AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-04-25 · Documentation low

File: bedrock-agentcore/latest/devguide/registry-sync-records.md

Summary

Added detailed console and AWS CLI instructions for synchronizing registry records from endpoints with various authentication methods (none, OAuth, IAM) and for agent records, including re-synchronization steps.

Security assessment

The changes document security features and authentication methods (OAuth, IAM) for accessing MCP servers and agent cards, emphasizing HTTPS requirements and credential management. This is routine documentation enhancement for security features, not a response to a specific security vulnerability.

Diff

diff --git a/bedrock-agentcore/latest/devguide/registry-sync-records.md b/bedrock-agentcore/latest/devguide/registry-sync-records.md
index dac7a7213..fd659e8a0 100644
--- a//bedrock-agentcore/latest/devguide/registry-sync-records.md
+++ b//bedrock-agentcore/latest/devguide/registry-sync-records.md
@@ -22,0 +23,21 @@ For Public MCP servers that don’t require authentication or authorization:
+### Console
+
+  1. Open the registry detail page.
+
+  2. In the **Registry records** section, choose **Create record**.
+
+  3. Choose **Synchronize from endpoint**.
+
+  4. Under **Record details** , choose **MCP** as the record type.
+
+  5. For **Endpoint** , enter the public MCP server URL (e.g., `https://knowledge-mcp.global.api.aws`). Must be a valid HTTPS URL.
+
+  6. Under **Credential type** , choose **None**.
+
+  7. Choose **Create record**.
+
+The record is created in CREATING status. The registry connects to the endpoint, extracts server and tool definitions, and populates the record’s descriptors. After synchronization completes, the record transitions to DRAFT. If synchronization fails, the record transitions to CREATE_FAILED status with the error details available in the Status Reason field. For troubleshooting, see [Record synchronization errors](./registry-troubleshooting.html#registry-troubleshooting-sync-errors).
+
+
+
+
@@ -65,0 +87,31 @@ When the MCP server is protected by OAuth, you will need to create an M2M client
+### Console
+
+  1. Open the registry detail page.
+
+  2. In the **Registry records** section, choose **Create record**.
+
+  3. Choose **Synchronize from endpoint**.
+
+  4. Under **Record details** , choose **MCP** as the record type.
+
+  5. For **Endpoint** , enter the OAuth-protected MCP server URL. Must be a valid HTTPS URL.
+
+  6. Under **Credential type** , choose **OAuth**.
+
+  7. For **Credential provider** , select or enter the credential provider ARN from AgentCore Identity.
+
+  8. (Optional) Expand **Additional configuration** to configure:
+
+    1. **Scopes** — OAuth scopes to request when obtaining an access token.
+
+    2. **Custom parameters** — Additional key-value parameters for the OAuth token request.
+
+  9. Choose **Create record**.
+
+The record is created in CREATING status. The registry connects to the endpoint using the OAuth credentials, extracts server and tool definitions, and populates the record’s descriptors. After synchronization completes, the record transitions to DRAFT. If synchronization fails, the record transitions to CREATE_FAILED status with the error details available in the Status Reason field. For troubleshooting, see [Record synchronization errors](./registry-troubleshooting.html#registry-troubleshooting-sync-errors).
+
+
+
+
+### AWS CLI
+    
@@ -141,0 +194,29 @@ Besides the IAM role, you must specify `service` field for SigV4 signing. If you
+### Console
+
+  1. Open the registry detail page.
+
+  2. In the **Registry records** section, choose **Create record**.
+
+  3. Choose **Synchronize from endpoint**.
+
+  4. Under **Record details** , choose **MCP** as the record type.
+
+  5. For **Endpoint** , enter the IAM-protected MCP server URL. Must be a valid HTTPS URL.
+
+  6. Under **Credential type** , choose **IAM**.
+
+  7. For **Role ARN** , enter the IAM role ARN to assume for SigV4 signing.
+
+  8. For **Service** , enter the service name for SigV4 signing (e.g., `bedrock-agentcore`, `execute-api`, `lambda`).
+
+  9. (Optional) Expand **Additional configuration** and choose a **Region** for SigV4 signing. If not specified, the registry’s own region is used.
+
+  10. Choose **Create record**.
+
+The record is created in CREATING status. The registry connects to the endpoint using IAM credentials, extracts server and tool definitions, and populates the record’s descriptors. After synchronization completes, the record transitions to DRAFT. If synchronization fails, the record transitions to CREATE_FAILED status with the error details available in the Status Reason field. For troubleshooting, see [Record synchronization errors](./registry-troubleshooting.html#registry-troubleshooting-sync-errors).
+
+
+
+
+### AWS CLI
+    
@@ -201,0 +283,29 @@ Provide the agent card URL or the agent’s base URL where `.well-known/agent-ca
+### Console
+
+  1. Open the registry detail page.
+
+  2. In the **Registry records** section, choose **Create record**.
+
+  3. Choose **Synchronize from endpoint**.
+
+  4. Under **Record details** , choose **Agent** as the record type.
+
+  5. For **Endpoint** , enter the agent card URL (e.g., `https://agent.example.com/.well-known/agent-card.json`). Must be a valid HTTPS URL.
+
+  6. Under **Credential type** , choose the appropriate authorization method:
+
+    1. **None** — For publicly accessible agent cards.
+
+    2. **IAM** — For agents hosted on AgentCore Runtime or Gateway. Provide the **Role ARN** and **Service** name.
+
+    3. **OAuth** — For OAuth-protected agents. Select or enter the **Credential provider** ARN.
+
+  7. Choose **Create record**.
+
+The record is created in CREATING status. The registry connects to the endpoint, extracts the agent card metadata, and populates the record’s descriptors. After synchronization completes, the record transitions to DRAFT. If synchronization fails, the record transitions to CREATE_FAILED status with the error details available in the Status Reason field. For troubleshooting, see [Record synchronization errors](./registry-troubleshooting.html#registry-troubleshooting-sync-errors).
+
+
+
+
+### AWS CLI
+    
@@ -235,0 +346,26 @@ You can also specify credential providers for A2A synchronization, for example y
+### Console
+
+  1. Open the record detail page for an MCP or Agent record that has synchronization configured.
+
+  2. Choose the **Sync** button in the header actions.
+
+  3. In the confirmation dialog, review the message that syncing will revert the record to draft state.
+
+  4. Choose **Sync** to confirm.
+
+
+
+
+The record transitions to UPDATING status during synchronization. After completion, it returns to DRAFT with updated descriptors from the source. If synchronization fails, the record transitions to UPDATE_FAILED status with the error details available in the Status Reason field. For troubleshooting, see [Record synchronization errors](./registry-troubleshooting.html#registry-troubleshooting-sync-errors).
+
+Alternatively, you can trigger synchronization during editing:
+
+  1. From the record detail page, choose the three-dot menu (⋮), then choose **Edit**.
+
+  2. Under **Synchronize from endpoint** , select the **Re-sync from endpoint** checkbox.
+
+  3. Choose **Save changes**.
+
+
+
+