AWS bedrock-agentcore high security documentation change
Summary
Added security warning about unverified userId usage in GetWorkloadAccessTokenForUserId API
Security assessment
Explicitly warns that userId-based authentication lacks validation and recommends JWT-based authentication for production to prevent authentication bypass risks.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-getting-started-cognito.md b/bedrock-agentcore/latest/devguide/identity-getting-started-cognito.md index 93b432231..2fa6ac055 100644 --- a//bedrock-agentcore/latest/devguide/identity-getting-started-cognito.md +++ b//bedrock-agentcore/latest/devguide/identity-getting-started-cognito.md @@ -440,0 +441,4 @@ The agent will then return a URL to your `agentcore invoke` command. Copy and pa +###### Important + +The `--user-id` parameter uses the `GetWorkloadAccessTokenForUserId` API path, which treats the userId as an opaque string without verifying it against an authenticated end-user identity. This is appropriate for quickstart and development scenarios where you don’t have an IdP token available. For production deployments where you have a JWT identifying the end user, use the JWT-based authentication path (`GetWorkloadAccessTokenForJWT`) instead, which validates the token’s issuer, signature, and expiry. For more information, see [Get workload access token](./get-workload-access-token.html). +