AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-10 · Documentation low

File: bedrock-agentcore/latest/devguide/common-use-cases.md

Summary

Updated authentication documentation to explicitly specify OAuth 2.0 grant types (authorization code grant for user-delegated access and client credentials grant for machine-to-machine authentication) and made minor typographical fixes

Security assessment

The change clarifies authentication patterns by explicitly naming OAuth 2.0 grant types, which improves security documentation by providing more specific technical details about authentication mechanisms. However, there is no evidence this addresses a specific security vulnerability or incident - it appears to be routine documentation improvement.

Diff

diff --git a/bedrock-agentcore/latest/devguide/common-use-cases.md b/bedrock-agentcore/latest/devguide/common-use-cases.md
index 0e7f3ac8b..14b403c5c 100644
--- a//bedrock-agentcore/latest/devguide/common-use-cases.md
+++ b//bedrock-agentcore/latest/devguide/common-use-cases.md
@@ -5 +5 @@
-User-delegated accessMachine-to-machine authChoosing the right authentication pattern
+User-delegated access (OAuth 2.0 authorization code grant)Machine-to-machine authentication (OAuth 2.0 client credentials grant)Choosing the right authentication pattern
@@ -41 +41 @@ The OAuth 2.0 authorization code grant flow enables agents to access user-specif
-**Example scenario** – A productivity agent needs to access a user's Google Calendar to schedule meetings, their Gmail to send emails, and their Google Drive to store documents. The agent uses the OAuth 2.0 authorization code grant to obtain user consent for each service, with specific scopes that limit access to only the necessary data. The user explicitly authorizes the agent through Google's consent screen, and AgentCore Identity securely stores the resulting credentials for future use.
+**Example scenario** – A productivity agent needs to access a user’s Google Calendar to schedule meetings, their Gmail to send emails, and their Google Drive to store documents. The agent uses the OAuth 2.0 authorization code grant to obtain user consent for each service, with specific scopes that limit access to only the necessary data. The user explicitly authorizes the agent through Google’s consent screen, and AgentCore Identity securely stores the resulting credentials for future use.
@@ -47 +47 @@ This pattern is ideal for personal assistant agents, customer service agents, an
-The OAuth 2.0 client credentials grant flow enables direct authentication between systems without user interaction. This pattern is appropriate when agents need to access resources that aren't user-specific or when agents act themselves with pre-authorized user consent.
+The OAuth 2.0 client credentials grant flow enables direct authentication between systems without user interaction. This pattern is appropriate when agents need to access resources that aren’t user-specific or when agents act themselves with pre-authorized user consent.
@@ -70 +70 @@ When designing your agent authentication strategy, consider these factors to det
-Authentication pattern selection guide Factor | User-delegated access (OAuth 2.0 authorization code grant) | Machine-to-machine authentication (OAuth 2.0 client credentials grant)  
+Factor | User-delegated access (OAuth 2.0 authorization code grant) | Machine-to-machine authentication (OAuth 2.0 client credentials grant)  
@@ -77 +77 @@ Permission scope | Permissions vary by user and their consent choices | Consiste
-Many agent implementations will require both patterns for different aspects of their functionality. For example, a customer service agent might use user-delegated access to retrieve a specific customer's data while using machine-to-machine authentication to access company knowledge bases and internal systems. AgentCore Identity supports both patterns simultaneously, allowing agents to use the most appropriate authentication mechanism for each resource they need to access.
+Many agent implementations will require both patterns for different aspects of their functionality. For example, a customer service agent might use user-delegated access to retrieve a specific customer’s data while using machine-to-machine authentication to access company knowledge bases and internal systems. AgentCore Identity supports both patterns simultaneously, allowing agents to use the most appropriate authentication mechanism for each resource they need to access.
@@ -79 +79 @@ Many agent implementations will require both patterns for different aspects of t
-Both authentication patterns benefit from AgentCore Identity's core capabilities:
+Both authentication patterns benefit from AgentCore Identity’s core capabilities: