AWS bedrock-agentcore medium security documentation change
Summary
Modified ping response format and added warning about improper use of 'time_of_last_update' field causing session quota exhaustion.
Security assessment
Explicitly warns that misusing 'time_of_last_update' can prevent session timeouts, leading to resource exhaustion attacks that could deplete session quotas (denial of service vulnerability). Documents security best practices for session management.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-a2a-protocol-contract.md b/bedrock-agentcore/latest/devguide/runtime-a2a-protocol-contract.md index f51f6ee02..683a16264 100644 --- a//bedrock-agentcore/latest/devguide/runtime-a2a-protocol-contract.md +++ b//bedrock-agentcore/latest/devguide/runtime-a2a-protocol-contract.md @@ -198,2 +198 @@ Returns a status code indicating your agent’s health: - "status": "Healthy", - "time_of_last_update": 1640995200 + "status": "Healthy" @@ -201,0 +201,8 @@ Returns a status code indicating your agent’s health: +`status` is required and is one of `Healthy` or `HealthyBusy`. While the status is `HealthyBusy`, the runtime session is kept alive. + +An optional `time_of_last_update` field (a Unix timestamp in seconds) may be included to report when the `status` last changed. + +###### Warning + +Do not set `time_of_last_update` to the current time on every ping. A timestamp that advances on every ping signals a continuous status change, which prevents the idle session timeout from ever firing — sessions then persist until `MaxLifetime` and can exhaust your session quota. If you omit the field, the platform tracks status changes on its own. If you use the Bedrock AgentCore SDK, the ping response is handled for you. +