AWS bedrock-agentcore documentation change
Summary
Added documentation for Authenticate Only authorization mode explaining JWT validation without full authorization.
Security assessment
The change documents a new security feature where the gateway performs authentication but delegates authorization decisions to target services. This improves security documentation but doesn't indicate a fix for a security vulnerability.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md b/bedrock-agentcore/latest/devguide/gateway-inbound-auth.md index a3956e540..446f9ce40 100644 --- a//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md +++ b//bedrock-agentcore/latest/devguide/gateway-inbound-auth.md @@ -16,0 +17,2 @@ Before you create your gateway, you must set up inbound authorization. Inbound a + * **Authenticate only** – The gateway validates the inbound JWT token to verify the caller’s identity but does not perform full authorization. The authenticated identity or token is passed through to the target for downstream authorization. This is useful when you want the gateway to verify authentication while delegating authorization decisions to the target service, such as when using passthrough outbound authorization with HTTP targets. +