AWS Security ChangesHomeSearch

AWS devopsagent documentation change

Service: devopsagent · 2026-07-01 · Documentation medium

File: devopsagent/latest/userguide/configuring-integrations-and-knowledge-connecting-to-privately-hosted-tools.md

Summary

Added DNS resolution options (Public/In VPC) for host addresses, clarified certificate key placement, and introduced separate private connection routing for OAuth target and exchange URLs in MCP server capabilities.

Security assessment

The changes enhance security documentation by adding DNS resolution controls (reducing exposure of internal names) and enabling network segmentation for OAuth endpoints. However, there's no evidence of addressing a specific vulnerability. Security improvements are preventive (isolation of token exchange paths) rather than reactive fixes.

Diff

diff --git a/devopsagent/latest/userguide/configuring-integrations-and-knowledge-connecting-to-privately-hosted-tools.md b/devopsagent/latest/userguide/configuring-integrations-and-knowledge-connecting-to-privately-hosted-tools.md
index 8c4ec4a8b..adebe573c 100644
--- a//devopsagent/latest/userguide/configuring-integrations-and-knowledge-connecting-to-privately-hosted-tools.md
+++ b//devopsagent/latest/userguide/configuring-integrations-and-knowledge-connecting-to-privately-hosted-tools.md
@@ -158 +158 @@ Private connections are account-level resources. After you create a private conn
-  11. For **Host address** , enter the IP address or DNS name of your target service (for example, `mcp.internal.example.com` or `10.0.1.50`). The service must be reachable from the selected VPC. If you choose a DNS name, it must be publicly resolvable.
+  11. For **Host address** , enter the IP address or DNS name of your target service (for example, `mcp.internal.example.com` or `10.0.1.50`). The service must be reachable from the selected VPC. If you enter a DNS name, how it is resolved depends on the **DNS resolution** mode you choose in the next step.
@@ -160 +160 @@ Private connections are account-level resources. After you create a private conn
-  12. (Optional) For **Certificate public key** , if the host address you specified uses TLS certificates issued by a private certificate authority, enter the PEM-encoded public key of the certificate. This allows AWS DevOps Agent to trust the TLS connection to your target service.
+  12. For **DNS resolution** , choose how the host address DNS name is resolved:
@@ -162 +162,7 @@ Private connections are account-level resources. After you create a private conn
-  13. Choose **Create connection**.
+     * **Public** (default) – The DNS name is resolved using public DNS. If you enter a DNS name as the host address, it must be publicly resolvable. Use this mode when your hostname has a public DNS record (which can point to a private IP address). If you specify an IP address as the host address, this setting has no effect.
+
+     * **In VPC** – The DNS name is resolved from within your VPC context, so hostnames that exist only in a [private hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-private.html) resolve correctly without any public DNS record. Use this mode when your target service's hostname is private to your VPC.
+
+  13. (Optional) For **Certificate public key** , if the host address you specified uses TLS certificates issued by a private certificate authority, enter the PEM-encoded public key of the certificate. This allows AWS DevOps Agent to trust the TLS connection to your target service.
+
+  14. Choose **Create connection**.
@@ -202 +208,2 @@ Run the following command to create a private connection. Replace the placeholde
-                "portRanges": ["443"]
+                "portRanges": ["443"],
+                "dnsResolution": "PUBLIC"
@@ -205,0 +213,2 @@ Run the following command to create a private connection. Replace the placeholde
+The `dnsResolution` field controls how the `hostAddress` DNS name is resolved. Valid values are `PUBLIC` (the default when omitted) and `IN_VPC`. Use `IN_VPC` when your host address only resolves inside your VPC (for example, a name in a private hosted zone). If you specify an IP address for `hostAddress`, this field has no effect.
+
@@ -259,0 +269,40 @@ In the AWS DevOps Agent console, private connections can be linked to a capabili
+#### Routing the endpoint and the OAuth token exchange through different private connections
+
+For OAuth-based MCP server capability providers, the agent makes requests to two different endpoints: the **target URL** (the MCP server endpoint you register) and the **exchange URL** (the OAuth token exchange endpoint). By default, a single `privateConnectionName` is used for both. If these two endpoints are reachable through different private network paths, you can route each one through its own private connection by using `targetUrlPrivateConnectionName` and `exchangeUrlPrivateConnectionName` instead:
+
+  * `targetUrlPrivateConnectionName` – the private connection used to reach the MCP server endpoint (target URL).
+
+  * `exchangeUrlPrivateConnectionName` – the private connection used to reach the OAuth token exchange endpoint (exchange URL).
+
+
+
+
+You can specify either or both. If you set only one, the other endpoint is reached over the public internet (it does not fall back to the other private connection).
+
+###### Important
+
+ __`targetUrlPrivateConnectionName` and `exchangeUrlPrivateConnectionName` cannot be combined with `privateConnectionName` in the same request. Use either the single `privateConnectionName` (applies to both endpoints) or the per-endpoint names — not both.
+
+The following example registers an OAuth Client Credentials MCP Server that reaches its endpoint and its token exchange endpoint through two separate private connections:
+    
+    
+    aws devops-agent register-service \
+        --service mcpserver \
+        --target-url-private-connection-name my-target-connection \
+        --exchange-url-private-connection-name my-exchange-connection \
+        --service-details '{
+            "mcpserver": {
+                "name": "my-mcp-tool",
+                "endpoint": "https://mcp.internal.example.com",
+                "authorizationConfig": {
+                    "oAuthClientCredentials": {
+                        "clientName": "MyOAuthClient",
+                        "clientId": "client-id",
+                        "clientSecret": "secret-value",
+                        "exchangeUrl": "https://auth.internal.example.com/token"
+                    }
+                }
+            }
+        }' \
+        --region us-east-1
+