AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-06-22 · Documentation low

File: bedrock-agentcore/latest/devguide/gateway-interceptors-configuration.md

Summary

Added documentation for 'payloadFilter' configuration option in interceptors, allowing exclusion of response bodies to stay within Lambda size limits.

Security assessment

The change documents a payload filtering feature to avoid exceeding Lambda's 6MB payload limit. While this prevents potential service disruptions, there is no evidence it addresses a specific security vulnerability or weakness.

Diff

diff --git a/bedrock-agentcore/latest/devguide/gateway-interceptors-configuration.md b/bedrock-agentcore/latest/devguide/gateway-interceptors-configuration.md
index bd8bed774..d83b20162 100644
--- a//bedrock-agentcore/latest/devguide/gateway-interceptors-configuration.md
+++ b//bedrock-agentcore/latest/devguide/gateway-interceptors-configuration.md
@@ -25,0 +26,21 @@ Use caution when setting this to `true` as request headers may contain sensitive
+**payloadFilter**
+    
+
+For HTTP targets (AgentCore Runtime and passthrough) and inference targets, which share the `http` interceptor payload shape, an optional filter that excludes fields from the interceptor input payload. Lambda synchronous invocation has a 6 MB limit for the request and response combined, so excluding a large response body keeps the payload within that limit. To exclude the response body, set `payloadFilter.exclude` to a list containing the `RESPONSE_BODY` field:
+    
+    
+    {
+      "inputConfiguration": {
+        "passRequestHeaders": false,
+        "payloadFilter": {
+          "exclude": [{ "field": "RESPONSE_BODY" }]
+        }
+      }
+    }
+
+###### Note
+
+`passRequestHeaders` is required in `inputConfiguration`. Include it (for example, `"passRequestHeaders": false`) alongside `payloadFilter`.
+
+When the response body is excluded, the `body` field in the response interceptor input payload is `null`. Your function can still inspect the `statusCode`, `contentType`, and `headers`, and can inject headers or override the status code. If your function returns `body: null`, the gateway uses the original response body.
+