AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2025-10-16 · Documentation low

File: bedrock-agentcore/latest/devguide/get-workload-access-token.md

Summary

Removed preview notice, reformatted security controls documentation with consistent bullet point styling

Security assessment

Formatting changes to existing security documentation about workload access tokens and API controls. No new security features added or vulnerabilities addressed - maintains existing security guidance with improved readability.

Diff

diff --git a/bedrock-agentcore/latest/devguide/get-workload-access-token.md b/bedrock-agentcore/latest/devguide/get-workload-access-token.md
index b2ada551f..66b79e4ad 100644
--- a//bedrock-agentcore/latest/devguide/get-workload-access-token.md
+++ b//bedrock-agentcore/latest/devguide/get-workload-access-token.md
@@ -7,2 +6,0 @@ What is a workload access token?How Runtime and Gateway automatically obtain tok
-Amazon Bedrock AgentCore is in preview release and is subject to change. 
-
@@ -30 +28 @@ A workload access token is an AWS-signed opaque access token that enables agents
-**Key characteristics:**
+**Key characteristics**
@@ -32 +30 @@ A workload access token is an AWS-signed opaque access token that enables agents
-  * **First-party services only:** Workload access tokens are exclusively for accessing AWS first-party AgentCore services and cannot be used for external services
+  * **First-party services only** – Workload access tokens are exclusively for accessing AWS first-party AgentCore services and cannot be used for external services
@@ -34 +32 @@ A workload access token is an AWS-signed opaque access token that enables agents
-  * **Automatic delivery:** Runtime and Gateway automatically provide these tokens to agents during execution
+  * **Automatic delivery** – Runtime and Gateway automatically provide these tokens to agents during execution
@@ -36 +34 @@ A workload access token is an AWS-signed opaque access token that enables agents
-  * **Security by design:** Runtime-managed agent identities cannot retrieve workload access tokens directly, preventing token extraction and misuse
+  * **Security by design** – Runtime-managed agent identities cannot retrieve workload access tokens directly, preventing token extraction and misuse
@@ -38 +36 @@ A workload access token is an AWS-signed opaque access token that enables agents
-  * **User and agent identity binding:** Tokens contain both user identity and agent identity information for secure credential access
+  * **User and agent identity binding** – Tokens contain both user identity and agent identity information for secure credential access
@@ -88 +86 @@ The `GetWorkloadAccessTokenForUserId` API implements several security controls t
-  * **Workload identity validation:** The API verifies that the requesting identity has permission to act on behalf of the specified workload identity
+  * **Workload identity validation** – The API verifies that the requesting identity has permission to act on behalf of the specified workload identity
@@ -90 +88 @@ The `GetWorkloadAccessTokenForUserId` API implements several security controls t
-  * **Service-managed identity restriction:** Runtime-managed and Gateway-managed workload identities cannot retrieve tokens directly. This prevents agents from extracting tokens for misuse
+  * **Service-managed identity restriction** – Runtime-managed and Gateway-managed workload identities cannot retrieve tokens directly. This prevents agents from extracting tokens for misuse
@@ -92 +90 @@ The `GetWorkloadAccessTokenForUserId` API implements several security controls t
-  * **IAM permission requirements:** Callers must have appropriate IAM permissions including `GetWorkloadAccessToken`, `GetWorkloadAccessTokenForUserId`, and `GetWorkloadAccessTokenForJWT`
+  * **IAM permission requirements** – Callers must have appropriate IAM permissions including `GetWorkloadAccessToken`, `GetWorkloadAccessTokenForUserId`, and `GetWorkloadAccessTokenForJWT`
@@ -94 +92 @@ The `GetWorkloadAccessTokenForUserId` API implements several security controls t
-  * **Token scoping:** Tokens are scoped to the specific user-agent pair, ensuring credentials stored under one user cannot be accessed by another
+  * **Token scoping** – Tokens are scoped to the specific user-agent pair, ensuring credentials stored under one user cannot be accessed by another