Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Enable Authorization on AgentCore Runtime

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon Bedrock AgentCore runtimes are configured with an authorizer to authenticate and authorize incoming invocation requests. Amazon Bedrock AgentCore Runtime provides a serverless execution environment for AI agents, where each runtime exposes an endpoint that clients can call to invoke the agent. The authorizerConfiguration field on a runtime defines how incoming requests are authenticated before reaching the agent — currently supporting custom JWT-based authorization via an OpenID Connect (OIDC) discovery URL. When configured, the runtime validates incoming JWT tokens against the specified identity provider before allowing the invocation to proceed.

Without an authorizerConfiguration configured, an AgentCore runtime relies solely on AWS IAM-based access control for InvokeAgentRuntime requests. While IAM policies can restrict access to known AWS principals, the absence of a JWT authorizer means the runtime cannot validate tokens from external identity providers, OAuth clients, or end-user applications. This makes it impossible to enforce application-level or user-level access control on agent invocations, which is often required when AI agents are integrated into customer-facing systems or multi-tenant applications.

Configuring a custom JWT authorizer on the runtime enables the service to validate the Authorization header in incoming invocation requests against an OIDC-compliant identity provider, checking the token's audience, client ID, scopes, and any custom claims you define. This provides a critical layer of access control that ensures only authenticated and authorized callers — such as specific OAuth clients or users with the correct scopes — can interact with your AI agent runtime.

Security

Enabling authorization on Amazon Bedrock AgentCore runtimes is essential for protecting AI agent workloads from unauthorized access. AI agents hosted on AgentCore runtimes may have access to sensitive internal tools, APIs, databases, and business logic. Without a properly configured authorizer, any caller with IAM InvokeAgentRuntime permissions — including automated pipelines, compromised roles, or misconfigured services — can invoke the agent without any additional identity verification. Configuring a JWT-based authorizer ensures that every invocation request is authenticated against a trusted identity provider, allowing you to enforce fine-grained access control based on user identity, application client, allowed scopes, and custom claims. This is particularly important for runtimes that serve external users or multi-tenant applications, where verifying the caller's identity and permissions is a fundamental security requirement.

Audit

To determine if your Amazon Bedrock AgentCore runtimes have authorization configured, perform the following operations:

Using AWS Console

The AWS Management Console does not currently display the inbound JWT authorizer configuration for an AgentCore runtime. The Identity tab on the runtime details page provides informational guidance about inbound and outbound authentication, but does not show whether an authorizer has been configured or its current settings. To reliably determine if a runtime has authorization configured, use the AWS CLI audit steps below.

Using AWS CLI

01 Run list-agent-runtimes command (OSX/Linux/UNIX) to list the IDs of all Amazon Bedrock AgentCore runtimes available in the selected AWS region: 

aws bedrock-agentcore-control list-agent-runtimes
	--region us-east-1
	--query 'agentRuntimes[*].agentRuntimeId'

02 The command output should return the requested AgentCore runtime identifiers: 

[
	"cc_agentcore_runtime-aBcDeFgHiJ",
	"cc_data_agent_runtime-kLmNoPqRsT"
]

03 Run get-agent-runtime command (OSX/Linux/UNIX) with the ID of the Amazon Bedrock AgentCore runtime that you want to examine as the identifier parameter and output query filters to describe the authorizer configuration for the selected runtime: 

aws bedrock-agentcore-control get-agent-runtime
	--region us-east-1
	--agent-runtime-id cc_agentcore_runtime-aBcDeFgHiJ
	--query 'authorizerConfiguration'

04 The command output should return the authorizer configuration if one is attached: 

null

If the get-agent-runtime command output returns null for the authorizerConfiguration attribute, as shown in the example above, the selected Amazon Bedrock AgentCore runtime does not have authorization configured and is therefore non-compliant.

05 Repeat steps no. 3 and 4 for each AgentCore runtime available in the selected AWS region.

06 Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the Audit process for other regions.

Remediation / Resolution

To enable authorization on your Amazon Bedrock AgentCore runtimes, perform the following operations:

Before configuring authorization on a runtime, you must have an OIDC-compliant identity provider available (such as Amazon Cognito, Okta, Auth0, or Microsoft Entra ID). The discoveryUrl used in the authorizer configuration must be the OpenID Connect discovery endpoint of your identity provider (ending in /.well-known/openid-configuration). The runtime will validate incoming JWT tokens against this endpoint. If you do not have an existing OIDC identity provider, see Option 2 in the AWS CLI remediation section below for complete instructions to set up Amazon Cognito as the identity provider from scratch.

Using AWS CloudFormation

01 Use the following AWS CloudFormation template to create an Amazon Bedrock AgentCore runtime with authorization configured: 

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Description": "Create an Amazon Bedrock AgentCore Runtime with JWT authorization configured.",
	"Resources": {
		"CcAgentcoreRuntime": {
			"Properties": {
				"AgentRuntimeArtifact": {
					"ContainerConfiguration": {
						"ContainerUri": "123456789012.dkr.ecr.us-east-1.amazonaws.com/cc-ai-agent:latest"
					}
				},
				"AgentRuntimeName": "cc_agentcore_runtime",
				"AuthorizerConfiguration": {
					"CustomJWTAuthorizer": {
						"AllowedAudience": [
							"cc-runtime-client"
						],
						"AllowedClients": [
							"1a2b3c4d5e6f7g8h9i0j"
						],
						"DiscoveryUrl": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE/.well-known/openid-configuration"
					}
				},
				"NetworkConfiguration": {
					"NetworkMode": "PUBLIC"
				},
				"RoleArn": "arn:aws:iam::123456789012:role/cc-agentcore-runtime-role"
			},
			"Type": "AWS::BedrockAgentCore::Runtime"
		}
	}
	}

02 Use the following AWS CloudFormation template in YAML format: 

AWSTemplateFormatVersion: "2010-09-09"
Description: "Create an Amazon Bedrock AgentCore Runtime with JWT authorization configured."
Resources:
CcAgentcoreRuntime:
	Type: AWS::BedrockAgentCore::Runtime
	Properties:
	AgentRuntimeName: cc_agentcore_runtime
	RoleArn: arn:aws:iam::123456789012:role/cc-agentcore-runtime-role
	AgentRuntimeArtifact:
		ContainerConfiguration:
		ContainerUri: 123456789012.dkr.ecr.us-east-1.amazonaws.com/cc-ai-agent:latest
	NetworkConfiguration:
		NetworkMode: PUBLIC
	AuthorizerConfiguration:
		CustomJWTAuthorizer:
		DiscoveryUrl: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE/.well-known/openid-configuration
		AllowedAudience:
			- cc-runtime-client
		AllowedClients:
			- 1a2b3c4d5e6f7g8h9i0j

Using Terraform (AWS Provider)

01 Use the following Terraform configuration to create an Amazon Bedrock AgentCore runtime with JWT authorization enabled: 

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 5.0"
		}
	}
	required_version = ">= 1.3.0"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_bedrock_agentcore_runtime" "cc_agentcore_runtime" {
	agent_runtime_name = "cc_agentcore_runtime"
	role_arn           = "arn:aws:iam::123456789012:role/cc-agentcore-runtime-role"

	agent_runtime_artifact {
		container_configuration {
			container_uri = "123456789012.dkr.ecr.us-east-1.amazonaws.com/cc-ai-agent:latest"
		}
	}

	network_configuration {
		network_mode = "PUBLIC"
	}

	authorizer_configuration {
		custom_jwt_authorizer {
			discovery_url    = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE/.well-known/openid-configuration"
			allowed_audience = ["cc-runtime-client"]
			allowed_clients  = ["1a2b3c4d5e6f7g8h9i0j"]
		}
	}
}

Using AWS Console

The AWS Management Console does not currently provide a direct interface for configuring the inbound JWT authorizer on an existing AgentCore runtime. The Identity tab on the runtime details page is informational only and does not expose controls for setting the authorizerConfiguration property. To configure inbound JWT authorization, use the AWS CLI remediation steps below.

Using AWS CLI

The authorizerConfiguration property on an AgentCore runtime is set via the create-agent-runtime (at creation time) or update-agent-runtime (to update an existing runtime) commands. Both commands require all mandatory runtime configuration parameters because they perform a full replacement. Choose one of the following two approaches depending on whether you have an existing OIDC-compatible identity provider or need to set one up from scratch using Amazon Cognito.

Option 1: Custom JWT — Using an Existing OIDC Identity Provider

Use this approach if you already have an OIDC-compatible identity provider (e.g., Okta, Auth0, Microsoft Entra ID, or an existing Amazon Cognito user pool) and know its discovery URL and client identifiers.

01 Run update-agent-runtime command (OSX/Linux/UNIX) to configure custom JWT authorization for the Amazon Bedrock AgentCore runtime identified in the Audit section (see Audit section part II to identify the right resource). Replace the --agent-runtime-artifact, --role-arn, and --network-configuration parameter values with the existing configuration values from your runtime, and set the discoveryUrl, allowedClients, and allowedAudience values from your identity provider: 

aws bedrock-agentcore-control update-agent-runtime \
	--region us-east-1 \
	--agent-runtime-id cc_agentcore_runtime-aBcDeFgHiJ \
	--agent-runtime-artifact '{"containerConfiguration":{"containerUri":"123456789012.dkr.ecr.us-east-1.amazonaws.com/cc-ai-agent:latest"}}' \
	--role-arn arn:aws:iam::123456789012:role/cc-agentcore-runtime-role \
	--network-configuration '{"networkMode":"PUBLIC"}' \
	--authorizer-configuration '{"customJWTAuthorizer":{"discoveryUrl":"https://your-idp.example.com/.well-known/openid-configuration","allowedAudience":["cc-runtime-client"],"allowedClients":["1a2b3c4d5e6f7g8h9i0j"]}}'

Notes:

  • The discoveryUrl must end with /.well-known/openid-configuration and its issuer value must match the iss claim in incoming JWT tokens.
  • At least one of allowedAudience, allowedClients, or allowedScopes must be provided.
  • You can also add "allowedScopes" and "customClaimValidation" to further restrict token acceptance.

02 The command output should return the updated AgentCore runtime information: 

{
	"agentRuntimeArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/cc_agentcore_runtime-aBcDeFgHiJ",
	"agentRuntimeId": "cc_agentcore_runtime-aBcDeFgHiJ",
	"agentRuntimeVersion": "2",
	"createdAt": "2026-01-15T10:30:00Z",
	"lastUpdatedAt": "2026-03-13T14:20:00Z",
	"status": "UPDATING"
}

03 Repeat steps no. 1 and 2 for each AgentCore runtime that does not have authorization configured, available in the selected AWS region.

04 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

Option 2: Amazon Cognito — Complete Setup from Scratch

Use this approach if you do not have an existing OIDC identity provider and need to create one. The following steps create an Amazon Cognito user pool, a user pool client, a test user, and then configure the runtime to use it as the JWT authorizer.

Step 1: Create a Cognito user pool and client

Run the following commands to create the Cognito resources. Record the output values — you will need them in Step 3.

# Create a Cognito user pool
export POOL_ID=$(aws cognito-idp create-user-pool \
	--pool-name "cc-agentcore-user-pool" \
	--policies '{"PasswordPolicy":{"MinimumLength":8}}' \
	--region us-east-1 \
	--query 'UserPool.Id' \
	--output text)

echo "User Pool ID: $POOL_ID"

# Create a user pool client (no secret for user-password auth)
export CLIENT_ID=$(aws cognito-idp create-user-pool-client \
	--user-pool-id $POOL_ID \
	--client-name "cc-agentcore-client" \
	--no-generate-secret \
	--explicit-auth-flows "ALLOW_USER_PASSWORD_AUTH" "ALLOW_REFRESH_TOKEN_AUTH" \
	--region us-east-1 \
	--query 'UserPoolClient.ClientId' \
	--output text)

echo "Client ID: $CLIENT_ID"
echo "Discovery URL: https://cognito-idp.us-east-1.amazonaws.com/$POOL_ID/.well-known/openid-configuration"

Step 2: (Optional) Create a test user

# Create a test user
aws cognito-idp admin-create-user \
	--user-pool-id $POOL_ID \
	--username "testuser" \
	--region us-east-1 \
	--message-action SUPPRESS

# Set a permanent password
aws cognito-idp admin-set-user-password \
	--user-pool-id $POOL_ID \
	--username "testuser" \
	--password "TestPassword123!" \
	--region us-east-1 \
	--permanent

Step 3: Configure the runtime with the Cognito JWT authorizer

01 Run update-agent-runtime command (OSX/Linux/UNIX) to configure the Amazon Bedrock AgentCore runtime identified in the Audit section with the Cognito user pool as the JWT identity provider. Replace the --agent-runtime-artifact, --role-arn, and --network-configuration parameter values with the existing configuration values from your runtime: 

aws bedrock-agentcore-control update-agent-runtime \
	--region us-east-1 \
	--agent-runtime-id cc_agentcore_runtime-aBcDeFgHiJ \
	--agent-runtime-artifact '{"containerConfiguration":{"containerUri":"123456789012.dkr.ecr.us-east-1.amazonaws.com/cc-ai-agent:latest"}}' \
	--role-arn arn:aws:iam::123456789012:role/cc-agentcore-runtime-role \
	--network-configuration '{"networkMode":"PUBLIC"}' \
	--authorizer-configuration "{\"customJWTAuthorizer\":{\"discoveryUrl\":\"https://cognito-idp.us-east-1.amazonaws.com/$POOL_ID/.well-known/openid-configuration\",\"allowedClients\":[\"$CLIENT_ID\"]}}"

02 The command output should return the updated AgentCore runtime information: 

{
	"agentRuntimeArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/cc_agentcore_runtime-aBcDeFgHiJ",
	"agentRuntimeId": "cc_agentcore_runtime-aBcDeFgHiJ",
	"agentRuntimeVersion": "2",
	"createdAt": "2026-01-15T10:30:00Z",
	"lastUpdatedAt": "2026-03-13T14:20:00Z",
	"status": "UPDATING"
}

03 To verify the runtime now accepts JWT tokens, obtain a bearer token from Cognito and invoke the runtime using the Authorization: Bearer <token> header: 

# Obtain a bearer token for the test user
export TOKEN=$(aws cognito-idp initiate-auth \
	--client-id "$CLIENT_ID" \
	--auth-flow USER_PASSWORD_AUTH \
	--auth-parameters USERNAME='testuser',PASSWORD='TestPassword123!' \
	--region us-east-1 \
	--query 'AuthenticationResult.AccessToken' \
	--output text)

echo "Bearer token acquired. Token preview: ${TOKEN:0:50}..."

04 Repeat steps 1 and 2 of Step 3 for each AgentCore runtime that does not have authorization configured, available in the selected AWS region.

05 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Mar 17, 2026

Related BedrockAgentCore rules