AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-06-19 · Documentation medium

File: cli/latest/reference/bedrock-agentcore-control/update-harness.md

Summary

Updated documentation for AWS Bedrock AgentCore Control's update-harness command. Changes include: 1) Added 'allowedWorkloadConfiguration' to define permitted invokers, 2) Added 'awsSkills' option in skills configuration, 3) Expanded memory configuration options including customer-managed keys, 4) Added harness version tracking, 5) Updated git URL validation pattern, 6) Navigation and version updates.

Security assessment

The changes introduce new security features: 1) 'allowedWorkloadConfiguration' restricts which workloads can invoke targets, improving access control. 2) 'encryptionKeyArn' allows customer-managed KMS keys for memory encryption. 3) Git URL pattern updated to prevent potentially dangerous characters. While these enhance security, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/cli/latest/reference/bedrock-agentcore-control/update-harness.md b/cli/latest/reference/bedrock-agentcore-control/update-harness.md
index 044a75d10..85e0dca13 100644
--- a//cli/latest/reference/bedrock-agentcore-control/update-harness.md
+++ b//cli/latest/reference/bedrock-agentcore-control/update-harness.md
@@ -13 +13 @@
-  * [next](update-memory.html "update-memory") |
+  * [next](update-harness-endpoint.html "update-harness-endpoint") |
@@ -15 +15 @@
-  * [AWS CLI 2.35.5 Command Reference](../../index.html) »
+  * [AWS CLI 2.35.8 Command Reference](../../index.html) »
@@ -23 +23 @@
-  * [update-memory →](update-memory.html "next chapter \(use the right arrow\)")
+  * [update-harness-endpoint →](update-harness-endpoint.html "next chapter \(use the right arrow\)")
@@ -59 +59 @@ First time using the AWS CLI? See the [User Guide](https://docs.aws.amazon.com/c
-Operation to update a Harness.
+Operation to update a harness.
@@ -914,0 +915,51 @@ JSON Syntax:
+>>> 
+>>> allowedWorkloadConfiguration -> (structure)
+>>>
+>>>> The configuration that restricts which workloads in the request’s identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.
+>>>> 
+>>>> hostingEnvironments -> (list)
+>>>>
+>>>>> The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `10`
+>>>>> 
+
+>>>>> 
+>>>>> (structure)
+>>>>>
+>>>>>> A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.
+>>>>>> 
+>>>>>> arn -> (string) [required]
+>>>>>>
+>>>>>>> The Amazon Resource Name (ARN) of the hosting environment.
+>>>>>>> 
+>>>>>>> Constraints:
+>>>>>>> 
+>>>>>>>   * min: `20`
+>>>>>>>   * max: `1011`
+>>>>>>> 
+
+>>>> 
+>>>> workloadIdentities -> (list)
+>>>>
+>>>>> The list of workload identities that are allowed to invoke the target.
+>>>>> 
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `10`
+>>>>> 
+
+>>>>> 
+>>>>> (string)
+>>>>>
+>>>>>> Constraints:
+>>>>>> 
+>>>>>>   * min: `3`
+>>>>>>   * max: `255`
+>>>>>>   * pattern: `[A-Za-z0-9_.-]+`
+>>>>>> 
+
@@ -973 +1024,10 @@ JSON Syntax:
-          ]
+          ],
+          "allowedWorkloadConfiguration": {
+            "hostingEnvironments": [
+              {
+                "arn": "string"
+              }
+              ...
+            ],
+            "workloadIdentities": ["string", ...]
+          }
@@ -1631 +1691 @@ JSON Syntax:
->> This is a Tagged Union structure. Only one of the following top level keys can be set: `path`, `s3`, `git`.
+>> This is a Tagged Union structure. Only one of the following top level keys can be set: `path`, `s3`, `git`, `awsSkills`.
@@ -1669 +1729 @@ JSON Syntax:
->>>>   * pattern: `https://.*`
+>>>>   * pattern: `https://[^#@]+`
@@ -1693,0 +1754,18 @@ JSON Syntax:
+>> 
+>> awsSkills -> (structure)
+>>
+>>> AWS Skills baked into the harness’s underlying Runtime.
+>>> 
+>>> paths -> (list)
+>>>
+>>>> Optionally filter allowed skills with glob syntax, e.g., [‘core-skills/*’].
+>>>> 
+>>>> (string)
+>>>>
+>>>>> Constraints:
+>>>>> 
+>>>>>   * min: `1`
+>>>>>   * max: `4096`
+>>>>>   * pattern: `([^*?\[\]]|\*)+`
+>>>>> 
+
@@ -1698 +1776 @@ Shorthand Syntax:
-    path=string,s3={uri=string},git={url=string,path=string,auth={credentialArn=string,username=string}} ...
+    path=string,s3={uri=string},git={url=string,path=string,auth={credentialArn=string,username=string}},awsSkills={paths=[string,string]} ...
@@ -1716,0 +1795,3 @@ JSON Syntax:
+        },
+        "awsSkills": {
+          "paths": ["string", ...]
@@ -1753 +1834 @@ Syntax:
->> This is a Tagged Union structure. Only one of the following top level keys can be set: `agentCoreMemoryConfiguration`.
+>> This is a Tagged Union structure. Only one of the following top level keys can be set: `agentCoreMemoryConfiguration`, `managedMemoryConfiguration`, `disabled`.
@@ -1797,0 +1879,63 @@ Syntax:
+>> 
+>> managedMemoryConfiguration -> (structure)
+>>
+>>> Harness creates and manages a memory resource in the customer’s account.
+>>> 
+>>> arn -> (string)
+>>>
+>>>> The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * pattern: `arn:aws:bedrock-agentcore:[a-z0-9-]+:[0-9]{12}:memory\/[a-zA-Z][a-zA-Z0-9-_]{0,99}-[a-zA-Z0-9]{10}`
+>>>> 
+
+>>> 
+>>> strategies -> (list)
+>>>
+>>>> Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `4`
+>>>> 
+
+>>>> 
+>>>> (string)
+>>>>
+>>>>> Possible values:
+>>>>> 
+>>>>>   * `SEMANTIC`
+>>>>>   * `SUMMARIZATION`
+>>>>>   * `USER_PREFERENCE`
+>>>>>   * `EPISODIC`
+>>>>> 
+
+>>> 
+>>> eventExpiryDuration -> (integer)
+>>>
+>>>> Event retention in days. Defaults to 30.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `3`
+>>>>   * max: `365`
+>>>> 
+
+>>> 
+>>> encryptionKeyArn -> (string)
+>>>
+>>>> Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.
+>>>> 
+>>>> Constraints:
+>>>> 
+>>>>   * min: `1`
+>>>>   * max: `2048`
+>>>>   * pattern: `arn:aws(|-cn|-us-gov):kms:[a-zA-Z0-9-]*:[0-9]{12}:key/[a-zA-Z0-9-]{36}`
+>>>> 
+
+>> 
+>> disabled -> (structure)
+>>
+>>> Explicitly opt out of memory.
@@ -1813,0 +1958,9 @@ JSON Syntax:
+        },
+        "managedMemoryConfiguration": {
+          "arn": "string",
+          "strategies": ["SEMANTIC"|"SUMMARIZATION"|"USER_PREFERENCE"|"EPISODIC", ...],
+          "eventExpiryDuration": integer,
+          "encryptionKeyArn": "string"
+        },
+        "disabled": {
+    
@@ -2022 +2175 @@ harness -> (structure)
->> The ID of the Harness.
+>> The ID of the harness.
@@ -2032 +2185 @@ harness -> (structure)
->> The name of the Harness.
+>> The name of the harness.
@@ -2042 +2195 @@ harness -> (structure)
->> The ARN of the Harness.
+>> The ARN of the harness.
@@ -2052 +2205 @@ harness -> (structure)
->> The status of the Harness.