AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-10-16 · Security-related medium

File: bedrock-agentcore/latest/devguide/identity-idp-cognito.md

Summary

Updated Cognito integration documentation to add outbound configuration details, restructure inbound authentication guidance, and provide explicit JSON configuration examples for OAuth2

Security assessment

The changes add explicit configuration requirements for OAuth2 token validation (clientId/aud claims), client secret management, and authorization endpoints. The addition of 'Allowed clients' field and detailed credential provider configuration improves access control documentation. The security implications include proper guidance for token validation and credential management, which are critical for authentication security.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-idp-cognito.md b/bedrock-agentcore/latest/devguide/identity-idp-cognito.md
index 0f3a16c94..f09fcb0a0 100644
--- a//bedrock-agentcore/latest/devguide/identity-idp-cognito.md
+++ b//bedrock-agentcore/latest/devguide/identity-idp-cognito.md
@@ -5,3 +5 @@
-Inbound
-
-Amazon Bedrock AgentCore is in preview release and is subject to change. 
+InboundOutbound
@@ -11 +9 @@ Amazon Bedrock AgentCore is in preview release and is subject to change.
-To add Cognito as an identity provider for accessing AgentCore Gateway and Runtime, you must:
+Amazon Cognito can be configured as an identity provider for accessing AgentCore Gateway and Runtime, or an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate and authorize agent users with Cognito as the identity provider and authorization server, or your agents to obtain credentials to access resources authorized by Cognito.
@@ -13 +11 @@ To add Cognito as an identity provider for accessing AgentCore Gateway and Runti
-  * Configure discovery URL from your IDP directory. This helps AgentCore Identity get the metadata related to your OAuth authorization server and token verification keys.
+## Inbound
@@ -15 +13 @@ To add Cognito as an identity provider for accessing AgentCore Gateway and Runti
-  * Provide valid `clientId` or `aud` claims for the token. This helps validate the tokens coming from your IDP and allow access for tokens that contain expected claims.
+To add Cognito as an identity provider and authorization server for accessing AgentCore Gateway and Runtime, you must:
@@ -16,0 +15 @@ To add Cognito as an identity provider for accessing AgentCore Gateway and Runti
+  * Configure discovery URL from your IDP directory. This helps AgentCore Identity get the metadata related to your OAuth authorization server and token verification keys.
@@ -17,0 +17 @@ To add Cognito as an identity provider for accessing AgentCore Gateway and Runti
+  * Enter valid `clientId` or `aud` claims for the token. This helps validate the tokens coming from your IDP and allow access for tokens that contain expected claims.
@@ -20 +19,0 @@ To add Cognito as an identity provider for accessing AgentCore Gateway and Runti
-Amazon Cognito can be used as an identity provider for inbound authentication.
@@ -22 +20,0 @@ Amazon Cognito can be used as an identity provider for inbound authentication.
-## Inbound
@@ -24 +22 @@ Amazon Cognito can be used as an identity provider for inbound authentication.
-### To create a Cognito user pool as an inbound identity provider for user authentication with AgentCore Runtime
+Use the following procedure to create a Cognito user pool as an inbound identity provider for user authentication with AgentCore Runtime. The following steps will create a Cognito user pool, a user pool client, add a user, and generate a bearer token for the user. The token is valid for 60 minutes by default.
@@ -26 +24,3 @@ Amazon Cognito can be used as an identity provider for inbound authentication.
-Create a file named `setup_cognito.sh` with the following content:
+###### To create a Cognito user pool as an inbound identity provider for Runtime authentication
+
+  1. Create a file named `setup_cognito.sh` with the following content:
@@ -39 +38,3 @@ The following script is only meant as an example. You should customize the user
-      --region us-east-1 | jq -r '.UserPool.Id')# Create App Client and capture Client ID directly
+      --region us-east-1 | jq -r '.UserPool.Id')
+    
+    # Create App Client and capture Client ID directly
@@ -45 +46,3 @@ The following script is only meant as an example. You should customize the user
-      --region us-east-1 | jq -r '.UserPoolClient.ClientId')# Create User
+      --region us-east-1 | jq -r '.UserPoolClient.ClientId')
+    
+    # Create User
@@ -66 +69,3 @@ The following script is only meant as an example. You should customize the user
-      --region us-east-1 | jq -r '.AuthenticationResult.AccessToken')# Output the required values
+      --region us-east-1 | jq -r '.AuthenticationResult.AccessToken')
+    
+    # Output the required values
@@ -72,2 +77 @@ The following script is only meant as an example. You should customize the user
-Run the script to create the Cognito resources:
-    
+  2. Run the script to create the Cognito resources:
@@ -77,2 +81 @@ Run the script to create the Cognito resources:
-Note the output values, which will look similar to:
-    
+  3. Record the output values, which will look similar to:
@@ -87 +89,0 @@ You'll need these values in the next steps.
-Following these steps will create a Cognito user pool, a user pool client, adds a user, and generates a bearer token for the user. The token is valid for 60 minutes by default.
@@ -89 +91,5 @@ Following these steps will create a Cognito user pool, a user pool client, adds
-### To create a Cognito user pool as an inbound identity provider for machine-to-machine authentication with AgentCore Gateway
+
+
+Use the following procedure to create a Cognito user pool as an inbound identity provider for machine-to-machine authentication with AgentCore Gateway. The following steps will create a user pool, resource server, client credentials, and discovery URL configuration. This setup enables M2M authentication flows for Gateway access.
+
+###### To create a Cognito user pool as an inbound identity provider for Gateway authentication
@@ -97 +103 @@ Following these steps will create a Cognito user pool, a user pool client, adds
-  2. Note the user pool ID from the response or retrieve it using:
+  2. Record the user pool ID from the response or retrieve it using:
@@ -124 +130 @@ Following these steps will create a Cognito user pool, a user pool client, adds
-Note the client ID and client secret from the response.
+Record the client ID and client secret from the response. You'll need these values to configure the Cognito provider in AgentCore Identity.
@@ -143 +149,6 @@ Remove any underscore from the `UserPoolId` when creating the domain. For exampl
-     * **Discovery URL** : The URL constructed in the previous step
+    1. **Discovery URL** : The URL constructed in the previous step
+
+    2. **Allowed clients** : The client ID obtained when creating the user pool client
+
+
+
@@ -145 +156 @@ Remove any underscore from the `UserPoolId` when creating the domain. For exampl
-     * **Allowed clients** : The client ID obtained when creating the user pool client
+## Outbound
@@ -146,0 +158 @@ Remove any underscore from the `UserPoolId` when creating the domain. For exampl
+To configure Cognito user pools as an outbound resource provider, use the following configuration:
@@ -148,0 +161,13 @@ Remove any underscore from the `UserPoolId` when creating the domain. For exampl
+    {
+      "name": "Cognito",
+      "credentialProviderVendor": "CognitoOauth2",
+      "oauth2ProviderConfigInput" : {
+        "includedOauth2ProviderConfig": {
+          "clientId": "your-client-id",
+          "clientSecret": "your-client-secret",
+          "authorizeEndpoint": "https://{your-cognito-domain}.auth.us-east-1.amazoncognito.com/oauth2/authorize",
+          "tokenEndpoint": "https://{your-cognito-domain}.auth.us-east-1.amazoncognito.com/oauth2/token",
+          "issuer": "https://cognito-idp.us-east-1.amazonaws.com/{your-user-pool-id}"
+        }
+      }
+    }
@@ -156 +181 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Identity provider setup
+Provider setup
@@ -158 +183 @@ Identity provider setup
-Microsoft
+Auth0 by Okta