AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2026-04-01 · Security-related high

File: bedrock-agentcore/latest/devguide/gateway-inbound-auth.md

Summary

Updated guidance on No Authorization gateways, reversing previous recommendations to now advise against using them in production and only for testing/development. Also updated references from 'AgentCore starter toolkit' to 'AgentCore CLI' with simplified code examples.

Security assessment

The change explicitly reverses security guidance about No Authorization gateways, indicating a security concern with using them in production. The previous version incorrectly suggested they could be used in production after implementing security best practices, while the new version correctly states they should not be used in production at all. This represents a security documentation correction to prevent insecure configurations.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md
index 094d71c6c..b0e76369c 100644
--- a//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md
+++ b//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md
@@ -22 +22 @@ Before you create your gateway, you must set up inbound authorization. Inbound a
-Do not use No Authorization gateways for testing or development purposes. No Authorization gateways should only be used for production gateways that you intend to make public after you have implemented all the security best practices listed later on in this page.
+Do not use No Authorization gateways for production workloads. No Authorization gateways should only be used for testing and development purposes where security is not a primary concern.
@@ -26 +26 @@ Do not use No Authorization gateways for testing or development purposes. No Aut
-If use the AWS Management Console or AgentCore starter toolkit to create your gateway, you can create a default inbound authorization configuration using Amazon Cognito during gateway creation. If you plan to use the default authorization configuration, you can skip this prerequisite.
+If you use the AWS Management Console or AgentCore CLI to create your gateway, you can create a default inbound authorization configuration using Amazon Cognito during gateway creation. If you plan to use the default authorization configuration, you can skip this prerequisite.
@@ -96 +96 @@ Using inbound authorization based on JWT tokens will result in logging of some c
-You can use the AgentCore starter toolkit to set up a default JWT, or create one manually with a supported identity provider. To learn more about different methods for setting up a JWT, select from the following topics:
+You can use the AgentCore CLI to set up a default JWT, or create one manually with a supported identity provider. To learn more about different methods for setting up a JWT, select from the following topics:
@@ -109 +109 @@ You can use the AgentCore starter toolkit to set up a default JWT, or create one
-The AgentCore starter toolkit lets you easily create a default authorization configuration using Amazon Cognito that you can then use when creating a gateway. To create this default JWT, run the following code example:
+The AgentCore CLI lets you easily create a default authorization configuration using Amazon Cognito that you can then use when creating a gateway. When you run `agentcore create`, the CLI prompts you to configure inbound authorization and can automatically set up a Amazon Cognito user pool for you.
@@ -112,3 +112 @@ The AgentCore starter toolkit lets you easily create a default authorization con
-    # Initialize gateway client from starter toolkit
-    from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient
-    client = GatewayClient()
+    agentcore create
@@ -116,5 +114 @@ The AgentCore starter toolkit lets you easily create a default authorization con
-    # Retrieve JWT from the create response and store as the authorization configuration. When you create the gateway, specify it in the authorizer_config field
-    cognito_result = client.create_oauth_authorizer_with_cognito("my-gateway")
-    authorizer_configuration = cognito_result["authorizer_config"]
-
-The `cognito_result` contains authentication and authorization information:
+After the command completes, the AgentCore CLI provides authentication and authorization information:
@@ -165 +159 @@ You can create a gateway that is configured with no authorization by using `auth
-Do not use No Authorization gateways for testing or development purposes. No Authorization gateways should only be used for production gateways that you intend to make public after you have implemented all the security best practices listed below.
+Do not use No Authorization gateways for production workloads unless you have implemented all the security best practices listed below. No Authorization gateways are most appropriate for testing and development purposes.