AWS bedrock-agentcore medium security documentation change
Summary
Updated terminology from 'Inbound Auth' to 'inbound authorization' and added code example details for Cognito EZ Auth configuration. Added guidance about avoiding PII in JWT token claims logged to CloudTrail.
Security assessment
The change explicitly warns against using PII in JWT token Subject fields due to CloudTrail logging, which directly addresses data privacy and security best practices. This mitigates risks of exposing sensitive user information in logs.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md index 0fe631dcb..c2e81a9a1 100644 --- a//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md +++ b//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md @@ -11 +11 @@ Amazon Bedrock AgentCore is in preview release and is subject to change. -Before creating your Gateway, you need to set up inbound auth to validate callers attempting to access targets through your Amazon Bedrock AgentCore Gateway. +Before creating your Gateway, you need to set up inbound authorization to validate callers attempting to access targets through your Amazon Bedrock AgentCore Gateway. @@ -17 +17 @@ If you're using the AgentCore SDK, the Cognito EZ Auth can configure this automa -Inbound Auth works with OAuth authorization, where the client application must authenticate with the OAuth authorizer before using the Gateway. Your client would receive an access token which is used at runtime. +Inbound authorization works with OAuth authorization, where the client application must authenticate with the OAuth authorizer before using the Gateway. Your client would receive an access token which is used at runtime. @@ -38 +38 @@ For general information about setting up different identity providers, see [Iden -Using Inbound Auth based on JWT tokens will result in logging of some claims of the JWT token in CloudTrail. The entry includes the [Subject](http://openid.net/specs/openid-connect-core-1_0.html#Claims) of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). +Using inbound authorization based on JWT tokens will result in logging of some claims of the JWT token in CloudTrail. The entry includes the [Subject](http://openid.net/specs/openid-connect-core-1_0.html#Claims) of the provided web identity token. We recommend that you avoid using any personally identifiable information (PII) in this field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification](http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). @@ -52 +52,3 @@ You can also set up Cognito EZ Auth with the AgentCore Python SDK. This eliminat - client.create_oauth_authorizer_with_cognito("my-gateway") + # Retrieve the authorization configuration from the create response. When you create the gateway, specify it in the authorizer_config field + cognito_result = client.create_oauth_authorizer_with_cognito("my-gateway") + authorizer_configuration = cognito_result["authorizer_config"] @@ -113 +115 @@ Note the client ID and client secret from the response. - 7. Configure the Gateway Inbound Auth with the following values: + 7. Configure the Gateway Inbound authorization with the following values: @@ -186 +188 @@ Where `<your-domain>` is your Auth0 tenant domain (e.g., "dev-example.us.auth0.c - 6. Configure the Gateway Inbound Auth with the following values: + 6. Configure the Gateway Inbound authorization with the following values: