AWS bedrock-agentcore high security documentation change
Summary
Added warning note about non-redaction of custom fields in CloudTrail management events
Security assessment
Explicitly warns against including passwords/sensitive info in non-API fields since they're not redacted in logs. This directly addresses potential exposure of credentials in CloudTrail.
Diff
diff --git a/bedrock-agentcore/latest/devguide/understanding-gateway-cloudtrail-log-entries.md b/bedrock-agentcore/latest/devguide/understanding-gateway-cloudtrail-log-entries.md index 831bc8813..562a76c2f 100644 --- a//bedrock-agentcore/latest/devguide/understanding-gateway-cloudtrail-log-entries.md +++ b//bedrock-agentcore/latest/devguide/understanding-gateway-cloudtrail-log-entries.md @@ -16,0 +17,4 @@ The contents of the requests and responses for data events are redacted, and the +###### Note + +For management events, only request parameters that are defined by the Gateway API are eligible for redaction. Any additional fields that you include in a request that are not part of the API are recorded in CloudTrail exactly as you sent them and are not redacted. Do not include passwords or other sensitive information in fields that are not part of the API. +