AWS Security ChangesHomeSearch

AWS bedrock-agentcore low security documentation change

Service: bedrock-agentcore · 2025-10-16 · Security-related low

File: bedrock-agentcore/latest/devguide/identity-idp-salesforce.md

Summary

Updated Salesforce OAuth2 configuration steps with clearer instructions, corrected callback URL format, and fixed documentation links

Security assessment

The callback URL template changed to use `region` instead of {region} placeholder (https://bedrock-agentcore.`region`.amazonaws.com/...), which could lead to misconfigured OAuth2 redirect URIs if not properly substituted. This impacts security by potentially breaking authentication flows or exposing callback endpoints.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-idp-salesforce.md b/bedrock-agentcore/latest/devguide/identity-idp-salesforce.md
index 083fe62e7..3444cd8f2 100644
--- a//bedrock-agentcore/latest/devguide/identity-idp-salesforce.md
+++ b//bedrock-agentcore/latest/devguide/identity-idp-salesforce.md
@@ -5,3 +5 @@
-Configuring a Salesforce OAuth2 applicationOutbound
-
-Amazon Bedrock AgentCore is in preview release and is subject to change. 
+Outbound
@@ -11 +9,3 @@ Amazon Bedrock AgentCore is in preview release and is subject to change.
-You can set up Salesforce as an outbound provider using Salesforce OAuth 2.0.
+Salesforce can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Salesforce's OAuth2 service and obtain access tokens for Salesforce API resources.
+
+## Outbound
@@ -13 +13,3 @@ You can set up Salesforce as an outbound provider using Salesforce OAuth 2.0.
-## Configuring a Salesforce OAuth2 application
+**Step 1**
+
+Use the following procedure to set up a Salesforce OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
@@ -17 +19 @@ You can set up Salesforce as an outbound provider using Salesforce OAuth 2.0.
-  1. In the developer portal for Salesforce, create a connected app and provide the name and other requested information specific to your application.
+  1. In the developer portal for Salesforce, create a connected app and enter the name and other requested information specific to your application.
@@ -21 +23 @@ You can set up Salesforce as an outbound provider using Salesforce OAuth 2.0.
-     * `https://bedrock-agentcore.{region}.amazonaws.com/identities/oauth2/callback`
+     * `https://bedrock-agentcore.`region`.amazonaws.com/identities/oauth2/callback`
@@ -38 +40 @@ You can set up Salesforce as an outbound provider using Salesforce OAuth 2.0.
-For more details, refer to Salesforce's documentation [Define an OpenID Connect Provider](https://docs.aws.amazon.com/https://help.salesforce.com/s/articleView?id=xcloud.service_provider_define_oid.htm).
+For more details, refer to Salesforce's documentation [Define an OpenID Connect Provider](https://help.salesforce.com/s/articleView?id=xcloud.service_provider_define_oid.htm).
@@ -40 +42 @@ For more details, refer to Salesforce's documentation [Define an OpenID Connect
-## Outbound
+**Step 2**
@@ -62 +64 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Google
+Reddit