AWS bedrock-agentcore medium security documentation change
Summary
Added new section 'Troubleshooting Root Certificate Authority issues' with error resolution table, updated table of contents, and fixed broken links
Security assessment
This change adds comprehensive documentation about Root Certificate Authority (CA) configuration and troubleshooting for Amazon Bedrock AgentCore Browser. The documentation addresses security-related certificate management including: certificate format validation, expiration checks, access permissions (secretsmanager:GetSecretValue), certificate validity periods, and maximum certificate limits. This directly relates to TLS/SSL security implementation and certificate-based authentication security features.
Diff
diff --git a/bedrock-agentcore/latest/devguide/browser-tool-troubleshooting.md b/bedrock-agentcore/latest/devguide/browser-tool-troubleshooting.md index fea42836d..58cc67768 100644 --- a//bedrock-agentcore/latest/devguide/browser-tool-troubleshooting.md +++ b//bedrock-agentcore/latest/devguide/browser-tool-troubleshooting.md @@ -5 +5 @@ -Permission denied errorsModel access deniedBrowser session timeoutRecording not appearing in Amazon S3Playwright connection errorsAgent cannot make progress due to CAPTCHA checksCORS errors when integrating with browser applicationsSession Replay and Web Bot Auth don't work in new browser windows or contextsBrowser extensions issuesBrowser profile issuesTroubleshooting browser proxies +Permission denied errorsModel access deniedBrowser session timeoutRecording not appearing in Amazon S3Playwright connection errorsAgent cannot make progress due to CAPTCHA checksCORS errors when integrating with browser applicationsSession Replay and Web Bot Auth don't work in new browser windows or contextsBrowser extensions issuesBrowser profile issuesTroubleshooting Root Certificate Authority issuesTroubleshooting browser proxies @@ -257,0 +258,15 @@ Cookie expiration times are set by websites and cannot be modified by browser pr +## Troubleshooting Root Certificate Authority issues + +The following table describes common errors and their resolutions when configuring root CA certificates for Amazon Bedrock AgentCore Browser. + +Certificate configuration errors Error | Cause | Resolution +---|---|--- +Certificate secret not found in Secrets Manager | The secret ARN does not exist or the secret has been deleted. | Verify the secret ARN is correct and the secret exists in the specified Region. +Access denied to certificate secret in Secrets Manager | The caller does not have `secretsmanager:GetSecretValue` permission on the secret. | Add the `secretsmanager:GetSecretValue` permission to your IAM policy for the specified secret ARN. +Certificate content is not valid PEM/X.509 format | The secret value is not a valid PEM-encoded X.509 certificate. | Ensure the secret contains a properly formatted PEM certificate starting with `-----BEGIN CERTIFICATE-----` and ending with `-----END CERTIFICATE-----`. +Certificate has expired | The certificate's `notAfter` date is in the past. | Replace the expired certificate with a valid one in AWS Secrets Manager and retry. +Certificate is not yet valid | The certificate's `notBefore` date is in the future. | Wait until the certificate's validity period begins, or use a certificate that is currently valid. +Number of certificates exceeds the maximum allowed | More than 10 certificates were provided at the session level or tool level. | Reduce the number of certificates to 10 or fewer per session and 10 or fewer per tool. +Certificate location is required | A certificate entry was provided without a location. | Ensure each certificate in the array includes a `location` with a `secretsManager` entry containing a valid `secretArn`. +Certificates configuration is not enabled | The certificates feature is not enabled for your account. | Contact AWS Support to enable the certificates feature for your account. + @@ -270 +285 @@ Cookie expiration times are set by websites and cannot be modified by browser pr - * `Invalid proxy credentials secret configuration (check encryption key for cross-account access)` – The secret exists but cannot be accessed. Ensure the calling identity has `secretsmanager:GetSecretValue` permission. For cross-account secrets, see [](./.html#browser-proxies-cross-account). + * `Invalid proxy credentials secret configuration (check encryption key for cross-account access)` – The secret exists but cannot be accessed. Ensure the calling identity has `secretsmanager:GetSecretValue` permission. For cross-account secrets, see [Cross-account secret access](./browser-proxies.html#browser-proxies-cross-account). @@ -278 +293 @@ Cookie expiration times are set by websites and cannot be modified by browser pr - * `Field 'username' contains invalid characters` or `Field 'password' contains invalid characters` – Use only the characters listed in the error message. See [](./.html#browser-proxies-step1) for allowed characters. + * `Field 'username' contains invalid characters` or `Field 'password' contains invalid characters` – Use only the characters listed in the error message. See [Step 1: Create a credentials secret (if using authentication)](./browser-proxies.html#browser-proxies-step1) for allowed characters. @@ -312 +327 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -CloudWatch Metrics +Root Certificate Authority