AWS bedrock-agentcore high security documentation change
Summary
Added section on enforcing traffic through the gateway, updated interceptor support details, and removed public preview notice.
Security assessment
The change adds explicit documentation on restricting direct access to AgentCore Runtime by enforcing traffic through the gateway. This addresses security concerns by detailing how to prevent runtime bypass using resource-based policies for IAM runtimes and workload configuration for OAuth runtimes.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-target-http-runtime.md b/bedrock-agentcore/latest/devguide/gateway-target-http-runtime.md index fc62d7050..54f56576c 100644 --- a//bedrock-agentcore/latest/devguide/gateway-target-http-runtime.md +++ b//bedrock-agentcore/latest/devguide/gateway-target-http-runtime.md @@ -7 +7 @@ -Key considerations and limitationsTarget configurationInvoking an AgentCore Runtime targetOutbound authorizationCapability comparison with MCP targets +Key considerations and limitationsTarget configurationInvoking an AgentCore Runtime targetOutbound authorizationEnforcing traffic through the gatewayCapability comparison with MCP targets @@ -13,4 +12,0 @@ You can add an Amazon Bedrock AgentCore Runtime agent as a gateway target. The g -###### Note - -AgentCore Runtime targets for Gateway are in public preview. Features and APIs may change before general availability. - @@ -39,0 +36,2 @@ Adding an AgentCore Runtime target to your gateway is useful when you want to: + * Enforcing traffic through the gateway + @@ -57 +55 @@ When working with AgentCore Runtime targets, be aware of the following considera - * Request interceptor Lambda functions are supported. Response interceptor Lambda functions with payload are not supported in the initial release due to SSE streaming incompatibility. + * Request and response interceptor Lambda functions are supported in buffered mode. Interceptors are not yet supported in streaming mode. @@ -144,0 +143,13 @@ AgentCore Runtime targets support the following outbound authorization types: +## Enforcing traffic through the gateway + +You can front your AgentCore Runtime with an AgentCore Gateway so that the gateway becomes the single, governed entry point to the runtime — giving you policy-based authorization, Amazon Bedrock Guardrails, request and response interceptors, and unified observability, all applied outside the agent’s own environment. For the full rationale, see [Front your runtime with an AgentCore Gateway](./runtime-security-best-practices.html#security-bp-front-with-gateway). But this is only useful if you can’t bypass the gateway and access the runtime directly. You can now achieve this regardless of whether the runtime uses IAM (SigV4) or OAuth (JWT) inbound authorization. + +You configure this restriction on the runtime. The gateway stamps the source of every request it forwards, and the runtime validates that source on the way in. The specific mechanism depends on the runtime’s inbound authorization type: + + * **IAM (SigV4) runtimes** – Attach a resource-based policy that restricts invocation to your gateway’s execution role. For the policy and the trust-policy hardening it requires, see [Restrict IAM (SigV4) inbound invocation to your gateway](./runtime-oauth.html#runtime-restrict-iam-gateway). + + * **OAuth (JWT) runtimes** – Configure `allowedWorkloadConfiguration` on the runtime’s `customJWTAuthorizer` to allow only your gateway’s workload. For the configuration and field reference, see [Restrict invocation to your gateway](./runtime-oauth.html#deploy-agent-allowed-workload). + + + + @@ -153 +164 @@ Semantic tool search | Indexes tool descriptions and enables discovery through -Response interceptor Lambda | Supports both request and response interceptors for non-streaming MCP operations. | Response interceptor Lambda with payload is not supported in the initial release due to SSE streaming incompatibility. Only request interceptor Lambda functions and response interceptors without payload are supported. +Response interceptor Lambda | Supports both request and response interceptors for non-streaming MCP operations. | Supports both request and response interceptor Lambda functions in buffered mode. Interceptors are not yet supported in streaming mode.