AWS bedrock-agentcore documentation change
Summary
Added documentation for 'payloadFilter' configuration option in interceptors, allowing exclusion of response bodies to stay within Lambda size limits.
Security assessment
The change documents a payload filtering feature to avoid exceeding Lambda's 6MB payload limit. While this prevents potential service disruptions, there is no evidence it addresses a specific security vulnerability or weakness.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-interceptors-configuration.md b/bedrock-agentcore/latest/devguide/gateway-interceptors-configuration.md index bd8bed774..d83b20162 100644 --- a//bedrock-agentcore/latest/devguide/gateway-interceptors-configuration.md +++ b//bedrock-agentcore/latest/devguide/gateway-interceptors-configuration.md @@ -25,0 +26,21 @@ Use caution when setting this to `true` as request headers may contain sensitive +**payloadFilter** + + +For HTTP targets (AgentCore Runtime and passthrough) and inference targets, which share the `http` interceptor payload shape, an optional filter that excludes fields from the interceptor input payload. Lambda synchronous invocation has a 6 MB limit for the request and response combined, so excluding a large response body keeps the payload within that limit. To exclude the response body, set `payloadFilter.exclude` to a list containing the `RESPONSE_BODY` field: + + + { + "inputConfiguration": { + "passRequestHeaders": false, + "payloadFilter": { + "exclude": [{ "field": "RESPONSE_BODY" }] + } + } + } + +###### Note + +`passRequestHeaders` is required in `inputConfiguration`. Include it (for example, `"passRequestHeaders": false`) alongside `payloadFilter`. + +When the response body is excluded, the `body` field in the response interceptor input payload is `null`. Your function can still inspect the `statusCode`, `contentType`, and `headers`, and can inject headers or override the status code. If your function returns `body: null`, the gateway uses the original response body. +