AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-10-22 · Security-related medium

File: bedrock-agentcore/latest/devguide/gateway-outbound-auth.md

Summary

Added security warnings about 'No authorization' option, updated authorization matrix, and expanded API key setup instructions

Security assessment

Explicitly warning against using 'No authorization' (marked as not recommended) addresses potential misconfiguration risks. The expanded API key documentation (credential storage details, secret ARNs) and authorization matrix updates provide concrete security guidance for proper authentication setup.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-outbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-outbound-auth.md
index 43a920bcd..d7296cd80 100644
--- a//bedrock-agentcore/latest/devguide/gateway-outbound-auth.md
+++ b//bedrock-agentcore/latest/devguide/gateway-outbound-auth.md
@@ -12,0 +13,2 @@ AgentCore Gateway supports the following types of outbound authorization:
+  * **No authorization (not recommended)** – Some target types provide you the option to bypass outbound authorization. This less secure option is not recommended.
+
@@ -24,5 +26,12 @@ The type of outbound authorization that you can set up is dependent on the gatew
-Target Type | Iam Role | Oauth Client | Api Key  
----|---|---|---  
-Lambda function | Yes | No | No  
-OpenAPI schema | No | Yes | Yes  
-Smithy schema | Yes | No | No  
+Target type | No authorization | Gateway service role | OAuth client | API key  
+---|---|---|---|---  
+Lambda function | No | Yes | No | No  
+MCP server | Yes | No | Yes | No  
+OpenAPI schema | No | No | Yes | Yes  
+Smithy schema | No | Yes | No | No  
+  
+###### Note
+
+If you use an integration provider template as a target, review the supported authorization types for different templates at [Built-in templates from integration providers as targets](./gateway-target-integrations.html).
+
+Before adding a target to your gateway, you must set up authorization for it through one of the supported methods.
@@ -176 +185,5 @@ To set up outbound authorization with an API key, you use the AgentCore Identity
-  2. Set up an API key for the provider's service.
+  2. Set up an API key for the provider's service. Take note of the following values, which you'll specify when you add the gateway target:
+
+     * **Credential location** – Whether the API key should be placed in the header or as a query parameter.
+
+     * **Credential prefix** – The prefix for the credential (ex. Bearer).
@@ -184 +197,7 @@ To set up outbound authorization with an API key, you use the AgentCore Identity
-  4. Take note of the generated credential ARN (`credentialProviderArn` in the API) and the AWS Secrets Manager secret ARN (`secretArn` in the API). You'll use these values when you create your gateway target.
+  4. Take note of the following values, which you'll specify when you add the gateway target:
+
+     * **Credential provider ARN** – An Amazon Resource Name (ARN) generated for the credential provider.
+
+     * **Name** – The name you gave to the API key.
+
+     * **Secret ARN** – An AWS Secrets Manager secret ARN generated for the API key.