AWS bedrock-agentcore documentation change
Summary
Reformatted terminology table from multi-line definitions to a more compact two-column layout with terms and definitions on the same line, removing section headers as separate rows and integrating them into the table structure.
Security assessment
This is purely a formatting change that reorganizes existing content into a more compact table structure. No new security information was added, and no security vulnerabilities or weaknesses were addressed. The content about OAuth, authentication, and security concepts remains the same but is presented differently. There is no evidence of addressing a specific security incident or vulnerability.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-terminology.md b/bedrock-agentcore/latest/devguide/identity-terminology.md index 5e4344583..d29630696 100644 --- a//bedrock-agentcore/latest/devguide/identity-terminology.md +++ b//bedrock-agentcore/latest/devguide/identity-terminology.md @@ -9 +9 @@ AgentCore Identity uses specific terminology to describe the components, process -AgentCore Identity terminology definitions Term | Definition +Term | Definition @@ -11,7 +11,6 @@ AgentCore Identity terminology definitions Term | Definition -**Identity and Authentication** -Agent | An AI-powered application or automated workload that performs tasks on behalf of users by accessing AWS resources and third-party services. Agents act with pre-authorized user consent, to accomplish user goals, such as retrieving data from APIs, processing information, or integrating with third-party systems. Unlike traditional applications that run with static credentials, agents require dynamic identity management to securely access resources across multiple trust domains while maintaining proper authentication and authorization boundaries. -Agent identity | A unique identifier and associated metadata for an AI agent or automated workload. Agent identities are implemented as workload identities with specific attributes that identify them as agents, enabling specialized agent capabilities while maintaining compatibility with broader workload identity standards. Agent identities enable agents to authenticate as themselves rather than impersonating users, supporting delegation-based access patterns. -Agent identity directory | A centralized registry that manages agent identities and their associated metadata and access policies. Similar to Cognito User Pools, it acts as a unit of governance for organizing agent identities within an account or region. -Workload identity | The underlying technical implementation for agent identities, representing a logical application or workload that is independent of specific hardware or infrastructure. Workload identities can operate across different environments while maintaining consistent authentication. Agent identities are a specialized type of workload identity with additional agent-specific attributes and capabilities. -**Integration and Protocols** -Cross-service agents | AI agents that perform actions across multiple services, which may include accessing system resources (using machine-to-machine authentication) or user-specific data (using user-delegated access). Examples include agents that integrate with multiple backend systems for data processing or agents that access a user's calendar, email, and document storage. These agents require sophisticated identity management to operate securely across different trust domains. +**Identity and Authentication** | Agent +An AI-powered application or automated workload that performs tasks on behalf of users by accessing AWS resources and third-party services. Agents act with pre-authorized user consent, to accomplish user goals, such as retrieving data from APIs, processing information, or integrating with third-party systems. Unlike traditional applications that run with static credentials, agents require dynamic identity management to securely access resources across multiple trust domains while maintaining proper authentication and authorization boundaries. | Agent identity +A unique identifier and associated metadata for an AI agent or automated workload. Agent identities are implemented as workload identities with specific attributes that identify them as agents, enabling specialized agent capabilities while maintaining compatibility with broader workload identity standards. Agent identities enable agents to authenticate as themselves rather than impersonating users, supporting delegation-based access patterns. | Agent identity directory +A centralized registry that manages agent identities and their associated metadata and access policies. Similar to Cognito User Pools, it acts as a unit of governance for organizing agent identities within an account or region. | Workload identity +The underlying technical implementation for agent identities, representing a logical application or workload that is independent of specific hardware or infrastructure. Workload identities can operate across different environments while maintaining consistent authentication. Agent identities are a specialized type of workload identity with additional agent-specific attributes and capabilities. | **Integration and Protocols** +Cross-service agents | AI agents that perform actions across multiple services, which may include accessing system resources (using machine-to-machine authentication) or user-specific data (using user-delegated access). Examples include agents that integrate with multiple backend systems for data processing or agents that access a user’s calendar, email, and document storage. These agents require sophisticated identity management to operate securely across different trust domains. @@ -21,7 +20,6 @@ Model context protocol (MCP) | MCP is an open protocol that standardizes how app -**OAuth and Token Management** -OAuth 2.0 | An industry-standard authorization framework (defined in [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749)) that enables applications to obtain limited access to user accounts on external services without exposing user credentials. OAuth 2.0 provides secure delegation by allowing users to grant third-party applications access to their resources through access tokens rather than sharing passwords. For agent applications, OAuth 2.0 enables secure access to user data across multiple services while maintaining proper authentication boundaries and user consent mechanisms. -OAuth 2.0 authorizer | An SDK component that authenticates and authorizes incoming OAuth 2.0 API requests to agent endpoints. It validates tokens before allowing access to agent services. -OAuth 2.0 client credentials grant (2LO) | OAuth client credentials grant used for machine-to-machine authentication where no user interaction is required. Agents use 2LO to authenticate themselves directly with resource servers. -OAuth 2.0 authorization code grant (3LO) | OAuth authorization code grant that involves user consent and interaction. Agents use 3LO when they need explicit user permission to access user-specific data from external services like Google Calendar or Salesforce. -Agent access token | An AWS-signed token that contains both workload identity and user identity information, enabling downstream services to make authorization decisions based on both identities. These tokens are created through the token exchange process. -**Security and Trust** +**OAuth and Token Management** | OAuth 2.0 +An industry-standard authorization framework (defined in [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749) ) that enables applications to obtain limited access to user accounts on external services without exposing user credentials. OAuth 2.0 provides secure delegation by allowing users to grant third-party applications access to their resources through access tokens rather than sharing passwords. For agent applications, OAuth 2.0 enables secure access to user data across multiple services while maintaining proper authentication boundaries and user consent mechanisms. | OAuth 2.0 authorizer +An SDK component that authenticates and authorizes incoming OAuth 2.0 API requests to agent endpoints. It validates tokens before allowing access to agent services. | OAuth 2.0 client credentials grant (2LO) +OAuth client credentials grant used for machine-to-machine authentication where no user interaction is required. Agents use 2LO to authenticate themselves directly with resource servers. | OAuth 2.0 authorization code grant (3LO) +OAuth authorization code grant that involves user consent and interaction. Agents use 3LO when they need explicit user permission to access user-specific data from external services like Google Calendar or Salesforce. | Agent access token +An AWS-signed token that contains both workload identity and user identity information, enabling downstream services to make authorization decisions based on both identities. These tokens are created through the token exchange process. | **Security and Trust** @@ -31,3 +29,2 @@ Request verification security | A security model where every request is authenti -**Service Components** -Resource credential provider | A component that manages connections to external identity providers and resource servers, handling OAuth 2.0 authorization flows and credential retrieval. It orchestrates the complex process of obtaining and refreshing credentials from third-party services. For detailed configuration information, see [Configure credential provider](./resource-providers.html). -Token vault | A secure storage system for OAuth 2.0 tokens, API keys, and other credentials that operates with strict access controls. The token vault ensures credentials can only be accessed by the specific agent and user combination that originally obtained them. +**Service Components** | Resource credential provider +A component that manages connections to external identity providers and resource servers, handling OAuth 2.0 authorization flows and credential retrieval. It orchestrates the complex process of obtaining and refreshing credentials from third-party services. For detailed configuration information, see [Configure credential provider](./resource-providers.html). | Token vault