AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-02-13 · Documentation low

File: cli/latest/reference/bedrock-agentcore/start-browser-session.md

Summary

Added proxy configuration option for routing browser traffic through customer-managed proxies with domain-based routing and HTTP Basic authentication via AWS Secrets Manager

Security assessment

The change introduces new documentation for proxy configuration capabilities, including authentication via Secrets Manager and domain-based routing rules. This adds security documentation about secure proxy management and credential handling, but there's no evidence of fixing an existing security vulnerability.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore/start-browser-session.md b/cli/latest/reference/bedrock-agentcore/start-browser-session.md
index a0f691e9f..38554339c 100644
--- a//cli/latest/reference/bedrock-agentcore/start-browser-session.md
+++ b//cli/latest/reference/bedrock-agentcore/start-browser-session.md
@@ -15 +15 @@
-  * [AWS CLI 2.33.18 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.21 Command Reference](../../index.html) »
@@ -85,0 +86 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc
+    [--proxy-configuration <value>]
@@ -311,0 +313,143 @@ JSON Syntax:
+`--proxy-configuration` (structure)
+
+> Optional proxy configuration for routing browser traffic through customer-specified proxy servers. When provided, enables HTTP Basic authentication via Amazon Web Services Secrets Manager and domain-based routing rules. Requires `secretsmanager:GetSecretValue` IAM permission for the specified secret ARNs.
+> 
+> proxies -> (list) [required]
+>
+>> An array of 1-5 proxy server configurations for domain-based routing. Each proxy can specify which domains it handles via `domainPatterns` , enabling flexible routing of different traffic through different proxies based on destination domain.
+>> 
+>> Constraints:
+>> 
+>>   * min: `1`
+>>   * max: `5`
+>> 
+
+>> 
+>> (tagged union structure)
+>>
+>>> Union type representing different proxy configurations. Currently supports external customer-managed proxies.
+>>> 
+>>> ### Note
+>>> 
+>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `externalProxy`.
+>>> 
+>>> externalProxy -> (structure)
+>>>
+>>>> Configuration for an external customer-managed proxy server.
+>>>> 
+>>>> server -> (string) [required]
+>>>>
+>>>>> The hostname of the proxy server. Must be a valid DNS hostname (maximum 253 characters).
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `253`
+>>>>>   * pattern: `[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*`
+>>>>> 
+
+>>>> 
+>>>> port -> (integer) [required]
+>>>>
+>>>>> The port number of the proxy server. Valid range: 1-65535.
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `65535`
+>>>>> 
+
+>>>> 
+>>>> domainPatterns -> (list)
+>>>>
+>>>>> Optional array of domain patterns that should route through this specific proxy. Supports `.example.com` for subdomain matching (matches any subdomain of example.com) or `example.com` for exact domain matching. If omitted, this proxy acts as a catch-all for domains not matched by other proxies. Maximum 100 patterns per proxy, each up to 253 characters.
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `100`
+>>>>> 
+
+>>>>> 
+>>>>> (string)
+>>>>>
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `1`
+>>>>>>   * max: `253`
+>>>>>>   * pattern: `(\.)?[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*`
+>>>>>> 
+
+>>>> 
+>>>> credentials -> (tagged union structure)
+>>>>
+>>>>> Optional authentication credentials for the proxy server. If omitted, the proxy is accessed without authentication (useful for IP-allowlisted proxies).
+>>>>> 
+>>>>> ### Note
+>>>>> 
+>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `basicAuth`.
+>>>>> 
+>>>>> basicAuth -> (structure)
+>>>>>
+>>>>>> HTTP Basic Authentication credentials (username and password) stored in Amazon Web Services Secrets Manager.
+>>>>>> 
+>>>>>> secretArn -> (string) [required]
+>>>>>>
+>>>>>>> The Amazon Resource Name (ARN) of the Amazon Web Services Secrets Manager secret containing proxy credentials. The secret must be a JSON object with `username` and `password` string fields that meet validation requirements. The caller must have `secretsmanager:GetSecretValue` permission for this ARN. Example secret format: `{"username": "proxy_user", "password": "secure_password"}`
+>>>>>>> 
+>>>>>>> Constraints:
+>>>>>>> 
+>>>>>>>   * pattern: `arn:aws:secretsmanager:[a-z0-9-]+:[0-9]{12}:secret:[a-zA-Z0-9/_+=.@-]+`
+>>>>>>> 
+
+> 
+> bypass -> (structure)
+>
+>> Optional configuration for domains that should bypass all proxies and connect directly to their destination, like the internet. Takes precedence over all proxy routing rules.
+>> 
+>> domainPatterns -> (list)
+>>
+>>> Array of domain patterns that should bypass the proxy. Supports `.amazonaws.com` for subdomain matching or `amazonaws.com` for exact domain matching. Requests to these domains connect directly without using any proxy. Maximum 253 characters per pattern.
+>>> 
+>>> Constraints:
+>>> 
+>>>   * min: `1`
+>>>   * max: `100`
+>>> 
+
+>>> 
+>>> (string)
+>>>
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `253`
+>>>>   * pattern: `(\.)?[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9\-]{0,61}[a-zA-Z0-9])?)*`
+>>>> 
+
+
+JSON Syntax:
+    
+    
+    {
+      "proxies": [
+        {
+          "externalProxy": {
+            "server": "string",
+            "port": integer,
+            "domainPatterns": ["string", ...],
+            "credentials": {
+              "basicAuth": {
+                "secretArn": "string"
+              }
+            }
+          }
+        }
+        ...
+      ],
+      "bypass": {
+        "domainPatterns": ["string", ...]
+      }
+    }
+    
+
@@ -496 +640 @@ streams -> (structure)
-  * [AWS CLI 2.33.18 Command Reference](../../index.html) »
+  * [AWS CLI 2.33.21 Command Reference](../../index.html) »