AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2025-09-19 · Documentation low

File: bedrock-agentcore/latest/devguide/observability-configure.md

Summary

Restructured observability configuration documentation by moving 'other observability platforms' section to end, updated CloudWatch Transaction Search setup instructions to use CloudWatch console/API instead of AgentCore console, and added detailed API configuration examples for trace collection

Security assessment

The changes add documentation about configuring resource-based policies (PutResourcePolicy) and service permissions for X-Ray trace collection, which are security-related configurations. However, there is no evidence this addresses an existing security vulnerability - it appears to be routine documentation improvements for observability integration options.

Diff

diff --git a/bedrock-agentcore/latest/devguide/observability-configure.md b/bedrock-agentcore/latest/devguide/observability-configure.md
index 12fb42791..e2138cc96 100644
--- a//bedrock-agentcore/latest/devguide/observability-configure.md
+++ b//bedrock-agentcore/latest/devguide/observability-configure.md
@@ -5 +5 @@
-Enabling AgentCore runtime observabilityEnabling observability in agent code for AgentCore-hosted agentsConfigure Observability for agents hosted outside of the AgentCore runtimeEnable observability for AgentCore memory, gateway, and built-in tool resourcesEnhanced AgentCore observability with custom headersObservability best practices
+Enabling AgentCore runtime observabilityEnabling observability in agent code for AgentCore-hosted agentsConfigure Observability for agents hosted outside of the AgentCore runtimeEnable observability for AgentCore memory, gateway, and built-in tool resourcesEnhanced AgentCore observability with custom headersObservability best practicesUsing other observability platforms
@@ -17,7 +16,0 @@ See the following sections to learn more about configuring your resources to vie
-You can also integrate agents hosted in the AgentCore runtime with other observability platforms to capture and view telemetry outputs. To use another observability provider, set the following environment variable:
-    
-    
-    DISABLE_ADOT_OBSERVABILITY=true
-
-Setting this variable to `true` unsets the AgentCore runtime's default ADOT environment variables, ensuring that none of the default ADOT configurations are set.
-
@@ -36 +29 @@ The following sections describe how to perform these setup actions and to enable
-If you have created a memory resource, you can enable CloudWatch transaction search from the AgentCore console Memory page. Otherwise, you must enable observability by using the CloudWatch console to enable Transaction Search.
+You can enable CloudWatch Transaction Search either by using the CloudWatch console, or by using an API through the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs.
@@ -38 +31 @@ If you have created a memory resource, you can enable CloudWatch transaction sea
-Use one of the following procedures to enable transaction search.
+Use one of the following procedures to enable Transaction Search.
@@ -40,4 +33 @@ Use one of the following procedures to enable transaction search.
-AgentCore console
-    
-
-###### Note
+CloudWatch console
@@ -45 +34,0 @@ AgentCore console
-To use this procedure, you must have already created a memory resource.
@@ -47 +36 @@ To use this procedure, you must have already created a memory resource.
-###### To enable CloudWatch Transaction Search from the AgentCore console
+###### To enable CloudWatch Transaction Search in the CloudWatch console
@@ -49 +38 @@ To use this procedure, you must have already created a memory resource.
-  1. Open the [Memory](https://console.aws.amazon.com/bedrock-agentcore/memory) page of the AgentCore console.
+  1. Open the [CloudWatch](https://console.aws.amazon.com/cloudwatch) console.
@@ -51 +40 @@ To use this procedure, you must have already created a memory resource.
-  2. Select a memory to open its summary page.
+  2. In the navigation pane, expand **Application Signals (APM)** and choose **Transaction search**.
@@ -53 +42 @@ To use this procedure, you must have already created a memory resource.
-  3. Scroll down to the **Tracing** pane and choose **Configure**. This opens the CloudWatch console.
+  3. Choose **Enable Transaction Search**.
@@ -64 +53 @@ To use this procedure, you must have already created a memory resource.
-CloudWatch console
+API
@@ -67 +56 @@ CloudWatch console
-###### To enable CloudWatch Transaction Search in the CloudWatch console
+###### To enable CloudWatch Transaction Search using an API
@@ -69 +58 @@ CloudWatch console
-  1. Open the [CloudWatch](https://console.aws.amazon.com/cloudwatch) console.
+  1. When using the AWS CLI or an AWS SDK to enable Transaction Search, first configure the necessary permissions to ingest spans in CloudWatch Logs by adding a resource-based policy with [PutResourcePolicy](https://docs.aws.amazon.com/xray/latest/api/API_PutResourcePolicy.html). 
@@ -71 +60 @@ CloudWatch console
-  2. In the navigation pane, expand **Application Signals (APM)** and choose **Transaction search**.
+The following AWS CLI command adds a resource policy that gives AWS X-Ray permissions to send traces to CloudWatch Logs.
@@ -73 +62 @@ CloudWatch console
-  3. Choose **Enable Transaction Search**.
+        aws logs put-resource-policy --policy-name MyResourcePolicy --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "TransactionSearchXRayAccess", "Effect": "Allow", "Principal": { "Service": "xray.amazonaws.com" }, "Action": "logs:PutLogEvents", "Resource": [ "arn:partition:logs:region:account-id:log-group:aws/spans:*", "arn:partition:logs:region:account-id:log-group:/aws/application-signals/data:*" ], "Condition": { "ArnLike": { "aws:SourceArn": "arn:partition:logs:region:account-id:*" }, "StringEquals": { "aws:SourceAccount": "account-id" } } } ]}'
@@ -75 +64 @@ CloudWatch console
-  4. Select the checkbox to ingest spans as structured logs.
+For clarity, the inline JSON policy in this command is shown expanded in the following example:
@@ -77 +66 @@ CloudWatch console
-  5. (Optional) Change the percentage of spans you want to be indexed as trace summaries by entering a value under **X-Ray trace indexing**. By default, 1% of spans are indexed as trace summaries for free, but you can alter the percentage to generate more trace summaries for end-to-end transaction analysis.
+****
@@ -79 +68,40 @@ CloudWatch console
-  6. Choose **Save**.
+    
+        {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "TransactionSearchXRayAccess",
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "xray.amazonaws.com"
+                },
+                "Action": "logs:PutLogEvents",
+                "Resource": [
+                    "arn:aws:logs:us-east-1:123456789012:log-group:aws/spans:*",
+                    "arn:aws:logs:us-east-1:123456789012:log-group:/aws/application-signals/data:*"
+                ],
+                "Condition": {
+                    "ArnLike": {
+                        "aws:SourceArn": "arn:aws:xray:us-east-1:123456789012:*"
+                    },
+                    "StringEquals": {
+                        "aws:SourceAccount": "123456789012"
+                    }
+                }
+            }
+        ]
+    }
+    
+    
+
+  2. Configure the destination of your trace segments using [UpdateTraceSegmentDestination](https://docs.aws.amazon.com/xray/latest/api/API_UpdateTraceSegmentDestination.html).
+
+To use the AWS CLI, run the following command.
+    
+        aws xray update-trace-segment-destination --destination CloudWatchLogs
+
+  3. (Optional) Configure your desired sampling percentage using [UpdateIndexingRule](https://docs.aws.amazon.com/xray/latest/api/API_UpdateIndexingRule.html).
+
+To use the AWS CLI, run the following command.
+    
+        aws xray update-indexing-rule --name "Default" --rule '{"Probabilistic": {"DesiredSamplingPercentage": number}}'
@@ -369,0 +398,9 @@ Consider the following best practices when implementing observability for agents
+## Using other observability platforms
+
+To integrate agents hosted in the AgentCore runtime with other observability platforms to capture and view telemetry outputs, set the following environment variable:
+    
+    
+    DISABLE_ADOT_OBSERVABILITY=true
+
+Setting this variable to `true` unsets the AgentCore runtime's default ADOT environment variables, ensuring that none of the default ADOT configurations are set.
+