AWS bedrock-agentcore medium security documentation change
Summary
Added detailed section about authorization strategies for OpenAPI targets including OAuth, API keys, and IAM SigV4 authentication, plus compatibility requirements
Security assessment
The change explicitly documents authentication methods and security requirements for securing API access. It warns against insecure practices ('No authorization is not recommended') and specifies services compatible with IAM authentication. This provides concrete security guidance.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-schema-openapi.md b/bedrock-agentcore/latest/devguide/gateway-schema-openapi.md index 089d9ad1e..d8e4b5eae 100644 --- a//bedrock-agentcore/latest/devguide/gateway-schema-openapi.md +++ b//bedrock-agentcore/latest/devguide/gateway-schema-openapi.md @@ -7 +7 @@ -Key considerations and limitationsOpenAPI schema specification +Key considerations and limitationsAuthorization strategyOpenAPI schema specification @@ -20,0 +21,2 @@ Review the key considerations and limitations, including feature support, to hel + * Authorization strategy + @@ -152,0 +155,34 @@ Supported Features | Unsupported Features +## Authorization strategy + +The following types of outbound authorization are supported for OpenAPI targets: + + * No authorization – The gateway invokes the OpenAPI target without preconfigured authorization. This approach is not recommended. + + * OAuth – The gateway supports both two-legged OAuth (Client Credentials grant type) and three-legged OAuth (Authorization Code grant type). You configure the authorization provider in Amazon Bedrock AgentCore Identity in the same account and Region as the gateway. + + * API key – The gateway uses an API key credential provider to authenticate with the OpenAPI target. You configure the API key provider in Amazon Bedrock AgentCore Identity in the same account and Region as the gateway. + + * IAM ( [AWS Signature Version 4 (Sig V4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) ) – The gateway signs requests to the OpenAPI target using SigV4 with the gateway service role credentials. You configure an `IamCredentialProvider` with a required service name for SigV4 signing and an optional Region (defaults to the gateway Region). + + + + +###### Important + +IAM (SigV4) outbound authorization requires that the OpenAPI target is hosted behind an AWS service that natively supports IAM authentication. The gateway signs outbound requests with SigV4 but does not modify the authentication configuration on the target. The target service must be able to verify SigV4 signatures. + +The following AWS services natively support IAM authentication and are compatible with IAM outbound authorization for OpenAPI targets: + + * Amazon API Gateway + + * Lambda Function URLs + + * Amazon Bedrock AgentCore Gateway + + + + +Services that do not natively verify SigV4 signatures, such as Application Load Balancer or direct Amazon EC2 endpoints, are not compatible with IAM outbound authorization. If your OpenAPI target is hosted behind one of these services, use OAuth or API key authorization instead. + +For more information about setting up outbound authorization, see [Set up outbound authorization for your gateway](./gateway-outbound-auth.html). +