AWS bedrock-agentcore high security documentation change
Summary
Added 'No Authorization' option with security warnings and best practices
Security assessment
The change introduces documentation about unauthenticated access (authorizerType=NONE) with explicit warnings about security risks. It adds security best practices to mitigate risks of public exposure, making this a security-related documentation update.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md index 7cb216cb4..c1bb537ff 100644 --- a//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md +++ b//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md @@ -5 +5 @@ -IAM-based inbound authorizationJSON Web Token (JWT)-based inbound authorization +IAM-based inbound authorizationJSON Web Token (JWT)-based inbound authorizationNo Authorization @@ -14,0 +15 @@ Before you create your gateway, you must set up inbound authorization. Inbound a + * **No Authorization** – The gateway will not perform any inbound authorization. This makes your gateway accessible to all users to be invoked. @@ -17,0 +19,5 @@ Before you create your gateway, you must set up inbound authorization. Inbound a + +###### Important + +Do not use No Authorization gateways for testing or development purposes. No Authorization gateways should only be used for production gateways that you intend to make public after you have implemented all the security best practices listed later on in this page. + @@ -29,0 +36,2 @@ If you don't plan to use the default authorization configuration using Amazon Co + * No Authorization + @@ -146,0 +155,19 @@ You'll need these values to do the following: +## No Authorization + +You can create a gateway that is configured with no authorization by using `authorizerType=NONE`. The gateway will not perform any authorization on the incoming gateway request and the request can be unauthenticated. + +###### Important + +Do not use No Authorization gateways for testing or development purposes. No Authorization gateways should only be used for production gateways that you intend to make public after you have implemented all the security best practices listed below. + +###### Security Best Practices + + 1. Use the `bedrock-agentcore:GatewayAuthorizerType` condition key to selectively allow/deny access within your organization for creating gateways with `authorizerType=NONE` + + 2. Do not use No Authorization gateways out of convenience for testing. They should be used for gateways you intend to make public but have implemented your own custom throttling rules and checks to ensure your public gateway can handle unauthenticated users + + 3. Do not use No Authorization gateways with targets that may respond with sensitive information. Although targets are configured with their own authorization configurations, it is best to add another security layer on the gateway. + + + +