AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-10-01 · Security-related medium

File: bedrock-agentcore/latest/devguide/identity-idp-cognito.md

Summary

Replaced hardcoded passwords with variables and added security warning about production usage

Security assessment

Addresses security weakness by removing default credentials ('Temp123!', 'MyPassword123!') from examples. Explicit warning against using script in production shows security awareness.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-idp-cognito.md b/bedrock-agentcore/latest/devguide/identity-idp-cognito.md
index 5778c139d..0f3a16c94 100644
--- a//bedrock-agentcore/latest/devguide/identity-idp-cognito.md
+++ b//bedrock-agentcore/latest/devguide/identity-idp-cognito.md
@@ -27,0 +28,4 @@ Create a file named `setup_cognito.sh` with the following content:
+###### Note
+
+The following script is only meant as an example. You should customize the user pool settings and user credentials as needed for your application. Do not use this script directly in production environments.
+    
@@ -45 +49 @@ Create a file named `setup_cognito.sh` with the following content:
-      --temporary-password "Temp123!" \
+      --temporary-password "${temp-password}" \
@@ -53 +57 @@ Create a file named `setup_cognito.sh` with the following content:
-      --password "MyPassword123!" \
+      --password "${permanent-user-password}" \
@@ -61 +65 @@ Create a file named `setup_cognito.sh` with the following content:
-      --auth-parameters USERNAME= 'testuser',PASSWORD= 'MyPassword123!' \
+      --auth-parameters USERNAME= 'testuser',PASSWORD= '${permanent-user-password}' \
@@ -83 +87 @@ You'll need these values in the next steps.
-This script creates a Cognito user pool, a user pool client, adds a user, and generates a bearer token for the user. The token is valid for 60 minutes by default.
+Following these steps will create a Cognito user pool, a user pool client, adds a user, and generates a bearer token for the user. The token is valid for 60 minutes by default.