---
layout: default
title: Security
nav_order: 5
description: Security considerations and best practices for the AgentCore Gateway User Federation sample
---
This is an educational project demonstrating cloud-native security patterns.

This project implements the following security standards for learning purposes:

- OAuth 2.0 with Authorization Code + PKCE flow
- Okta as Identity Provider (IdP)
- JWT tokens with RS256 signature
- JWT signature verification using Okta JWKS
- Token expiration validation
- Audience and issuer verification
- JWKS caching (1 hour TTL)
- CORS restricted to specific origins
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options)
- Bearer token authentication on all protected endpoints
- No secrets in source code
- Environment variables for configuration
- Mock database (no real user data)
- User JWT forwarded through AgentCore
- Same access controls for agent and direct API calls
- User identity preserved in audit logs

Related AWS guidance:

- AWS Security Best Practices
- AWS Well-Architected Framework - Security Pillar
- IAM Best Practices
- AWS Lambda Security
- API Gateway Security