Choose your preferred identity provider from the options below. For general information about setting up different identity providers, see [Identity provider setup and configuration](./identity-idps.html).
+For general information about setting up different identity providers, see [Identity provider setup and configuration](./identity-idps.html).
+
+###### Important
+
+Using Inbound Auth based on JWT tokens will result in logging of some claims of the JWT token in CloudTrail. The entry includes the [Subject](http://openid.net/specs/openid-connect-core-1_0.html#Claims) of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
+
+Choose your preferred identity provider from the options below:
@@ -39 +45 @@ Amazon Cognito EZ Auth with AgentCore SDK
-You can also set up Cognito EZ Auth with AgentCore SDK. This eliminates the complexity of OAuth setup. You only need to run the following command.
+You can also set up Cognito EZ Auth with the AgentCore Python SDK. This eliminates the complexity of OAuth setup. You only need to run the following command:
@@ -42 +48,5 @@ You can also set up Cognito EZ Auth with AgentCore SDK. This eliminates the comp
-    cognito_result = client.create_oauth_authorizer_with_cognito("my-gateway")
+    # Import SDK and set up client
+    from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient
+    client = GatewayClient()
+    
+    client.create_oauth_authorizer_with_cognito("my-gateway")
@@ -135,4 +144,0 @@ Auth0 can be used as an identity provider for Gateway Inbound Auth. Follow these
-###### Important
-
-Using Inbound Auth based on JWT tokens will result in logging of some claims of the JWT token in CloudTrail. The entry includes the [Subject](http://openid.net/specs/openid-connect-core-1_0.html#Claims) of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
-