AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2025-11-22 · Security-related high

File: bedrock-agentcore/latest/devguide/gateway-create-api.md

Summary

Added two new sections: 1) Creating a gateway with NONE authorizer (no authentication/authorization) with examples across multiple tools 2) Creating gateways with interceptor configurations for request processing

Security assessment

The NONE authorizer documentation explicitly states it disables all authentication/authorization, creating an inherent security risk by allowing unauthenticated access. The change includes a security warning about this configuration but introduces a high-risk option. The interceptor section enables custom request processing which could impact security validation mechanisms.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-create-api.md b/bedrock-agentcore/latest/devguide/gateway-create-api.md
index f4c359f3f..e1753e5d6 100644
--- a//bedrock-agentcore/latest/devguide/gateway-create-api.md
+++ b//bedrock-agentcore/latest/devguide/gateway-create-api.md
@@ -5 +5 @@
-Create a gateway: basic example (Custom JWT authorization)Create a gateway: basic example (IAM authorization)Create a gateway with semantic searchCreate a gateway with debugging messages
+Create a gateway: basic example (Custom JWT authorization)Create a gateway: basic example (IAM authorization)Create a gateway: basic example (NONE authorizer)Create a gateway with semantic searchCreate a gateway with debugging messagesCreate a gateway with interceptor configurations
@@ -18,0 +19,2 @@ To see examples of how to create a gateway, expand the section that corresponds
+  * Create a gateway: basic example (NONE authorizer)
+
@@ -22,0 +25,2 @@ To see examples of how to create a gateway, expand the section that corresponds
+  * Create a gateway with interceptor configurations
+
@@ -232,0 +237,90 @@ Boto3
+## Create a gateway: basic example (NONE authorizer)
+
+This section provides basic examples of creating a gateway with a NONE authorizer type. This represents a gateway that will not perform authentication or authorization for any incoming requests.
+
+###### Note
+
+  * The NONE authorizer type represents a gateway that will not perform authentication or authorization for any incoming requests. See [inbound authorization](./gateway-inbound-auth.html) for security concerns and details around using this configuration.
+
+  * If you choose an option that involves specifying an overt gateway service role ARN, ensure that you specify an existing one that you've set up. For more information, see [AgentCore Gateway service role permissions](./gateway-prerequisites-permissions.html#gateway-service-role-permissions).
+
+
+
+
+Select one of the following methods:
+
+AgentCore starter toolkit (CLI)
+    
+
+The AgentCore starter toolkit CLI provides a simple way to create a gateway with NONE authorizer type in a command line interface.
+
+The following command shows how to create a gateway with NONE authorizer type:
+    
+    
+    agentcore create_mcp_gateway \
+      --region us-west-2 \
+      --name my-gateway \
+      --role-arn arn:aws:iam::123456789012:role/my-gateway-service-role \
+      --authorizer-type NONE \
+      --enable_semantic_search
+
+The `gatewayUrl` in the response is the endpoint to use when you invoke the gateway.
+
+AgentCore starter toolkit (Python)
+    
+
+The AgentCore starter toolkit helps you easily create a gateway with NONE authorizer type. First, you initialize a client and then you use the `create_mcp_gateway` method of the client.
+
+The following example code shows how to create a gateway with NONE authorizer type:
+    
+    
+    from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient
+    
+    # Initialize the Gateway client
+    client = GatewayClient(region_name="us-west-2")
+    
+    # Create the gateway with NONE authorizer type
+    gateway = client.create_mcp_gateway(
+      name="my-gateway",
+      role_arn="arn:aws:iam::123456789012:role/my-gateway-service-role",
+      authorizer_type="NONE",
+      enable_semantic_search=False
+    )
+    
+    print(f"MCP Endpoint: {gateway['gatewayUrl']}")
+
+AWS CLI
+    
+
+Run the following code in a terminal to create a gateway with NONE authorizer type using the AWS CLI:
+    
+    
+    aws bedrock-agentcore-control create-gateway \
+      --name my-gateway \
+      --role-arn arn:aws:iam::123456789012:role/my-gateway-service-role \
+      --protocol-type MCP \
+      --authorizer-type NONE
+
+The `gatewayUrl` in the response is the endpoint to use when you invoke the gateway.
+
+AWS Python SDK (Boto3)
+    
+
+The following Python code shows how to create a gateway with NONE authorizer type using the AWS Python SDK (Boto3):
+    
+    
+    import boto3
+    
+    # Initialize the AgentCore client
+    client = boto3.client('bedrock-agentcore-control')
+    
+    # Create a gateway
+    gateway = client.create_gateway(
+      name="my-gateway",
+      roleArn="arn:aws:iam::123456789012:role/my-gateway-service-role",
+      protocolType="MCP",
+      authorizerType="NONE"
+    )
+              
+    print(f"MCP Endpoint: {gateway['gatewayUrl']}")
+
@@ -379,0 +474,144 @@ The following Python code shows how to create a basic gateway with the AWS Pytho
+## Create a gateway with interceptor configurations
+
+This section provides examples of creating a gateway that has interceptors configured. Interceptors will be invoked at runtime of the gateway for each request.
+
+###### Note
+
+  * Interceptors will be invoked at runtime of the gateway for each request.
+
+  * If you choose an option that involves specifying an overt gateway service role ARN, ensure that you specify an existing one that you've set up. For more information, see [AgentCore Gateway service role permissions](./gateway-prerequisites-permissions.html#gateway-service-role-permissions).
+
+
+
+
+Select one of the following methods:
+
+AgentCore starter toolkit (CLI)
+    
+
+The AgentCore starter toolkit CLI provides a simple way to create a gateway with interceptor configurations in a command line interface.
+
+The following command shows how to create a gateway with interceptor configurations:
+    
+    
+    agentcore create_mcp_gateway \
+      --region us-west-2 \
+      --name my-gateway \
+      --role-arn arn:aws:iam::123456789012:role/my-gateway-service-role \
+      --authorizer-config '{
+          "customJWTAuthorizer": {
+            "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/some-user-pool/.well-known/openid-configuration",
+            "allowedClients": ["clientId"]
+          }
+        }' \
+      --interceptor-configurations '[{
+          "interceptor": {
+              "lambda": {
+                "arn":"arn:aws:lambda:us-west-2:123456789012:function:my-interceptor-lambda"
+              }
+          },
+          "interceptionPoints": ["REQUEST"]
+      }]' \
+      --enable_semantic_search
+
+The `gatewayUrl` in the response is the endpoint to use when you invoke the gateway.
+
+AgentCore starter toolkit (Python)
+    
+
+The AgentCore starter toolkit helps you easily create a gateway with interceptor configurations. First, you initialize a client and then you use the `create_mcp_gateway` method of the client.
+
+The following example code shows how to create a gateway with interceptor configurations:
+    
+    
+    from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient
+    
+    # Initialize the Gateway client
+    client = GatewayClient(region_name="us-west-2")
+    
+    # Create the gateway with interceptor configurations
+    gateway = client.create_mcp_gateway(
+      name="my-gateway",
+      role_arn="arn:aws:iam::123456789012:role/my-gateway-service-role",
+      authorizer_config={
+        "customJWTAuthorizer": {
+          "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/some-user-pool/.well-known/openid-configuration",
+          "allowedClients": ["clientId"]
+        }
+      },
+      interceptor_configurations=[{
+          "interceptor": {
+              "lambda": {
+                "arn":"arn:aws:lambda:us-west-2:123456789012:function:my-interceptor-lambda"
+              }
+          },
+          "interceptionPoints": ["REQUEST"]
+      }],
+      enable_semantic_search=False
+    )
+    
+    print(f"MCP Endpoint: {gateway['gatewayUrl']}")
+
+AWS CLI
+    
+
+Run the following code in a terminal to create a gateway with interceptor configurations using the AWS CLI:
+    
+    
+    aws bedrock-agentcore-control create-gateway \
+      --name my-gateway \
+      --role-arn arn:aws:iam::123456789012:role/my-gateway-service-role \
+      --protocol-type MCP \
+      --authorizer-type CUSTOM_JWT \
+      --authorizer-configuration '{
+        "customJWTAuthorizer": {
+          "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/some-user-pool/.well-known/openid-configuration",