AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-11-16 · Security-related medium

File: bedrock-agentcore/latest/devguide/gateway-inbound-auth.md

Summary

Clarified JWT validation requirements by specifying Client ID validation against `client_id` claim and audience validation via `aud` claim

Security assessment

The changes explicitly document security validation mechanisms for JWT tokens, specifically highlighting claim-based validation which is critical for proper authentication security. This helps prevent token misuse by ensuring proper claim verification.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md
index 232511dec..7cb216cb4 100644
--- a//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md
+++ b//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md
@@ -129 +129 @@ In the process of creating the JWT, you should record the following values that
-  * **Client ID** – The public identifier of a client application that requests a token.
+  * **Client ID** – The public identifier of a client application that requests a token, validated against the `client_id` claim.
@@ -133 +133 @@ In the process of creating the JWT, you should record the following values that
-  * **Allowed audience** – The identifier that validates the intended recipients or consumers of a token.
+  * **Allowed audience** – The identifier that validates the intended recipients or consumers of a token via the `aud` claim.