AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-10-25 · Security-related medium

File: bedrock-agentcore/latest/devguide/get-workload-access-token.md

Summary

Added documentation about user ID partitioning for multiple identity providers to prevent collisions

Security assessment

The change explicitly documents a security control to prevent user collisions between identity providers, which could lead to authorization bypass or privilege escalation if not properly handled. The specific guidance about using provider_id+user_id patterns directly addresses a potential security vulnerability in multi-provider environments.

Diff

diff --git a/bedrock-agentcore/latest/devguide/get-workload-access-token.md b/bedrock-agentcore/latest/devguide/get-workload-access-token.md
index 66b79e4ad..e89def8da 100644
--- a//bedrock-agentcore/latest/devguide/get-workload-access-token.md
+++ b//bedrock-agentcore/latest/devguide/get-workload-access-token.md
@@ -93,0 +94,2 @@ The `GetWorkloadAccessTokenForUserId` API implements several security controls t
+  * **User ID partitioning for multiple identity providers** – When using multiple identity providers, partition your user IDs using the pattern ``provider_id`+`user_id`` to prevent user collisions between different providers. For example, use `cognito+user123` and `auth0+user123` to distinguish users with the same identifier across different identity providers
+