AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-22 · Documentation high

File: bedrock-agentcore/latest/devguide/runtime-security-best-practices.md

Summary

Added new section 'VM platform server' explaining security responsibilities and best practices for restricting access to the platform server within microVMs

Security assessment

The change adds new security documentation about restricting localhost access and auditing network tools, but doesn't address a specific vulnerability. It proactively documents security best practices for the platform server feature.

Diff

diff --git a/bedrock-agentcore/latest/devguide/runtime-security-best-practices.md b/bedrock-agentcore/latest/devguide/runtime-security-best-practices.md
index a013ed74e..af4111a7d 100644
--- a//bedrock-agentcore/latest/devguide/runtime-security-best-practices.md
+++ b//bedrock-agentcore/latest/devguide/runtime-security-best-practices.md
@@ -7 +7 @@
-Session isolation and data protectionIAM and least privilegeResource-based policies and cross-account accessConfused deputy preventionAuthentication best practicesCredential and secret managementNetwork securityEncryptionAuditing and monitoringShared responsibility modelCommand execution security
+Session isolation and data protectionIAM and least privilegeResource-based policies and cross-account accessConfused deputy preventionAuthentication best practicesCredential and secret managementNetwork securityEncryptionAuditing and monitoringShared responsibility modelCommand execution securityVM platform server
@@ -36,0 +37,2 @@ This topic consolidates security best practices for Amazon Bedrock AgentCore Run
+  * VM platform server
+
@@ -328,0 +331,19 @@ For complete details, see [Execute commands in runtime sessions](./runtime-execu
+## VM platform server
+
+Each AgentCore Runtime microVM includes a platform server running on localhost. This server manages VM session lifecycle, storage operations, and provides shell access to support runtime operations. The platform server runs entirely within the agent’s microVM, which is the isolation boundary — it contains no service-critical infrastructure code and has no access to other sessions or customers' workloads.
+
+###### Important
+
+Everything running within the microVM, including interactions with the platform server, is your responsibility under the shared responsibility model. If agent code or tools interact with the platform server, the impact is limited to the current VM session — it cannot affect other sessions or cross isolation boundaries. However, unauthorized access can disrupt the session’s VM lifecycle or provide shell access within that session.
+
+Follow these practices to limit unnecessary access to the platform server:
+
+  * **Restrict localhost access in agent code** — Configure your agent and any networking tools to prevent unrestricted access to localhost. Agent code should not make arbitrary HTTP calls to localhost unless required for a specific integration.
+
+  * **Allowlist only required ports for sidecar setups** — If your architecture uses a container-in-container or sidecar pattern on localhost, explicitly allowlist only the specific ports your sidecar services use. Do not open broad localhost access.
+
+  * **Audit network tools for localhost reach** — Review any tools you provide to your agent (such as HTTP request tools or general networking utilities) to ensure they cannot make unintended requests to localhost endpoints. Apply URL filtering or allowlisting at the tool level.
+
+
+
+