AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2025-12-07 · Documentation medium

File: bedrock-agentcore/latest/devguide/runtime-oauth.md

Summary

Enhanced JWT configuration documentation with allowed scopes and required custom claims validation details

Security assessment

Adds documentation about security controls (scope validation and custom claims checks) for JWT token handling, improving security documentation but not addressing a specific vulnerability.

Diff

diff --git a/bedrock-agentcore/latest/devguide/runtime-oauth.md b/bedrock-agentcore/latest/devguide/runtime-oauth.md
index 11d0119af..9af2579c1 100644
--- a//bedrock-agentcore/latest/devguide/runtime-oauth.md
+++ b//bedrock-agentcore/latest/devguide/runtime-oauth.md
@@ -43 +43 @@ You can configure your agent runtime to accept JWT bearer tokens by providing au
-This configuration requires:
+This configuration includes:
@@ -50,0 +51,4 @@ This configuration requires:
+  * Allowed scopes - A list of permitted scopes that will be validated against the scope claim in the JWT token. The `allowedScopes` authorization field will be configured as a list of strings.
+
+  * Required custom claims - A list of required claims that will be validated against the claim name and value contained in the incoming JWT token. For details on configuring the authorizer, see [Configure inbound JWT authorizer](./inbound-jwt-authorizer.html)
+