AWS Security ChangesHomeSearch

AWS devopsagent documentation change

Service: devopsagent · 2026-07-01 · Documentation low

File: devopsagent/latest/userguide/configuring-integrations-and-knowledge-invoking-devops-agent-through-webhook.md

Summary

Added support for API key authentication in generic webhooks, introduced MCP server webhooks, and clarified authentication methods during webhook creation.

Security assessment

The change documents new authentication options (API key/bearer token) and emphasizes secure storage of secrets/keys. While it enhances security documentation, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/devopsagent/latest/userguide/configuring-integrations-and-knowledge-invoking-devops-agent-through-webhook.md b/devopsagent/latest/userguide/configuring-integrations-and-knowledge-invoking-devops-agent-through-webhook.md
index 8b24d079c..858404f85 100644
--- a//devopsagent/latest/userguide/configuring-integrations-and-knowledge-invoking-devops-agent-through-webhook.md
+++ b//devopsagent/latest/userguide/configuring-integrations-and-knowledge-invoking-devops-agent-through-webhook.md
@@ -32 +32 @@ AWS DevOps Agent supports the following types of webhooks:
-  * **Generic webhooks** – Can be manually created for triggering investigations from any source not covered by a specific integration. Generic webhooks currently use **HMAC** authentication (bearer token not currently available).
+  * **Generic webhooks** – Can be manually created for triggering investigations from any source not covered by a specific integration. In the AWS DevOps Agent console, a generic webhook is created as an **Agent Space webhook** (scoped to an Agent Space). When you create a generic webhook, you choose its authentication method: **HMAC** or **API key** (bearer token).
@@ -47 +47,3 @@ The authentication method for your webhook depends on which integration it's ass
-  * Generic webhooks (not linked to a specific third-party integration)
+  * Generic webhooks (select **HMAC** at creation)
+
+  * MCP server webhooks (select **HMAC** at creation)
@@ -65,0 +68,4 @@ The authentication method for your webhook depends on which integration it's ass
+  * Generic webhooks (select **API key** at creation)
+
+  * MCP server webhooks (select **API key** at creation)
+
@@ -110 +116,5 @@ Webhooks are automatically generated when you complete the configuration of a th
-  2. The system will generate an HMAC key pair
+  2. For **Webhook authentication type** , choose **HMAC** or **API key** :
+
+     * **HMAC** – The system generates a webhook signing secret. Your client signs each request and sends the signature in the `x-amzn-event-signature` header (see Version 1 below).
+
+     * **API key** – The system generates an API key (bearer token). Your client sends it in the `Authorization: Bearer <token>` header (see Version 2 below).
@@ -112 +122 @@ Webhooks are automatically generated when you complete the configuration of a th
-  3. Securely store the generated key and secret—you won't be able to retrieve them again
+  3. Securely store the generated secret or API key. You won't be able to retrieve it again.