* fix: resolve cfn-nag failures in CloudFormation templates

  - customer_support_lambda.yaml: add cfn_nag suppression metadata (F3, F38, W11) to GatewayAgentCoreRole; wildcard policy is intentional for this tutorial sample
  - bearer-token-injection/cognito.yaml: MfaConfiguration OFF -> OPTIONAL
  - strands-agents/cognito.yaml: MfaConfiguration OFF -> OPTIONAL
  - typescript_mastra/github-source.yaml: fix YAML indentation on ImageScanningConfiguration (was at col 0, causing parse error)
  - java_adk/github-source.yaml: same YAML indentation fix

  Fixes 6 cfn-nag failures (F3, F38 x1, F78 x2, FATAL x2) across 5 templates.

* fix: correct agentcore-map.png image path in 01-features README

* fix: resolve cdk-nag warnings across features and workshops

* chore: add cfn-nag suppression metadata to 12 CloudFormation templates

  Adds cfn_nag rules_to_suppress Metadata blocks to suppress expected warnings in tutorial/demo templates:

  - W60 (VPC flow logs): 10 templates — demo VPCs don't require flow logs
  - W33 (MapPublicIpOnLaunch): 8 templates — public subnets need auto-IP for tutorial accessibility
  - W40/W5 (SG open egress/ingress): 8 templates — intentional open egress in AgentCore SGs and browser-firewall SGs (filtered by Network Firewall); broad rules in demo ALB/web server SGs
  - W2/W9 (SG SSH from 0.0.0.0/0): 2 templates — development EC2 instances use SSM but SSH open for tutorial convenience
  - W56 (ALB HTTP listener): cluster.yaml — demo uses HTTP; HTTPS requires ACM certificate
  - W59 (API Gateway no auth): infrastructure_all.yaml — AgentCore Gateway handles authentication upstream

  Files modified (12):

  - 01-features/.../01-claude-code-with-s3-files/cfn-vpc.yaml
  - 01-features/.../02-claude-code-with-efs/cfn-vpc.yaml
  - 01-features/.../05-domain-filtering/agentcore-browser-firewall.yaml
  - 03-integrations/.../common/01-network.yaml
  - 03-integrations/.../ecs/cluster.yaml
  - 06-workshops/.../01-claude-code-with-s3-files/cfn-vpc.yaml
  - 06-workshops/.../02-claude-code-with-efs/cfn-vpc.yaml
  - 06-workshops/.../07-bearer-token-injection/.../infrastructure_all.yaml
  - 06-workshops/.../07-connecting-public-browser-.../cfn-browser.yaml
  - 06-workshops/.../08-Interacting-with-vpc-.../cfn-vpc-browser.yaml
  - 06-workshops/.../09-browser-with-domain-filtering/agentcore-browser-firewall.yaml
  - 06-workshops/.../11-browser-with-proxy/agentcore-browser-proxy.yaml

* fix: move suppression comments after Python syntax tokens

  Misplaced # pragma: allowlist secret comments were placed before trailing commas and closing braces, causing those tokens to be treated as comment text rather than Python syntax. Moved all commas and closing brace/comma sequences before the comment in 21 files, resolving all ruff invalid-syntax errors reported by CI.

* fix: restore missing Python files in 04-entra-obo-mcp-runtime

* style: apply ruff formatting to all PR-touched Python files

* style: apply ruff formatting to pre-existing unformatted Python files

  12 files with pre-existing formatting issues were surfaced by the CI ruff format check because they appear in this PR's changed-files list. Applied ruff format to bring them into compliance.
📚 Amazon Bedrock AgentCore Tutorials
This folder contains hands-on tutorials for building, deploying, and managing AI agents with Amazon Bedrock AgentCore.
AgentCore services work independently or together, with any agentic framework (Strands Agents, LangChain, LangGraph, CrewAI, etc.) and any model.
Prerequisites
- An AWS account with Amazon Bedrock access
- Python 3.10+ and Jupyter Notebook (or JupyterLab)
- AWS CLI configured with appropriate credentials
- Basic familiarity with AI agents and AWS services
Tutorials
01 - Runtime
Deploy and scale AI agents on a secure, serverless runtime -- regardless of framework, protocol, or model. Covers hosting agents, MCP servers, A2A, and bi-directional streaming. (Docs · Deep Dive Video)
02 - Gateway
Turn APIs, Lambda functions, and existing services into MCP-compatible tools without managing integrations. Includes examples for auth, access control, sensitive data masking, and more. (Docs · Deep Dive Video)
03 - Identity
Manage agent identity and access across AWS services and third-party apps (Slack, Zoom) using standard identity providers (Okta, Entra, Cognito). Covers inbound auth, outbound auth, and 3LO flows. (Docs · Deep Dive Video)
04 - Memory
Add fully managed memory to your agents for personalized experiences. Explore short-term memory, long-term memory, branching, and security patterns. (Docs · Deep Dive Video)
05 - Tools
Use AgentCore's built-in tools: Code Interpreter for secure code execution, and Browser Tool for web navigation and form completion. (Code Interpreter Docs · Browser Tool Docs · Deep Dive Video)
06 - Observability
Trace, debug, and monitor agent performance with OpenTelemetry-compatible telemetry. Works for agents hosted on Runtime, self-hosted agents, Lambda-based agents, and EKS-hosted agents. (Docs · Deep Dive Video)
07 - Evaluations
Assess agent quality with built-in and custom evaluators across dimensions like correctness, helpfulness, and safety. Includes creating evaluators, running evaluations, and using results. (Docs · Deep Dive Video)
08 - Policy
Define and enforce security controls using Cedar language policies to prevent data leakage and authority overreach. Covers natural language policy authoring and fine-grained access control. (Docs · Deep Dive Video)
09 - End-to-End Workshop
Build a complete agent step by step, combining Runtime, Gateway, Identity, Memory, and more into a production-ready solution. (Deep Dive Video)
Where to Start
- New to AgentCore? Start with 01 - Runtime and work through the tutorials in order.
- Looking for a specific capability? Jump directly to any tutorial -- each one is self-contained.
- Want the full picture? The End-to-End Workshop ties all the components together.
Resources
- Amazon Bedrock AgentCore Documentation -- Official developer guide and API reference
- AgentCore Deep Dives Playlist -- Video playlist covering each component in detail
