AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2026-05-01 · Security-related medium

File: bedrock-agentcore/latest/devguide/vpc-interface-endpoints.md

Summary

Added documentation for Protected Resource Metadata (PRM) endpoint policies including OAuth 2.0 RFC 9728 implementation details and VPC endpoint policy examples for authorization server discovery.

Security assessment

The changes address security implications of unauthenticated PRM endpoints by providing explicit VPC policy controls to prevent cross-account metadata leakage. Sample policies demonstrate how to restrict discovery endpoints to prevent unauthorized access to authorization server information.

Diff

diff --git a/bedrock-agentcore/latest/devguide/vpc-interface-endpoints.md b/bedrock-agentcore/latest/devguide/vpc-interface-endpoints.md
index a9141437a..cf3a770ee 100644
--- a//bedrock-agentcore/latest/devguide/vpc-interface-endpoints.md
+++ b//bedrock-agentcore/latest/devguide/vpc-interface-endpoints.md
@@ -142,0 +143,73 @@ The above policy allows only the IAM principal to make `InvokeAgentRuntime` call
+**Protected Resource Metadata (PRM) endpoint policies**
+
+The `GetRuntimeProtectedResourceMetadata` API implements [OAuth 2.0 Protected Resource Metadata (RFC 9728)](https://datatracker.ietf.org/doc/html/rfc9728). Clients call this endpoint _before_ they have credentials, to discover which authorization server protects a given agent runtime. This endpoint is unauthenticated by design, so the `Principal` must be set to * in the endpoint policy.
+
+VPC endpoint policies are enforced on PRM requests. If your endpoint policy does not explicitly allow `bedrock-agentcore:GetRuntimeProtectedResourceMetadata` , PRM requests through that endpoint are denied with HTTP 403. Any OAuth-configured agent runtime accessed through a VPC endpoint requires PRM access for authorization server discovery.
+
+###### Note
+
+If you have a deny-all endpoint policy for data perimeter enforcement and do not use OAuth or JWT authentication, PRM requests are denied automatically. No additional configuration is needed.
+
+The following endpoint policy allows any caller to discover the authorization server (PRM) while restricting runtime invocations to a specific IAM principal:
+    
+        {
+       "Statement": [
+          {
+             "Sid": "AllowPRMDiscovery",
+             "Effect": "Allow",
+             "Principal": "*",
+             "Action": [
+                "bedrock-agentcore:GetRuntimeProtectedResourceMetadata"
+             ],
+             "Resource": "arn:aws:bedrock-agentcore:REGION:ACCOUNT_ID:runtime/*"
+          },
+          {
+             "Sid": "AllowInvoke",
+             "Effect": "Allow",
+             "Principal": {
+                "AWS": "arn:aws:iam::ACCOUNT_ID:root"
+             },
+             "Action": [
+                "bedrock-agentcore:InvokeAgentRuntime"
+             ],
+             "Resource": "arn:aws:bedrock-agentcore:REGION:ACCOUNT_ID:runtime/RUNTIME_ID"
+          }
+       ]
+    }
+
+To block cross-account PRM lookups through your VPC endpoint (data perimeter enforcement), scope the PRM allow statement to only your account’s runtimes:
+    
+        {
+       "Statement": [
+          {
+             "Sid": "AllowPRMOwnAccountOnly",
+             "Effect": "Allow",
+             "Principal": "*",
+             "Action": [
+                "bedrock-agentcore:GetRuntimeProtectedResourceMetadata"
+             ],
+             "Resource": "arn:aws:bedrock-agentcore:REGION:ACCOUNT_ID:runtime/*"
+          },
+          {
+             "Sid": "DenyCrossAccountPRM",
+             "Effect": "Deny",
+             "Principal": "*",
+             "Action": [
+                "bedrock-agentcore:GetRuntimeProtectedResourceMetadata"
+             ],
+             "NotResource": "arn:aws:bedrock-agentcore:REGION:ACCOUNT_ID:runtime/*"
+          },
+          {
+             "Sid": "AllowInvoke",
+             "Effect": "Allow",
+             "Principal": {
+                "AWS": "arn:aws:iam::ACCOUNT_ID:root"
+             },
+             "Action": [
+                "bedrock-agentcore:InvokeAgentRuntime"
+             ],
+             "Resource": "arn:aws:bedrock-agentcore:REGION:ACCOUNT_ID:runtime/*"
+          }
+       ]
+    }
+