AWS bedrock-agentcore medium security documentation change
Summary
Removed 'time_of_last_update' from ping response example and added warning about misusing timestamp
Security assessment
The warning explicitly states that incorrectly setting 'time_of_last_update' can prevent session timeouts, leading to session quota exhaustion. This addresses a potential denial-of-service vulnerability where misconfigured clients could exhaust system resources by keeping sessions alive indefinitely.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-agui-protocol-contract.md b/bedrock-agentcore/latest/devguide/runtime-agui-protocol-contract.md index b90c40fed..828672d6a 100644 --- a//bedrock-agentcore/latest/devguide/runtime-agui-protocol-contract.md +++ b//bedrock-agentcore/latest/devguide/runtime-agui-protocol-contract.md @@ -155,2 +155 @@ Returns a status code indicating your agent’s health: - "status": "Healthy", - "time_of_last_update": 1640995200 + "status": "Healthy" @@ -158,0 +158,8 @@ Returns a status code indicating your agent’s health: +`status` is required and is one of `Healthy` or `HealthyBusy`. While the status is `HealthyBusy`, the runtime session is kept alive. + +An optional `time_of_last_update` field (a Unix timestamp in seconds) may be included to report when the `status` last changed. + +###### Warning + +Do not set `time_of_last_update` to the current time on every ping. A timestamp that advances on every ping signals a continuous status change, which prevents the idle session timeout from ever firing — sessions then persist until `MaxLifetime` and can exhaust your session quota. If you omit the field, the platform tracks status changes on its own. If you use the Bedrock AgentCore SDK, the ping response is handled for you. +