AWS Security ChangesHomeSearch

AWS solutions medium security documentation change

Service: solutions · 2025-11-22 · Security-related medium

File: solutions/latest/distributed-load-testing-on-aws/security-1.md

Summary

Added API Gateway security details and MCP Server security section describing authentication and access controls

Security assessment

The API Gateway section addresses TLS version requirements (1.0 vs 1.2/1.3) which has security implications for encryption. The MCP Server section documents security controls including Cognito authentication and read-only access patterns, directly describing security features.

Diff

diff --git a/solutions/latest/distributed-load-testing-on-aws/security-1.md b/solutions/latest/distributed-load-testing-on-aws/security-1.md
index cfaf43b19..1fc265f73 100644
--- a//solutions/latest/distributed-load-testing-on-aws/security-1.md
+++ b//solutions/latest/distributed-load-testing-on-aws/security-1.md
@@ -5 +5 @@
-IAM rolesAmazon CloudFrontAWS Fargate security groupNetwork stress testRestricting access to the public user interface
+IAM rolesAmazon CloudFrontAmazon API GatewayAWS Fargate security groupNetwork stress testRestricting access to the public user interfaceMCP Server security (Optional)
@@ -22,0 +23,6 @@ This solution uses the default CloudFront certificate, which has a minimum suppo
+## Amazon API Gateway
+
+This solution deploys edge-optimized Amazon API Gateway endpoints to provide RESTful APIs for the load testing functionality using the default API Gateway endpoint rather than a custom domain. For edge-optimized APIs using the default endpoint, API Gateway uses the TLS-1-0 security policy. For more information, refer to [Working with REST APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api.html) in the _Amazon API Gateway Developer Guide_.
+
+This solution uses the default API Gateway certificate, which has a minimum supported security protocol of TLS v1.0. To enforce the use of TLS v1.2 or TLS v1.3, you must use a custom domain with a custom SSL certificate instead of the default API Gateway certificate. For more information, refer to [Setting up custom domain names for REST APIs](https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-custom-domains.html).
+
@@ -38,0 +45,4 @@ This solution automatically deploys a set of AWS WAF rules that filter common we
+## MCP Server security (Optional)
+
+If you deploy the optional MCP Server integration, the solution uses AWS AgentCore Gateway to provide secure access to load testing data for AI agents. AgentCore Gateway validates Amazon Cognito authentication tokens for each request, ensuring that only authorized users can access the MCP Server. The MCP Server Lambda function implements read-only access patterns, preventing AI agents from modifying test configurations or results. All MCP Server interactions use the same permission boundaries and access controls as the web console.
+