AWS agent-toolkit documentation change
Summary
Added documentation for CloudTrail logging of OAuth authentication events including AuthorizeOAuth2Access and CreateOAuth2Token actions, with details on captured fields and session correlation
Security assessment
The change documents new CloudTrail logging capabilities for OAuth authentication flows, enhancing security monitoring and audit capabilities. It provides visibility into authorization events and token issuance, enabling better security correlation through SignInSessionArn. No evidence of addressing a specific vulnerability.
Diff
diff --git a/agent-toolkit/latest/userguide/logging-using-cloudtrail.md b/agent-toolkit/latest/userguide/logging-using-cloudtrail.md index 7294b9901..cd3a0d411 100644 --- a//agent-toolkit/latest/userguide/logging-using-cloudtrail.md +++ b//agent-toolkit/latest/userguide/logging-using-cloudtrail.md @@ -32 +32,12 @@ For an ongoing record of events in your AWS account, including events for AWS MC -All AWS MCP Server actions are logged by CloudTrail and are documented in the [Agent Toolkit for AWS API Reference](https://docs.aws.amazon.com/aws-mcp/latest/APIReference/). For example, calls to the `ACTION_1`, `ACTION_2` and `ACTION_3` actions generate entries in the CloudTrail log files. +All AWS MCP Server actions for authenticated tools are logged by CloudTrail and are documented in the [Agent Toolkit for AWS API Reference](https://docs.aws.amazon.com/aws-mcp/latest/APIReference/). For example, calls to the `CallReadWriteTool` action generate entries in the CloudTrail log files. + +When you use OAuth authentication, CloudTrail also records the following AWS Sign-in events: + + * `AuthorizeOAuth2Access` — Recorded when a user authorizes an OAuth flow for an MCP client. + + * `CreateOAuth2Token` — Recorded when AWS Sign-in issues or refreshes OAuth tokens. + + + + +These events include the OAuth client ID, target AWS MCP Server resource, redirect URI, and associated sign-in session ARN. API calls made using OAuth access tokens include the `aws:SignInSessionArn` context. Use this context to correlate API activity with the originating OAuth sign-in session. For examples of CloudTrail entries for OAuth events, see [Monitoring OAuth activity](./oauth-authentication.html#oauth-monitoring).