AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-10 · Documentation low

File: bedrock-agentcore/latest/devguide/browser-web-bot-auth.md

Summary

Updated documentation for Amazon Bedrock AgentCore Browser Web Bot Auth (Preview) with formatting changes, added warnings about WAF provider support and domain owner control, and restructured console setup instructions.

Security assessment

The changes add explicit warnings about limitations of the Web Bot Auth feature, noting that WAF provider support varies and domain owners may block or rate-limit agent traffic regardless of cryptographic signatures. This clarifies security expectations but does not address a specific security vulnerability. The documentation continues to describe a security feature (cryptographic signing for bot authentication).

Diff

diff --git a/bedrock-agentcore/latest/devguide/browser-web-bot-auth.md b/bedrock-agentcore/latest/devguide/browser-web-bot-auth.md
index 0c8cc9f0e..aa096481c 100644
--- a//bedrock-agentcore/latest/devguide/browser-web-bot-auth.md
+++ b//bedrock-agentcore/latest/devguide/browser-web-bot-auth.md
@@ -13 +13 @@ Amazon Bedrock AgentCore Browser Web Bot Auth (Preview) is based on the draft IE
-**Current Implementation:**
+\+ **Current Implementation:**
@@ -15 +15 @@ Amazon Bedrock AgentCore Browser Web Bot Auth (Preview) is based on the draft IE
-  * Implementation details, API parameters, and signing mechanisms may change as we align with the finalized protocol specification
+\+ * Implementation details, API parameters, and signing mechanisms may change as we align with the finalized protocol specification * WAF provider support and policies vary. Not all websites will recognize or allow signed agent traffic * Domain owners retain full control over their bot policies and may block, monitor, or rate-limit agent traffic regardless of cryptographic signatures
@@ -17,8 +17 @@ Amazon Bedrock AgentCore Browser Web Bot Auth (Preview) is based on the draft IE
-  * WAF provider support and policies vary. Not all websites will recognize or allow signed agent traffic
-
-  * Domain owners retain full control over their bot policies and may block, monitor, or rate-limit agent traffic regardless of cryptographic signatures
-
-
-
-
-For the latest protocol specification, see the [IETF draft](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture).
+\+ For the latest protocol specification, see the [IETF draft](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture).
@@ -34 +27 @@ Websites implement these defenses because they cannot reliably distinguish betwe
-Web Bot Auth addresses this challenge by implementing the [IETF HTTP Message Signatures for automated traffic Architecture](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture) draft protocol. This protocol enables AI agents to cryptographically sign their HTTP requests, providing websites with verifiable proof of the agent's identity.
+Web Bot Auth addresses this challenge by implementing the [IETF HTTP Message Signatures for automated traffic Architecture](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture) draft protocol. This protocol enables AI agents to cryptographically sign their HTTP requests, providing websites with verifiable proof of the agent’s identity.
@@ -56 +49 @@ Web Bot Auth uses the IETF HTTP Message Signatures standard to cryptographically
-  4. **Verification** : The website's bot control system fetches the public key and verifies the signature to confirm the request comes from Amazon Bedrock AgentCore
+  4. **Verification** : The website’s bot control system fetches the public key and verifies the signature to confirm the request comes from Amazon Bedrock AgentCore
@@ -73 +66 @@ To enable Web Bot Auth, you need to configure it when creating a Browser Tool:
-AWS CLI
+###### Example
@@ -74,0 +68 @@ AWS CLI
+AWS CLI
@@ -76 +69,0 @@ AWS CLI
-To create a Browser Tool with Web Bot Auth enabled using the AWS CLI:
@@ -77,0 +71 @@ To create a Browser Tool with Web Bot Auth enabled using the AWS CLI:
+  1. To create a Browser Tool with Web Bot Auth enabled using the AWS CLI:
@@ -88 +81,0 @@ To create a Browser Tool with Web Bot Auth enabled using the AWS CLI:
-Boto3
@@ -91 +84,2 @@ Boto3
-To create a Browser Tool with Web Bot Auth enabled using Boto3:
+Boto3
+    
@@ -92,0 +87 @@ To create a Browser Tool with Web Bot Auth enabled using Boto3:
+  1. To create a Browser Tool with Web Bot Auth enabled using Boto3:
@@ -111,4 +105,0 @@ To create a Browser Tool with Web Bot Auth enabled using Boto3:
-Console
-    
-
-###### To enable Web Bot Auth in the console
@@ -116 +106,0 @@ Console
-  1. Open the AgentCore console at [https://console.aws.amazon.com/bedrock-agentcore/home#](https://console.aws.amazon.com/bedrock-agentcore/home#).
@@ -118,9 +108 @@ Console
-  2. In the navigation pane, choose **Built-in tools**.
-
-  3. Choose **Create browser tool**.
-
-  4. Provide a unique **Tool name** and optional **Description**.
-
-  5. Under **Network settings** , choose **Public network**.
-
-  6. In the **Web Bot Auth configuration** section, select the **Use Web Bot Auth** check box.
+Console
@@ -128 +109,0 @@ Console
-  7. Under **Permissions** , specify an IAM execution role that defines what AWS resources the Browser Tool can access.
@@ -130 +111 @@ Console
-  8. Configure other browser settings as needed and choose **Create**.
+  1. ====== To enable Web Bot Auth in the console
@@ -131,0 +113 @@ Console
+  2. Open the AgentCore console at [https://console.aws.amazon.com/bedrock-agentcore/home#](https://console.aws.amazon.com/bedrock-agentcore/home#).
@@ -132,0 +115 @@ Console
+  3. In the navigation pane, choose **Built-in tools**.
@@ -133,0 +117 @@ Console
+  4. Choose **Create browser tool**.
@@ -135 +119 @@ Console
-###### Important
+  5. Provide a unique **Tool name** and optional **Description**.
@@ -137 +121 @@ Console
-Web Bot Auth requires an execution role with a trust policy, but does not require any managed or inline policies. The feature is disabled by default and must be explicitly enabled during browser creation.
+  6. Under **Network settings** , choose **Public network**.
@@ -139 +123 @@ Web Bot Auth requires an execution role with a trust policy, but does not requir
-You should add the following trust policy to the execution role:
+  7. In the **Web Bot Auth configuration** section, select the **Use Web Bot Auth** check box.
@@ -141 +125 @@ You should add the following trust policy to the execution role:
-JSON
+  8. Under **Permissions** , specify an IAM execution role that defines what AWS resources the Browser Tool can access.
@@ -142,0 +127 @@ JSON
+  9. Configure other browser settings as needed and choose **Create**.
@@ -144 +128,0 @@ JSON
-****
@@ -148,19 +132 @@ JSON
-    {
-        "Version":"2012-10-17",
-        "Statement": [{
-            "Sid": "BedrockAgentCoreBuiltInTools",
-            "Effect": "Allow",
-            "Principal": {
-                "Service": "bedrock-agentcore.amazonaws.com"
-            },
-            "Action": "sts:AssumeRole",
-            "Condition": {
-                "StringEquals": {
-                    "aws:SourceAccount": "111122223333"
-                },
-                "ArnLike": {
-                    "aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:*"
-                }
-            }
-        }]
-    }
+###### Important
@@ -167,0 +134 @@ JSON
+Web Bot Auth requires an execution role with a trust policy, but does not require any managed or inline policies. The feature is disabled by default and must be explicitly enabled during browser creation. You should add the following trust policy to the execution role: [source,json,subs="verbatim,attributes"] ---- { "Version":"2012-10-17", "Statement": [{ "Sid": "BedrockAgentCoreBuiltInTools", "Effect": "Allow", "Principal": { "Service": "bedrock-agentcore.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:*" } } }] } ----