AWS cli documentation change
Summary
Updated AWS CLI version reference; modified name pattern constraint; added workload restriction configuration for authorization; added custom transformation configuration; updated Lambda ARN pattern; added payload filtering for interceptors; added WAF integration configuration.
Security assessment
The changes primarily document new security features: 1) Workload restrictions (allowedWorkloadConfiguration) for fine-grained access control, 2) Payload filtering (payloadFilter) to limit sensitive data exposure to interceptors, 3) WAF integration (webAclArn and wafConfiguration) for web application protection. There's no evidence these address existing vulnerabilities; they appear to be new security capability documentation. The WAF failure modes (FAIL_CLOSE/FAIL_OPEN) and workload restrictions represent significant security enhancements.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/get-gateway.md b/cli/latest/reference/bedrock-agentcore-control/get-gateway.md index 282faceef..99ad600f0 100644 --- a//cli/latest/reference/bedrock-agentcore-control/get-gateway.md +++ b//cli/latest/reference/bedrock-agentcore-control/get-gateway.md @@ -15 +15 @@ - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) » @@ -296 +296 @@ name -> (string) -> * pattern: `([0-9a-zA-Z][-]?){1,100}` +> * pattern: `([0-9a-zA-Z][-]?){1,48}` @@ -848,0 +849,51 @@ authorizerConfiguration -> (tagged union structure) +>> +>> allowedWorkloadConfiguration -> (structure) +>> +>>> The configuration that restricts which workloads in the request’s identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways. +>>> +>>> hostingEnvironments -> (list) +>>> +>>>> The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `10` +>>>> + +>>>> +>>>> (structure) +>>>> +>>>>> A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway. +>>>>> +>>>>> arn -> (string) [required] +>>>>> +>>>>>> The Amazon Resource Name (ARN) of the hosting environment. +>>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `20` +>>>>>> * max: `1011` +>>>>>> + +>>> +>>> workloadIdentities -> (list) +>>> +>>>> The list of workload identities that are allowed to invoke the target. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `10` +>>>> + +>>>> +>>>> (string) +>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `3` +>>>>> * max: `255` +>>>>> * pattern: `[A-Za-z0-9_.-]+` +>>>>> + @@ -861,0 +913,20 @@ kmsKeyArn -> (string) +customTransformConfiguration -> (structure) + +> The custom transformation configuration for the gateway. This configuration defines how the gateway transforms requests and responses. +> +> lambda -> (structure) +> +>> The Lambda configuration for custom transformations. This configuration defines how the gateway uses a Lambda function to transform data. +>> +>> arn -> (string) +>> +>>> The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to transform data. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `170` +>>> * pattern: `arn:(aws[a-zA-Z-]*)?:lambda:([a-z]{2}(-gov)?-[a-z]+-\d{1}):(\d{12}):function:([a-zA-Z0-9-_.]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?` +>>> + + @@ -897 +968 @@ interceptorConfigurations -> (list) ->>>>> * pattern: `arn:(aws[a-zA-Z-]*)?:lambda:([a-z]{2}(-gov)?-[a-z]+-\d{1}):(\d{12}):function:([a-zA-Z0-9-_.]+)(:(\$LATEST|[a-zA-Z0-9-]+))?` +>>>>> * pattern: `arn:(aws[a-zA-Z-]*)?:lambda:([a-z]{2}(-gov)?-[a-z]+-\d{1}):(\d{12}):function:([a-zA-Z0-9-_.]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?` @@ -927,0 +999,33 @@ interceptorConfigurations -> (list) +>>> +>>> payloadFilter -> (structure) +>>> +>>>> The filter that determines which parts of the request or response payload are passed as input to the interceptor. +>>>> +>>>> exclude -> (list) [required] +>>>> +>>>>> The list of selectors that identify payload fields to exclude from the interceptor input. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `1` +>>>>> + +>>>>> +>>>>> (tagged union structure) +>>>>> +>>>>>> A selector that identifies a payload field to exclude from the interceptor input. +>>>>>> +>>>>>> ### Note +>>>>>> +>>>>>> This is a Tagged Union structure. Only one of the following top level keys can be set: `field`. +>>>>>> +>>>>>> field -> (string) +>>>>>> +>>>>>>> The field to exclude from the interceptor input. +>>>>>>> +>>>>>>> Possible values: +>>>>>>> +>>>>>>> * `RESPONSE_BODY` +>>>>>>> + @@ -990,0 +1095,32 @@ exceptionLevel -> (string) +webAclArn -> (string) + +> The Amazon Resource Name (ARN) of the Amazon Web Services WAF web ACL associated with the gateway. +> +> Constraints: +> +> * min: `1` +> * max: `2048` +> * pattern: `arn:[a-z0-9\-]+:wafv2:[a-z0-9\-]+:[0-9]{12}:regional/webacl/.+` +> + + +wafConfiguration -> (structure) + +> The Amazon Web Services WAF configuration for the gateway. +> +> failureMode -> (string) +> +>> The failure mode that determines how the gateway handles requests when Amazon Web Services WAF is unreachable or times out. Valid values include: +>> +>> * `FAIL_CLOSE` \- The gateway blocks requests when Amazon Web Services WAF cannot be evaluated. +>> * `FAIL_OPEN` \- The gateway allows requests when Amazon Web Services WAF cannot be evaluated. +>> + +>> +>> Possible values: +>> +>> * `FAIL_CLOSE` +>> * `FAIL_OPEN` +>> + + @@ -1001 +1137 @@ exceptionLevel -> (string) - * [AWS CLI 2.35.5 Command Reference](../../index.html) » + * [AWS CLI 2.35.8 Command Reference](../../index.html) »