AWS bedrock-agentcore high security documentation change
Summary
Added security-focused steps including callback URL configuration, password complexity improvement, and session binding documentation
Security assessment
Changes include: 1) Mandating callback URL registration to prevent unauthorized redirects, 2) Enhanced password generation with additional numeric character for better complexity, 3) Explicit documentation about session binding flow security requirements. These changes directly address authentication security best practices and potential misconfiguration risks.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-getting-started-cognito.md b/bedrock-agentcore/latest/devguide/identity-getting-started-cognito.md index 484238b4a..f846555ef 100644 --- a//bedrock-agentcore/latest/devguide/identity-getting-started-cognito.md +++ b//bedrock-agentcore/latest/devguide/identity-getting-started-cognito.md @@ -5 +5 @@ -PrerequisitesStep 1: Create a Cognito user pool (Optional)Step 2: Create a credential providerStep 3: Create a sample agent that initiates an OAuth 2.0 flowStep 4: Deploy the agent to AgentCore RuntimeStep 5: Invoke the agentClean upSecurity best practices +PrerequisitesStep 1: Create a Cognito user pool (Optional)Step 2: Create a credential providerStep 2.5: Add the callback URL to your OAuth 2.0 authorization serverStep 3: Create a sample agent that initiates an OAuth 2.0 flowStep 4: Deploy the agent to AgentCore RuntimeStep 5: Invoke the agentClean upSecurity best practices @@ -20,0 +21,2 @@ By the end of this tutorial, you'll have a fully deployed agent that can authent + * Step 2.5: Add the callback URL to your OAuth 2.0 authorization server + @@ -42 +44 @@ Before you begin, ensure you have: - * The latest AWS CLI installed + * The latest AWS CLI and `jq` installed @@ -112 +113,0 @@ You may choose to save this script as create_cognito.sh and execute it from your - --callback-urls "https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback" \ @@ -125 +126 @@ You may choose to save this script as create_cognito.sh and execute it from your - PASSWORD="$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+-=[]{}|;:,.<>?' < /dev/urandom | head -c 16)" + PASSWORD="$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+-=[]{}|;:,.<>?' < /dev/urandom | head -c 16)$(LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c 1)" @@ -175 +176 @@ This credential provider will be used by your agent's code to get access tokens - aws bedrock-agentcore-control create-oauth2-credential-provider \ + OAUTH2_CREDENTIAL_PROVIDER_RESPONSE=$(aws bedrock-agentcore-control create-oauth2-credential-provider \ @@ -178 +178,0 @@ This credential provider will be used by your agent's code to get access tokens - --no-cli-pager \ @@ -187 +187,24 @@ This credential provider will be used by your agent's code to get access tokens - }' + }' \ + --output json) + + OAUTH2_CALLBACK_URL=$(echo $OAUTH2_CREDENTIAL_PROVIDER_RESPONSE | jq -r '.callbackUrl') + + echo "OAuth2 Callback URL: $OAUTH2_CALLBACK_URL" + +## Step 2.5: Add the callback URL to your OAuth 2.0 authorization server + +To prevent unauthorized redirects, add the callback URL retrieved from [ CreateOauth2CredentialProvider](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateOauth2CredentialProvider.html) or [ GetOauth2CredentialProvider](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_GetOauth2CredentialProvider.html) to your OAuth 2.0 authorization server. + +If you are using the previous script to create an authorization server with Cognito, copy the EXPORT statements from the output into your terminal to set the environment variables and update the Cognito user pool client with the OAuth2 credential provider callback URL. + + + #!/bin/bash + aws cognito-idp update-user-pool-client \ + --user-pool-id $USER_POOL_ID \ + --client-id $CLIENT_ID \ + --client-name AgentCoreQuickStart \ + --allowed-o-auth-flows "code" \ + --allowed-o-auth-scopes "openid" "profile" "email" \ + --allowed-o-auth-flows-user-pool-client \ + --supported-identity-providers "COGNITO" \ + --callback-urls "$OAUTH2_CALLBACK_URL" @@ -253 +276,2 @@ Create a file named `agentcoreidentityquickstart.py`, and save this code. - force_authentication=True + force_authentication=True, + callback_url='insert_oauth2_callback_url_for_session_binding', @@ -360 +384 @@ Enter the username and password for your user on your authorization server when -Your browser should redirect you to the AgentCore Identity Success Page, and you should have a success message in your terminal. +Your browser should redirect to your configured OAuth2 callback URL, which handles the [ session binding flow](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/oauth2-authorization-url-session-binding.html). Ensure your OAuth2 callback server provides clear success and error responses to indicate the authorization status.