AWS bedrock-agentcore documentation change
Summary
Major restructuring and expansion of security documentation, including added sections on shared responsibility model, trust boundaries, input validation risks, model configuration vulnerabilities, skills security, and updated execution role policies.
Security assessment
The changes introduce detailed security guidance about risks like input validation bypass, model configuration manipulation (endpoint redirection, header injection, IAM role assumption), and untrusted skill sources. While these highlight potential vulnerabilities, they're preventative best practices rather than fixes for existing incidents. No specific CVE or incident is referenced.
Diff
diff --git a/bedrock-agentcore/latest/devguide/harness-security.md b/bedrock-agentcore/latest/devguide/harness-security.md index ef21c1ef0..8cfadd3bb 100644 --- a//bedrock-agentcore/latest/devguide/harness-security.md +++ b//bedrock-agentcore/latest/devguide/harness-security.md @@ -7 +7 @@ -Network configurationInbound OAuthGateway policiesExecution role policy +Shared responsibility modelNetwork configurationInbound OAuthGateway policiesExecution role policy @@ -28,2 +27,0 @@ The harness gives you the same security primitives as the rest of AgentCore, wir -Harness follows the AgentCore [shared responsibility model](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-security-best-practices.html#security-bp-shared-responsibility) - @@ -34 +32 @@ Harness follows the AgentCore [shared responsibility model](https://docs.aws.ama -## Network configuration +## Shared responsibility model @@ -36 +34 @@ Harness follows the AgentCore [shared responsibility model](https://docs.aws.ama -By default, harness sessions run on the public network. To access private resources (databases, internal APIs, private subnets), deploy the harness in your VPC. +The harness is built on AgentCore Runtime. The security boundary is the same: IAM or JWT authentication combined with microVM isolation. The harness does not add a security layer between the caller and the microVM. @@ -38 +36 @@ By default, harness sessions run on the public network. To access private resour -###### Example +###### AWS responsibilities: @@ -40 +38 @@ By default, harness sessions run on the public network. To access private resour -AgentCore CLI + * Secure infrastructure and microVM isolation at the hardware level @@ -41,0 +40 @@ AgentCore CLI + * OS kernel patching @@ -42,0 +42 @@ AgentCore CLI + * Language runtime patching for direct code deployments @@ -44,5 +44 @@ AgentCore CLI - agentcore add harness --name internal-agent \ - --network-mode VPC \ - --subnets subnet-0abc1234def56789a \ - --security-groups sg-0abc1234def56789a - agentcore deploy + * Network infrastructure security @@ -50 +46 @@ AgentCore CLI -AWS CLI/boto3 + * Service availability and resilience @@ -54,4 +49,0 @@ AWS CLI/boto3 - aws bedrock-agentcore-control create-harness \ - --harness-name "VpcHarness" \ - --execution-role-arn "arn:aws:iam::123456789012:role/MyHarnessRole" \ - --environment '{"agentCoreRuntimeEnvironment": {"networkConfiguration": {"networkMode": "VPC", "vpcConfig": {"securityGroupIds": ["sg-0abc1234def56789a"], "subnetIds": ["subnet-0abc1234def56789a"]}}}}' @@ -59 +51 @@ AWS CLI/boto3 -###### Important +###### Your responsibilities: @@ -61 +53 @@ AWS CLI/boto3 -The harness pulls its application container from Amazon ECR Public at the start of each session. When running in VPC mode, your VPC must allow outbound access to `public.ecr.aws`. Amazon ECR Public does not support VPC endpoints, so your VPC must have a NAT gateway with a route to an internet gateway. If this connectivity is not available, sessions will fail to start due to image pull timeouts. + * Agent code security and dependency management @@ -63 +55,68 @@ The harness pulls its application container from Amazon ECR Public at the start -For additional network configuration guidance, see [Configure AgentCore Runtime and built-in tools VPC configuration](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agentcore-vpc.html). For inbound API connectivity via PrivateLink, see [VPC interface endpoints](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/vpc-interface-endpoints.html). + * IAM access controls and resource policies + + * Security of commands executed in runtime sessions + + * Session-to-user mapping enforcement + + * Input validation and prompt injection prevention - including validating all `InvokeHarness` input (see Trust boundary and input validation) + + * Model configuration validation - such as `additionalParams`, `apiBase`, and `modelId` fields (see Model configuration parameters) + + * Skill and instruction sources - ensuring that S3 buckets, Git repositories, and URLs used for skills contain trusted content (see Skills and instructions) + + * Container image updates (for container deployments) - rebuild with the latest secure base image regularly + + * Network configuration (security groups, VPC endpoints, route tables) + + + + +For the full AgentCore Runtime shared responsibility model, see [Security best practices for AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-security-best-practices.html#security-bp-shared-responsibility). + +### Trust boundary and input validation + +All `InvokeHarness` and `InvokeAgentRuntimeCommand` input is trusted. Any principal that passes the IAM or JWT authentication and authorization gate has access to the full microVM session, including the tools and capabilities configured on the harness. The harness does not sanitize input, filter content blocks, or enforce behavioral constraints. + +If you expose the harness to end users you do not fully trust (employees, external consumers, or third-party integrations), validate and sanitize messages in your application layer before passing them to `InvokeHarness`. This includes stripping content-block types or model configuration fields you do not want dispatched. This is the same pattern as any service that accepts payloads from authorized callers, such as Lambda, Amazon API Gateway, and Amazon SQS. + +### Model configuration parameters + +The `model` field in `InvokeHarness` accepts `additionalParams` for Bedrock, OpenAI, and LiteLLM configurations. These parameters are passed through to the underlying model provider unchanged. The harness does not validate, filter, or restrict these parameters. + +Callers who can set `additionalParams` can: + + * **Redirect requests to arbitrary endpoints** \- LiteLLM’s `aws_bedrock_runtime_endpoint` parameter overrides the Bedrock endpoint URL. A caller can route the signed request - including the SigV4 signature and session credentials - to an endpoint that is specified in the trust model configuration. + + * **Override HTTP headers** \- OpenAI’s `extra_headers` parameter injects or overrides HTTP headers on the outbound request to the model provider, including the `Authorization` header. + + * **Attempt IAM role assumption** \- LiteLLM’s `aws_role_name` parameter instructs the runtime to assume a different IAM role before calling the model provider. The attempt succeeds or fails based on the execution role’s `sts:AssumeRole` permissions. + + * **Change the target model or region** \- The `modelId` and `apiBase` fields can redirect inference to a different model, region, or provider entirely. + + + + +If your application exposes `InvokeHarness` capabilities to callers you do not fully trust, consider implementing input validation in your application layer. Examples include: + + * Stripping or allowlisting the `model` field before forwarding requests + + * Validating or removing `additionalParams`, `apiBase`, and `modelId` + + * Denying `sts:AssumeRole` on the execution role if role switching is not required + + * Scoping the harness network access using VPC security groups + + + + +### Skills and instructions + +Skills are bundles of markdown and scripts that the harness fetches from Amazon S3 or Git at invocation time and injects into the agent’s context. The harness treats all skill content as trusted input. It does not validate, sanitize, or inspect the content or source of skills before providing them to the agent. + +You are responsible for: + + * Ensuring that skill sources (S3 buckets, Git repositories, URLs) are trusted and access-controlled + + * Reviewing skill content - including markdown instructions and any embedded scripts - before configuring them on the harness + + * Controlling which principals can override the `skills` field per invocation, since callers can point the harness at arbitrary S3 or Git sources @@ -65 +123,0 @@ For additional network configuration guidance, see [Configure AgentCore Runtime -## Inbound OAuth @@ -67 +125,18 @@ For additional network configuration guidance, see [Configure AgentCore Runtime -Require callers to present a valid JWT issued by a configured identity provider before they can invoke the harness. [AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html) threads the end-user identity through the agent, so downstream tools can call APIs with scoped user credentials instead of a shared service account. + + +Skills can be overridden per `InvokeHarness` call. If your application forwards caller-supplied input to `InvokeHarness`, a caller can supply their own skill sources containing arbitrary instructions or scripts. Examples of mitigations include: + + * Stripping or ignoring the `skills` field from caller-supplied requests + + * Allowlisting permitted S3 prefixes or Git repositories + + + + +### Observability and trace correlation + +The harness automatically propagates correlation identifiers to downstream AgentCore primitives (Gateway, Memory, Code Interpreter, Browser) to enable unified trace views in CloudWatch. These identifiers are used for observability only - they are never used for authorization or data access decisions. + +## Network configuration + +By default, harness sessions run on the public network. To access private resources (databases, internal APIs, private subnets), deploy the harness in your VPC. @@ -70,0 +146,9 @@ Require callers to present a valid JWT issued by a configured identity provider +AWS CLI/boto3 + + + + aws bedrock-agentcore-control create-harness \ + --harness-name "VpcHarness" \ + --execution-role-arn "arn:aws:iam::123456789012:role/MyHarnessRole" \ + --environment '{"agentCoreRuntimeEnvironment": {"networkConfiguration": {"networkMode": "VPC", "vpcConfig": {"securityGroupIds": ["sg-0abc1234def56789a"], "subnetIds": ["subnet-0abc1234def56789a"]}}}}' + @@ -75,4 +159,4 @@ AgentCore CLI - agentcore add harness --name MyNewHarness \ - --authorizer-type CUSTOM_JWT \ - --discovery-url {DISCOVERY_URL} \ - --allowed-clients {CLIENT_ID} + agentcore add harness --name internal-agent \ + --network-mode VPC \ + --subnets subnet-0abc1234def56789a \ + --security-groups sg-0abc1234def56789a @@ -81 +165 @@ AgentCore CLI -Invoke with a bearer token: +###### Important @@ -82,0 +167 @@ Invoke with a bearer token: +The harness pulls its application container from Amazon ECR Public at the start of each session. When running in VPC mode, your VPC must allow outbound access to `public.ecr.aws`. Amazon ECR Public does not support VPC endpoints, so your VPC must have a NAT gateway with a route to an internet gateway. If this connectivity is not available, sessions will fail to start due to image pull timeouts. @@ -84 +169 @@ Invoke with a bearer token: - agentcore invoke --harness MyNewHarness --bearer-token "{token}" "Hello" +For additional network configuration guidance, see [Configure AgentCore Runtime and built-in tools VPC configuration](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/agentcore-vpc.html). For inbound API connectivity via PrivateLink, see [VPC interface endpoints](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/vpc-interface-endpoints.html). @@ -86 +171,5 @@ Invoke with a bearer token: -See [inbound JWT authorizer](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/inbound-jwt-authorizer.html) for the full OAuth setup flow. +## Inbound OAuth + +Require callers to present a valid JWT issued by a configured identity provider before they can invoke the harness. [AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html) threads the end-user identity through the agent, so downstream tools can call APIs with scoped user credentials instead of a shared service account. + +###### Example @@ -105,0 +195,17 @@ Invoke with a Bearer token instead of SigV4 credentials: +AgentCore CLI + + + + agentcore add harness --name MyNewHarness \ + --authorizer-type CUSTOM_JWT \ + --discovery-url {DISCOVERY_URL} \ + --allowed-clients {CLIENT_ID} + agentcore deploy + +Invoke with a bearer token: + + + agentcore invoke --harness MyNewHarness --bearer-token "{token}" "Hello" + +See [inbound JWT authorizer](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/inbound-jwt-authorizer.html) for the full OAuth setup flow. + @@ -130 +236 @@ The harness assumes an IAM execution role you provide. The role’s trust policy -Harness APIs require permissions on both the harness resource and the underlying [AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-how-it-works.html) resource. The following table lists the required actions for each API: +Harness APIs require permissions on both the harness resource and the underlying [AgentCore Runtime](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-how-it-works.html) and optional [AgentCore Memory](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/memory.html) resources. The following table lists the required actions for each API: @@ -136,3 +242,3 @@ API | Required IAM actions -`CreateHarness` | `bedrock-agentcore:CreateHarness`, `bedrock-agentcore:CreateAgentRuntime` -`UpdateHarness` | `bedrock-agentcore:UpdateHarness`, `bedrock-agentcore:UpdateAgentRuntime` -`DeleteHarness` | `bedrock-agentcore:DeleteHarness`, `bedrock-agentcore:DeleteAgentRuntime` +`CreateHarness` | `bedrock-agentcore:CreateHarness`, `bedrock-agentcore:CreateAgentRuntime`, `bedrock-agentcore:CreateMemory` +`UpdateHarness` | `bedrock-agentcore:UpdateHarness`, `bedrock-agentcore:UpdateAgentRuntime`, `bedrock-agentcore:UpdateMemory`