AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-10 · Documentation low

File: bedrock-agentcore/latest/devguide/vpc-egress-private-endpoints.md

Summary

Updated formatting of subsection headings from markdown '######' to bold '**', fixed punctuation (apostrophes and spacing), and corrected table headers by removing redundant text.

Security assessment

The changes are purely cosmetic and editorial, involving formatting adjustments, punctuation fixes, and table header corrections. There is no evidence of addressing a security vulnerability, weakness, or incident. The content remains about VPC egress and private endpoints setup, but no new security features or security-specific documentation is added.

Diff

diff --git a/bedrock-agentcore/latest/devguide/vpc-egress-private-endpoints.md b/bedrock-agentcore/latest/devguide/vpc-egress-private-endpoints.md
index 741534c3b..ff19dbf70 100644
--- a//bedrock-agentcore/latest/devguide/vpc-egress-private-endpoints.md
+++ b//bedrock-agentcore/latest/devguide/vpc-egress-private-endpoints.md
@@ -229 +229 @@ Before creating a gateway target with a self-managed private endpoint, complete
-###### Set up VPC Lattice resources for self-managed connectivity
+**Set up VPC Lattice resources for self-managed connectivity**
@@ -310 +310 @@ The following steps summarize the cross-account setup:
-###### Set up cross-account private connectivity
+**Set up cross-account private connectivity**
@@ -397 +397 @@ The following steps describe the traffic flow:
-  3. VPC Lattice routes traffic to the ALB via the routing domain. The TLS SNI is set to `my-server.my-company.com`, which matches the ALB's public ACM certificate, so the TLS handshake succeeds.
+  3. VPC Lattice routes traffic to the ALB via the routing domain. The TLS SNI is set to `my-server.my-company.com` , which matches the ALB’s public ACM certificate, so the TLS handshake succeeds.
@@ -399 +399 @@ The following steps describe the traffic flow:
-  4. The ALB terminates TLS and applies a host header transform to rewrite the Host header from `my-server.my-company.com` to the private resource's domain (for example, `my-server.my-company.internal`).
+  4. The ALB terminates TLS and applies a host header transform to rewrite the Host header from `my-server.my-company.com` to the private resource’s domain (for example, `my-server.my-company.internal` ).
@@ -406 +406 @@ The following steps describe the traffic flow:
-###### Step 1: Request a public ACM certificate
+**Step 1: Request a public ACM certificate**
@@ -410 +410 @@ Request a public certificate from ACM for a domain you own. This domain will be
-###### Step 2: Create an internal ALB
+**Step 2: Create an internal ALB**
@@ -414 +414 @@ Create an internal Application Load Balancer in the same VPC as your private res
-###### Step 3: Create an IP-based target group
+**Step 3: Create an IP-based target group**
@@ -416 +416 @@ Create an internal Application Load Balancer in the same VPC as your private res
-Create a target group with target type `ip` that points to your private resource's IP address on port 443 (HTTPS), and register your private resource as a target. For instructions, see [Create a target group](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html) in the Elastic Load Balancing User Guide.
+Create a target group with target type `ip` that points to your private resource’s IP address on port 443 (HTTPS), and register your private resource as a target. For instructions, see [Create a target group](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-target-group.html) in the Elastic Load Balancing User Guide.
@@ -418 +418 @@ Create a target group with target type `ip` that points to your private resource
-###### Step 4: Create an HTTPS listener with host header transform
+**Step 4: Create an HTTPS listener with host header transform**
@@ -420 +420 @@ Create a target group with target type `ip` that points to your private resource
-Create an HTTPS listener on port 443 using the public ACM certificate. Add a listener rule that transforms the Host header from the public domain to the private resource's domain before forwarding.
+Create an HTTPS listener on port 443 using the public ACM certificate. Add a listener rule that transforms the Host header from the public domain to the private resource’s domain before forwarding.
@@ -455 +455 @@ Then modify the listener rule to add the host header transform:
-###### Step 5: Configure the private endpoint
+**Step 5: Configure the private endpoint**
@@ -498 +498 @@ The following table describes common status values and their meanings:
-Status values for private endpoints Status | Description  
+Status | Description  
@@ -506 +506 @@ The following table describes common issues and their solutions:
-Common issues with VPC egress targets Issue | Solution  
+Issue | Solution  
@@ -510 +510 @@ Tool invocations fail with a connection error after target creation | Verify tha
-Tool invocations fail with a TLS error | If your private resource uses a certificate issued by a private CA, ensure that the certificate's Subject Alternative Name (SAN) matches the domain in your MCP endpoint or OpenAPI server URL. If using a routing domain, ensure the routing domain correctly forwards TLS to your private resource.  
+Tool invocations fail with a TLS error |  If your private resource uses a certificate issued by a private CA, ensure that the certificate’s Subject Alternative Name (SAN) matches the domain in your MCP endpoint or OpenAPI server URL. If using a routing domain, ensure the routing domain correctly forwards TLS to your private resource.