AWS bedrock-agentcore documentation change
Summary
Added support for OTEL spans in observability data, expanded logging to include request/response bodies and tracing metadata
Security assessment
While the change enhances observability by exposing detailed request/response bodies and tracing capabilities, there's no evidence of addressing specific vulnerabilities. The logging of sensitive data in request bodies could introduce security risks if not properly documented, but the diff doesn't mention access controls or encryption for this data.
Diff
diff --git a/bedrock-agentcore/latest/devguide/observability-gateway-metrics.md b/bedrock-agentcore/latest/devguide/observability-gateway-metrics.md index 7303c3f7f..d90167dc2 100644 --- a//bedrock-agentcore/latest/devguide/observability-gateway-metrics.md +++ b//bedrock-agentcore/latest/devguide/observability-gateway-metrics.md @@ -5 +5 @@ -Provided metricsProvided log data +Provided metricsProvided log dataProvided spans @@ -9 +9 @@ Amazon Bedrock AgentCore is in preview release and is subject to change. -# AgentCore provided gateway metrics and logs +# AgentCore generated gateway observability data @@ -11 +11 @@ Amazon Bedrock AgentCore is in preview release and is subject to change. -The following sections describe the gateway metrics and logs output by AgentCore to Amazon CloudWatch. These metrics aren't available on the CloudWatch generative AI observability page. Gateway metrics are batched at one minute intervals. To learn more about viewing gateway metrics, see [View observability data for your Amazon Bedrock AgentCore agents](./observability-view.html). +The following sections describe the gateway metrics, logs, and spans output by AgentCore to Amazon CloudWatch. These metrics aren't available on the CloudWatch generative AI observability page. Gateway metrics are batched at one minute intervals. To learn more about viewing gateway metrics, see [View observability data for your Amazon Bedrock AgentCore agents](./observability-view.html). @@ -16,0 +17,11 @@ To enable service-provided logs for AgentCore gateways, you need to configure th +###### Topics + + * Provided metrics + + * Provided log data + + * Provided spans + + + + @@ -77,0 +89,63 @@ AgentCore logs the following information for gateway resources: +You can also see request and response bodies as part of your Vended Logs integration when any of the MCP Operations are performed on the Gateway. They can do further analysis on these logs, using the `span_id` and `trace_id` fields to connect the vended spans and logs being emitted. For more information about encrypting your gateways with customer-managed KMS keys, see [Advanced features and topics for Amazon Bedrock AgentCore Gateway](./gateway-advanced.html). + +Sample log: + + + { + "resource_arn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/<gatewayid>", + "event_timestamp": 1759370851622, + "body": { + "isError": false, + "log": "Started processing request with requestId: 1", + "requestBody": "{id=1, jsonrpc=2.0, method=tools/call, params={name=target-quick-start-f9scus___LocationTool, arguments={location=seattle}}}", + "id": "1" + }, + "account_id": "123456789012", + "request_id": "12345678-1234-1234-1234-123456789012", + "trace_id": "160fc209c3befef4857ab1007d041db0", + "span_id": "81346de89c725310" + } + + +Sample log with response body: + + + { + "resource_arn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/<gatewayid>", + "event_timestamp": 1759370853807, + "body": { + "isError": false, + "responseBody": "{jsonrpc=2.0, id=1, result={isError=false, content=[{type=text, text=\"good\"}]}}", + "log": "Successfully processed request with requestId: 2", + "id": "1" + }, + "account_id": "123456789012", + "request_id": "12345678-1234-1234-1234-123456789012", + "trace_id": "160fc209c3befef4857ab1007d041db0", + "span_id": "81346de89c725310" + } + + +## Provided spans + +AgentCore now supports OTEL compliant vended spans that you can use to track invocations across different primitives that are being used. + +Sample vended Spans for Tool Invocation: + + * `kind:SERVER` \- tracks the overall execution details, tool invoked, gateway details, AWS request ID, trace and span ID. + + * `kind:CLIENT` \- covers the specific target that was invoked and details around it like target type, target execution time, target execution start and end times, etc. + + + + +For other MCP method invocations, only the `kind:SERVER` span is emitted. + +While these spans emit metrics, to investigate why a failure occurred for a specific span, a Gateway user must check the logs that are vended. Various fields, for example, `spanId` or `aws.request.id` can help in stitching these spans and logs together. + +Operation | Span attributes | Description +---|---|--- +List Tools | aws.operation.name, aws.resource.arn, aws.request.id, aws.account.id, gateway.id, aws.xray.origin, aws.resource.type, aws.region, latency_ms, error_type, jsonrpc.error.code, http.method, http.response.status_code, gateway.name, url.path, overhead_latency_ms | List tools attached to a gateway +Call Tool | aws.operation.name, aws.resource.arn, aws.request.id, aws.account.id, gateway.id, aws.xray.origin, aws.resource.type, aws.region, latency_ms, error_type, jsonrpc.error.code, http.method, http.response.status_code, gateway.name, url.path, overhead_latency_ms, tool.name | Call a specific tool. Two spans are emmited: 1. `kind:SERVER` which tracks the overall execution details (success / not) , tool invoked, gateway details, AWS request ID, trace and span ID. 2. `kind:CLIENT` which covers the specific target that was invoked and details around it like target type, target execution time, target execution start and end times, etc. +Search Tools | aws.operation.name, aws.resource.arn, aws.request.id, aws.account.id, gateway.id, aws.xray.origin, aws.resource.type, aws.region, latency_ms, error_type, jsonrpc.error.code, http.method, http.response.status_code, gateway.name, url.path, overhead_latency_ms, tool.name | Search for ten most relevant tools given an input query +