AWS bedrock-agentcore high security documentation change
Summary
Added security controls: JWT preference for production and explicit IAM denial for unverified userId path
Security assessment
Mandates cryptographic verification for production workloads and IAM policy restrictions to prevent insecure token issuance methods.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-security-best-practices.md b/bedrock-agentcore/latest/devguide/runtime-security-best-practices.md index af4111a7d..cf582abb5 100644 --- a//bedrock-agentcore/latest/devguide/runtime-security-best-practices.md +++ b//bedrock-agentcore/latest/devguide/runtime-security-best-practices.md @@ -142,0 +143,2 @@ AgentCore Runtime supports IAM SigV4 and JWT bearer token authentication. Follow + * **Prefer JWT-based user identification for production** — When your agent retrieves OAuth tokens on behalf of end users, prefer the JWT bearer token path (`GetWorkloadAccessTokenForJWT`), which validates the token’s issuer, signature, and expiry. The UserId path (`GetWorkloadAccessTokenForUserId` / `X-Amzn-Bedrock-AgentCore-Runtime-User-Id` header) treats the user identifier as an opaque string without IdP verification — use it only for development, quickstart scenarios, or enterprise architectures that resolve user identity upstream. For more information, see [Get workload access token](./get-workload-access-token.html). + @@ -147 +149,3 @@ AgentCore Runtime supports IAM SigV4 and JWT bearer token authentication. Follow - * **Derive user-id from the authenticated principal** — The `X-Amzn-Bedrock-AgentCore-Runtime-User-Id` value should be derived from the authenticated principal’s context (IAM caller identity or user token claims), not from arbitrary client-supplied values. This prevents authenticated users from impersonating other users. + * **Derive user-id from the authenticated principal** — If you use the `X-Amzn-Bedrock-AgentCore-Runtime-User-Id` header, the value should be derived from the authenticated principal’s context (IAM caller identity or user token claims), not from arbitrary client-supplied values. This prevents authenticated users from impersonating other users. + + * **Deny ForUserId where not needed** — For workloads that always have a JWT available, explicitly deny `bedrock-agentcore:GetWorkloadAccessTokenForUserId` and `bedrock-agentcore:InvokeAgentRuntimeForUser` in IAM policies. This ensures all user identification goes through the cryptographically verified JWT path.