AWS bedrock-agentcore high security documentation change
Summary
Expanded security guidance for X-Amzn-Bedrock-AgentCore-Runtime-User-Id header with specific implementation steps including IAM restrictions, user-id derivation, audit logging, and explicit deny policies.
Security assessment
The changes explicitly address security risks of user impersonation by mandating IAM permission scoping, principal-based user-id derivation, and audit logging. It provides concrete countermeasures against authenticated users spoofing identities via header manipulation.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-oauth.md b/bedrock-agentcore/latest/devguide/runtime-oauth.md index ef5064798..6752f227e 100644 --- a//bedrock-agentcore/latest/devguide/runtime-oauth.md +++ b//bedrock-agentcore/latest/devguide/runtime-oauth.md @@ -34 +34 @@ Invoking InvokeAgentRuntime with the `X-Amzn-Bedrock-AgentCore-Runtime-User-Id h -While IAM authentication secures the API access, the `X-Amzn-Bedrock-AgentCore-Runtime-User-Id` header requires additional security considerations. Only trusted principals with the `bedrock-agentcore:InvokeAgentRuntimeForUser` permission should be allowed to set this header. The user-id value should ideally be derived from the authenticated principal’s context (for example, IAM context or user token) rather than accepting arbitrary values. This prevents scenarios where an authenticated user could potentially impersonate another user by manually specifying a different `user-id`. +While IAM authentication secures the API access, the `X-Amzn-Bedrock-AgentCore-Runtime-User-Id` header requires additional security considerations: @@ -36 +36,18 @@ While IAM authentication secures the API access, the `X-Amzn-Bedrock-AgentCore-R -Implement audit logging to track the relationship between the authenticated principal and the `user-id` being passed. + * **Restrict the IAM permission** — Only trusted principals should have the `bedrock-agentcore:InvokeAgentRuntimeForUser` permission. Scope this permission to specific runtime resources using IAM resource conditions. Do not grant it broadly via managed policies or wildcard resource statements. + + * **Derive user-id from the authenticated principal** — The user-id value should be derived from the authenticated principal’s context (for example, IAM caller identity or user token claims) rather than accepting arbitrary client-supplied values. This prevents an authenticated user from impersonating another user by manually specifying a different `user-id` . + + * **Implement audit logging** — Log the relationship between the authenticated IAM principal (from SigV4 context) and the `user-id` value being passed. Use AWS CloudTrail to monitor `InvokeAgentRuntime` calls that include the `runtimeUserId` parameter. + + * **Deny the header in untrusted contexts** — For runtimes where user-id delegation is not needed, explicitly deny the `bedrock-agentcore:InvokeAgentRuntimeForUser` action in IAM policies to prevent the header from being accepted: + + { + "Statement": [ + { + "Sid": "DenyUserIdDelegation", + "Effect": "Deny", + "Action": "bedrock-agentcore:InvokeAgentRuntimeForUser", + "Resource": "arn:aws:bedrock-agentcore:REGION:ACCOUNT_ID:runtime/*" + } + ] + }