AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-10 · Documentation low

File: bedrock-agentcore/latest/devguide/runtime-execute-command.md

Summary

Updated documentation formatting and typographical corrections for the InvokeAgentRuntimeCommand guide, including changes to headings, list formatting, and example code block labels.

Security assessment

The changes are purely editorial and formatting in nature, involving typographical fixes (e.g., changing 'doesn't' to 'doesn’t'), restructuring headings (changing '######' to '**' for bold), and reorganizing example code sections. There is no mention of patching vulnerabilities, addressing security incidents, or introducing new security controls. The existing security sections (e.g., 'Security boundary' and 'Auditing') only received minor typographical updates, not substantive security content additions.

Diff

diff --git a/bedrock-agentcore/latest/devguide/runtime-execute-command.md b/bedrock-agentcore/latest/devguide/runtime-execute-command.md
index d77524e68..0e0dfd09c 100644
--- a//bedrock-agentcore/latest/devguide/runtime-execute-command.md
+++ b//bedrock-agentcore/latest/devguide/runtime-execute-command.md
@@ -15 +15 @@ To call `InvokeAgentRuntimeCommand`, you need `bedrock-agentcore:InvokeAgentRunt
-Choosing between InvokeAgentRuntimeCommand and InvokeAgentRuntime Use InvokeAgentRuntimeCommand | Use InvokeAgentRuntime  
+Use InvokeAgentRuntimeCommand | Use InvokeAgentRuntime  
@@ -21 +21 @@ The operation is a validation gate in your workflow | The operation is the creat
-You're bootstrapping the environment before the agent starts | You're asking the agent to work on a task  
+You’re bootstrapping the environment before the agent starts |  You’re asking the agent to work on a task  
@@ -27 +27 @@ You're bootstrapping the environment before the agent starts | You're asking the
-###### Same agent, same session
+**Same agent, same session**
@@ -29 +29 @@ You're bootstrapping the environment before the agent starts | You're asking the
-`InvokeAgentRuntimeCommand` operates on the same agent runtime and session as `InvokeAgentRuntime`. You don't create separate resources. The agent you deployed with `CreateAgentRuntime` accepts both agent invocations and command execution on any active session.
+`InvokeAgentRuntimeCommand` operates on the same agent runtime and session as `InvokeAgentRuntime` . You don’t create separate resources. The agent you deployed with `CreateAgentRuntime` accepts both agent invocations and command execution on any active session.
@@ -37 +37 @@ The response is a stream of three event types:
-Command execution event types Event | When | Contains  
+Event | When | Contains  
@@ -60 +60 @@ Agents created after March 17, 2026 support command execution automatically. If
-Python
+###### Example
@@ -61,0 +62 @@ Python
+Python
@@ -63 +63,0 @@ Python
-The following example shows how to use boto3 to execute a command in a AgentCore Runtime session.
@@ -64,0 +65 @@ The following example shows how to use boto3 to execute a command in a AgentCore
+  1. The following example shows how to use boto3 to execute a command in a AgentCore Runtime session.
@@ -103 +103,0 @@ The following example shows how to use boto3 to execute a command in a AgentCore
-Java
@@ -106 +106,2 @@ Java
-The following example shows how to use the AWS SDK for Java to execute a command in a AgentCore Runtime session.
+Java
+    
@@ -107,0 +109 @@ The following example shows how to use the AWS SDK for Java to execute a command
+  1. The following example shows how to use the AWS SDK for Java to execute a command in a AgentCore Runtime session.
@@ -165 +166,0 @@ The following example shows how to use the AWS SDK for Java to execute a command
-JavaScript
@@ -168 +169,2 @@ JavaScript
-The following example shows how to use the AWS SDK for JavaScript v3 to execute a command in a AgentCore Runtime session.
+JavaScript
+    
@@ -169,0 +172 @@ The following example shows how to use the AWS SDK for JavaScript v3 to execute
+  1. The following example shows how to use the AWS SDK for JavaScript v3 to execute a command in a AgentCore Runtime session.
@@ -222 +227 @@ A common pattern is to use `InvokeAgentRuntime` for reasoning and `InvokeAgentRu
-###### Example End-to-end coding agent workflow
+**Example End-to-end coding agent workflow**
@@ -264,2 +269 @@ A common pattern is to use `InvokeAgentRuntime` for reasoning and `InvokeAgentRu
-
-The agent writes the code. The platform runs the commands. Each does what it's best at.
+The agent writes the code. The platform runs the commands. Each does what it’s best at.
@@ -272 +276 @@ Running test suites
-After the agent writes code, run the project's test suite as a command. The streaming response lets you detect failures early and feed specific error output back to the agent for iteration.
+After the agent writes code, run the project’s test suite as a command. The streaming response lets you detect failures early and feed specific error output back to the agent for iteration.
@@ -335 +339 @@ Streaming response over HTTP/2
-Output arrives as it's produced, not buffered until completion. A `npm test` that takes two minutes streams results in real time. Your application can detect a failure in the first few seconds and cancel early rather than waiting for the full run.
+Output arrives as it’s produced, not buffered until completion. A `npm test` that takes two minutes streams results in real time. Your application can detect a failure in the first few seconds and cancel early rather than waiting for the full run.
@@ -345 +349 @@ Non-blocking to the runtime
-Command execution doesn't block agent invocations. You can invoke the agent and run commands concurrently on the same session. The platform handles the concurrency.
+Command execution doesn’t block agent invocations. You can invoke the agent and run commands concurrently on the same session. The platform handles the concurrency.
@@ -360 +364 @@ The security boundary for command execution is the microVM. Each AgentCore Runti
-###### Auditing with CloudWatch Logs
+**Auditing with CloudWatch Logs**
@@ -362 +366 @@ The security boundary for command execution is the microVM. Each AgentCore Runti
-AgentCore Runtime sends the request ID and the input command to your agent's Amazon CloudWatch Logs log group. You can use these logs to monitor command activity and maintain an audit trail of what commands were executed in your sessions. The command execution output (stdout and stderr) is streamed back to your application and is not logged by the service.
+AgentCore Runtime sends the request ID and the input command to your agent’s Amazon CloudWatch Logs log group. You can use these logs to monitor command activity and maintain an audit trail of what commands were executed in your sessions. The command execution output (stdout and stderr) is streamed back to your application and is not logged by the service.
@@ -364 +368 @@ AgentCore Runtime sends the request ID and the input command to your agent's Ama
-###### Auditing with CloudTrail
+**Auditing with CloudTrail**
@@ -398 +402 @@ Occurs when the specified agent runtime or session cannot be found. Verify that
-Occurs when you don't have the necessary permissions. Ensure that your IAM policy includes the `bedrock-agentcore:InvokeAgentRuntimeCommand` permission.
+Occurs when you don’t have the necessary permissions. Ensure that your IAM policy includes the `bedrock-agentcore:InvokeAgentRuntimeCommand` permission.
@@ -411 +415 @@ Follow these best practices when using the `InvokeAgentRuntimeCommand` operation
-  * Use `InvokeAgentRuntimeCommand` for deterministic operations (tests, git, builds) and `InvokeAgentRuntime` for reasoning tasks. Don't route deterministic operations through the LLM.
+  * Use `InvokeAgentRuntimeCommand` for deterministic operations (tests, git, builds) and `InvokeAgentRuntime` for reasoning tasks. Don’t route deterministic operations through the LLM.