AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2026-05-13 · Security-related high

File: bedrock-agentcore/latest/devguide/harness-security.md

Summary

Added critical networking requirements for VPC mode: outbound access to ECR Public via NAT gateway, with warnings about session failures if not configured.

Security assessment

Documents essential security configuration for VPC deployments. Explicitly warns about session startup vulnerabilities due to network misconfiguration, providing concrete mitigation guidance.

Diff

diff --git a/bedrock-agentcore/latest/devguide/harness-security.md b/bedrock-agentcore/latest/devguide/harness-security.md
index f739282ae..f0801d1ad 100644
--- a//bedrock-agentcore/latest/devguide/harness-security.md
+++ b//bedrock-agentcore/latest/devguide/harness-security.md
@@ -57 +57,5 @@ AWS CLI/boto3
-Learn more: [AgentCore VPC](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agentcore-vpc.html) · [VPC interface endpoints](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/vpc-interface-endpoints.html)
+###### Important
+
+The harness pulls its application container from Amazon ECR Public at the start of each session. When running in VPC mode, your VPC must allow outbound access to `public.ecr.aws`. Amazon ECR Public does not support VPC endpoints, so your VPC must have a NAT gateway with a route to an internet gateway. If this connectivity is not available, sessions will fail to start due to image pull timeouts.
+
+For additional network configuration guidance, see [Configure AgentCore Runtime and built-in tools VPC configuration](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agentcore-vpc.html). For inbound API connectivity via PrivateLink, see [VPC interface endpoints](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/vpc-interface-endpoints.html).