
feat: token exchange example with real setup with different client id…#1234

Merged
EashanKaushik merged 1 commit intoawslabs:mainfrom
massi-ang:feat/lambda_interceptors_real
Apr 1, 2026

Conversation

@massi-ang (Contributor)

Token exchange example via Gateway Interceptor with realistic setup and terraform IaC that uses different client_ids to authenticate calls to AgentCore Gateway and API Gateway.

Amazon Bedrock AgentCore Samples Pull Request

Important

  1. We strictly follow an issue-first approach; please first open an issue relating to this Pull Request.
  2. Once this Pull Request is ready for review, please attach the review ready label to it. Only PRs with review ready will be reviewed.

Issue number: #1233

Concise description of the PR

The current example does not show the correct header propagation, and requires Jupyter notebooks to deploy the solution, which is not something developers use. This use case is not aimed at data scientists.

User experience

Please share what the user experience looks like before and after this change

Before: need to use a Jupyter Notebook to deploy the infrastructure, which is not a familiar tool for backend and full-stack developers. Token propagation is faked and the new token is sent as part of the payload instead of being sent in an auth header and used correctly.

After: use Terraform for IaC, which is the most widely used IaC tool among our customers. Correctly propagates the token in the Authorization header to the target and shows the full e2e auth flow.

Checklist

If an item doesn't apply to your change, please leave it unchecked.

  • I have reviewed the contributing guidelines
  • Add your name to CONTRIBUTORS.md
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Are you uploading a dataset?
  • Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and Clean Up steps in your example README?
  • I agree to resolve any issues created for this example in the future.
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

…s to authenticate calls to AgentCore Gateway and API Gateway
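The flow the PR description calls for (the interceptor obtains its own token for the downstream API with a separate client_id, then forwards it in the Authorization header rather than in the payload) as an added example; this is not the PR's interceptor code. It uses the Cognito client_credentials grant (Basic client authentication, form-encoded body, resource-server scopes) and the environment variable names from the PR's Terraform; the event shape `{"headers": ..., "body": ...}` is an assumption, not the AgentCore Gateway interceptor contract, and the credentials and fake token endpoint are constructed so the code runs offline. It also shows the logging discipline the scan findings ask about: only the status code is logged, never the token or response body.

```python
import base64
import json
import logging
import os
import re
import urllib.parse
import urllib.request

logger = logging.getLogger(__name__)

# Variable names come from the PR's lambda.tf; the values are constructed for
# the offline run and would normally be read from the Lambda environment.
DEFAULT_CONFIG = {
    "DOWNSTREAM_CLIENT_ID": "downstream-client-id-constructed",
    "DOWNSTREAM_CLIENT_SECRET": "downstream-client-secret-constructed",
    "COGNITO_DOMAIN": "example-domain.auth.us-east-1.amazoncognito.com",
    "RESOURCE_SERVER_ID": "posts-api",
}


def load_config(env=None):
    """Read the interceptor configuration from the environment (or a dict)."""
    env = os.environ if env is None else env
    return {k: env.get(k, DEFAULT_CONFIG[k]) for k in DEFAULT_CONFIG}


def build_token_request(cfg):
    """Build the Cognito client_credentials request for the downstream client.

    Client authentication is a Basic header over client_id:client_secret; the
    scopes are the resource-server scopes the API Gateway authorizer checks.
    """
    creds = f"{cfg['DOWNSTREAM_CLIENT_ID']}:{cfg['DOWNSTREAM_CLIENT_SECRET']}"
    rs = cfg["RESOURCE_SERVER_ID"]
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": f"{rs}/read {rs}/write",
    })
    return {
        "url": f"https://{cfg['COGNITO_DOMAIN']}/oauth2/token",
        "headers": {
            "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


def _http_post(url, headers, body):
    """Default transport: a real HTTPS POST (not used in the offline run)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode()


def fake_token_endpoint(url, headers, body):
    """Constructed stand-in for Cognito's /oauth2/token: accepts only the
    constructed downstream credentials, like a real client_credentials grant."""
    expected = build_token_request(DEFAULT_CONFIG)["headers"]["Authorization"]
    if headers.get("Authorization") != expected or "grant_type=client_credentials" not in body:
        return 401, '{"error": "invalid_client"}'
    return 200, '{"access_token": "downstream-token", "token_type": "Bearer", "expires_in": 3600}'


def exchange_token(cfg, http_post=_http_post):
    """Obtain the downstream access token, or None on failure."""
    req = build_token_request(cfg)
    status, text = http_post(req["url"], req["headers"], req["body"])
    if status != 200:
        # Only the status is logged: the response body or request could carry
        # credentials, and the token itself must never reach the log.
        logger.error("Token exchange failed with status %s", status)
        return None
    return json.loads(text).get("access_token")


def propagate_token(event, access_token):
    """Outbound request with the exchanged token in the Authorization header.

    The inbound AgentCore Gateway token is dropped rather than forwarded, and
    the body is passed through untouched: the token is not placed in the
    payload, which is the behaviour the PR description replaces.
    """
    headers = {k: v for k, v in event.get("headers", {}).items()
               if k.lower() != "authorization"}
    headers["Authorization"] = f"Bearer {access_token}"
    return {"headers": headers, "body": event.get("body")}


_BEARER = re.compile(r"(?i)bearer\s+\S+")


def redact(message):
    """Mask bearer tokens in any string that is about to be logged."""
    return _BEARER.sub("Bearer [REDACTED]", message)


def lambda_handler(event, context=None, http_post=_http_post):
    """Assumed interceptor entry point over the assumed event shape."""
    token = exchange_token(load_config(), http_post=http_post)
    if token is None:
        return {"statusCode": 502, "body": "token exchange failed"}
    return propagate_token(event, token)


if __name__ == "__main__":
    # Constructed inbound request; the fake endpoint keeps the run offline.
    inbound = {"headers": {"Authorization": "Bearer inbound-gateway-token",
                           "Content-Type": "application/json"},
               "body": '{"title": "hello", "body": "world", "userId": 1}'}
    print(redact(json.dumps(lambda_handler(inbound, http_post=fake_token_endpoint))))
```

Injecting the transport (`http_post`) is what makes the exchange testable without a Cognito user pool; in the deployed function the default `_http_post` is used and the fake endpoint is never wired in.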
@github-actions github-actions bot added 01-tutorials 01-tutorials 02-AgentCore-gateway 01-tutorials/02-AgentCore-gateway labels Apr 1, 2026
github-actions bot commented Apr 1, 2026

Latest scan for commit: 6aed4ab | Updated: 2026-04-01 16:10:02 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-04-01T16:09:45+00:00
  • ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold
Scanner         S  C   H  M  L  I  Time    Action  Result   Thresh
bandit          0  0   0  0  4  0  774ms   0       PASSED   MED (g)
cdk-nag         0  0   0  0  0  0  33.3s   0       PASSED   MED (g)
cfn-nag         0  0   0  0  0  0  4ms     0       PASSED   MED (g)
checkov         0  21  0  0  0  0  7.0s    21      FAILED   MED (g)
detect-secrets  0  1   0  0  0  0  743ms   1       FAILED   MED (g)
grype           0  0   0  0  0  0  40.1s   0       PASSED   MED (g)
npm-audit       0  0   0  0  0  0  166ms   0       PASSED   MED (g)
opengrep        0  0   0  0  0  0  <1ms    0       SKIPPED  MED (g)
semgrep         0  5   0  0  0  0  17.6s   5       FAILED   MED (g)
syft            0  0   0  0  0  0  2.1s    0       PASSED   MED (g)

Detailed Findings

Show 27 actionable findings

Finding 1: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/agentcore.tf:7

Description:
Secret of type 'Secret Keyword' detected in file '01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/agentcore.tf' at line 7

Code Snippet:

Secret of type Secret Keyword detected

Finding 2: CKV_AWS_355

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_355
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/agentcore.tf:31-43

Description:
Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions

Code Snippet:

resource "aws_iam_role_policy" "gateway_lambda_invoke" {
  name = "LambdaInvokePolicy"
  role = aws_iam_role.gateway.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["lambda:InvokeAsync", "lambda:InvokeFunction"]
      Resource = "*"
    }]
  })
}

Finding 3: CKV_AWS_290

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_290
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/agentcore.tf:31-43

Description:
Ensure IAM policies does not allow write access without constraints

Code Snippet:

resource "aws_iam_role_policy" "gateway_lambda_invoke" {
  name = "LambdaInvokePolicy"
  role = aws_iam_role.gateway.name

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["lambda:InvokeAsync", "lambda:InvokeFunction"]
      Resource = "*"
    }]
  })
}

Finding 4: CKV_AWS_237

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_237
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/apigateway.tf:5-67

Description:
Ensure Create before destroy for API Gateway

Code Snippet:

resource "aws_api_gateway_rest_api" "this" {
  name        = "Posts API ${local.suffix}"
  description = "Posts API with Cognito JWT authentication"

  body = jsonencode({
    openapi = "3.0.1"
    info = {
      title       = "Posts API ${local.suffix}"
      version     = "1.0.0"
      description = "Posts API authenticated via Cognito JWT"
    }
    components = {
      securitySchemes = {
        CognitoAuth = {
          type                              = "apiKey"
          name                              = "Authorization"
          in                                = "header"
          "x-amazon-apigateway-authtype"    = "cognito_user_pools"
          "x-amazon-apigateway-authorizer"  = {
            type         = "cognito_user_pools"
            providerARNs = [aws_cognito_user_pool.this.arn]
          }
        }
      }
      schemas = local.schemas
    }
    paths = {
      "/posts" = {
        post = {
          summary     = "Create a new post"
          operationId = "createPost"
          security    = [{ CognitoAuth = [
            "${local.resource_server_id}/read",
            "${local.resource_server_id}/write",
          ] }]
          requestBody = local.create_post_request_body
          responses   = local.create_post_responses
          "x-amazon-apigateway-integration" = {
            type = "mock"
            requestTemplates = {
              "application/json" = "{\"statusCode\": 201}"
            }
            responses = {
              default = {
                statusCode = "201"
                responseTemplates = {
                  "application/json" = jsonencode({
                    id     = 42
                    title  = "$input.path('$.title')"
                    body   = "$input.path('$.body')"
                    userId = "$input.path('$.userId')"
                  })
                }
              }
            }
          }
        }
      }
    }
  })

  depends_on = [aws_cognito_user_pool_domain.this]
}

Finding 5: CKV_AWS_120

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_120
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/apigateway.tf:83-88

Description:
Ensure API Gateway caching is enabled

Code Snippet:

resource "aws_api_gateway_stage" "prod" {
  deployment_id = aws_api_gateway_deployment.this.id
  rest_api_id   = aws_api_gateway_rest_api.this.id
  stage_name    = "prod"
  description   = "Production deployment - ${local.suffix}"
}

Finding 6: CKV_AWS_73

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_73
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/apigateway.tf:83-88

Description:
Ensure API Gateway has X-Ray Tracing enabled

Code Snippet:

resource "aws_api_gateway_stage" "prod" {
  deployment_id = aws_api_gateway_deployment.this.id
  rest_api_id   = aws_api_gateway_rest_api.this.id
  stage_name    = "prod"
  description   = "Production deployment - ${local.suffix}"
}

Finding 7: CKV_AWS_76

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_76
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/apigateway.tf:83-88

Description:
Ensure API Gateway has Access Logging enabled

Code Snippet:

resource "aws_api_gateway_stage" "prod" {
  deployment_id = aws_api_gateway_deployment.this.id
  rest_api_id   = aws_api_gateway_rest_api.this.id
  stage_name    = "prod"
  description   = "Production deployment - ${local.suffix}"
}

Finding 8: CKV_AWS_117

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_117
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:32-40

Description:
Ensure that AWS Lambda function is configured inside a VPC

Code Snippet:

resource "aws_lambda_function" "pre_token_generation" {
  function_name    = "pre-token-generation-${local.suffix}"
  description      = "Pre Token Generation Lambda for Cognito User Pool"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.pre_token_lambda.arn
  filename         = data.archive_file.pre_token_generation.output_path
  source_code_hash = data.archive_file.pre_token_generation.output_base64sha256
}

Finding 9: CKV_AWS_50

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_50
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:32-40

Description:
X-Ray tracing is enabled for Lambda

Code Snippet:

resource "aws_lambda_function" "pre_token_generation" {
  function_name    = "pre-token-generation-${local.suffix}"
  description      = "Pre Token Generation Lambda for Cognito User Pool"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.pre_token_lambda.arn
  filename         = data.archive_file.pre_token_generation.output_path
  source_code_hash = data.archive_file.pre_token_generation.output_base64sha256
}

Finding 10: CKV_AWS_116

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_116
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:32-40

Description:
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)

Code Snippet:

resource "aws_lambda_function" "pre_token_generation" {
  function_name    = "pre-token-generation-${local.suffix}"
  description      = "Pre Token Generation Lambda for Cognito User Pool"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.pre_token_lambda.arn
  filename         = data.archive_file.pre_token_generation.output_path
  source_code_hash = data.archive_file.pre_token_generation.output_base64sha256
}

Finding 11: CKV_AWS_115

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_115
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:32-40

Description:
Ensure that AWS Lambda function is configured for function-level concurrent execution limit

Code Snippet:

resource "aws_lambda_function" "pre_token_generation" {
  function_name    = "pre-token-generation-${local.suffix}"
  description      = "Pre Token Generation Lambda for Cognito User Pool"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.pre_token_lambda.arn
  filename         = data.archive_file.pre_token_generation.output_path
  source_code_hash = data.archive_file.pre_token_generation.output_base64sha256
}

Finding 12: CKV_AWS_272

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_272
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:32-40

Description:
Ensure AWS Lambda function is configured to validate code-signing

Code Snippet:

resource "aws_lambda_function" "pre_token_generation" {
  function_name    = "pre-token-generation-${local.suffix}"
  description      = "Pre Token Generation Lambda for Cognito User Pool"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.pre_token_lambda.arn
  filename         = data.archive_file.pre_token_generation.output_path
  source_code_hash = data.archive_file.pre_token_generation.output_base64sha256
}

Finding 13: CKV_AWS_117

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_117
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:82-101

Description:
Ensure that AWS Lambda function is configured inside a VPC

Code Snippet:

resource "aws_lambda_function" "gateway_interceptor" {
  function_name    = "gateway-interceptor-${local.suffix}"
  description      = "Gateway Interceptor for AgentCore Gateway"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.interceptor_lambda.arn
  filename         = data.archive_file.gateway_interceptor.output_path
  source_code_hash = data.archive_file.gateway_interceptor.output_base64sha256

  environment {
    variables = {
      DOWNSTREAM_CLIENT_ID     = aws_cognito_user_pool_client.downstream.id
      DOWNSTREAM_CLIENT_SECRET = aws_cognito_user_pool_client.downstream.client_secret
      COGNITO_DOMAIN           = "${local.cognito_domain}.auth.${local.region}.amazoncognito.com"
      RESOURCE_SERVER_ID       = local.resource_server_id
    }
  }

  depends_on = [aws_cognito_user_pool_domain.this]
}

Finding 14: CKV_AWS_173

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_173
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:82-101

Description:
Check encryption settings for Lambda environmental variable

Code Snippet:

resource "aws_lambda_function" "gateway_interceptor" {
  function_name    = "gateway-interceptor-${local.suffix}"
  description      = "Gateway Interceptor for AgentCore Gateway"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.interceptor_lambda.arn
  filename         = data.archive_file.gateway_interceptor.output_path
  source_code_hash = data.archive_file.gateway_interceptor.output_base64sha256

  environment {
    variables = {
      DOWNSTREAM_CLIENT_ID     = aws_cognito_user_pool_client.downstream.id
      DOWNSTREAM_CLIENT_SECRET = aws_cognito_user_pool_client.downstream.client_secret
      COGNITO_DOMAIN           = "${local.cognito_domain}.auth.${local.region}.amazoncognito.com"
      RESOURCE_SERVER_ID       = local.resource_server_id
    }
  }

  depends_on = [aws_cognito_user_pool_domain.this]
}

Finding 15: CKV_AWS_50

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_50
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:82-101

Description:
X-Ray tracing is enabled for Lambda

Code Snippet:

resource "aws_lambda_function" "gateway_interceptor" {
  function_name    = "gateway-interceptor-${local.suffix}"
  description      = "Gateway Interceptor for AgentCore Gateway"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.interceptor_lambda.arn
  filename         = data.archive_file.gateway_interceptor.output_path
  source_code_hash = data.archive_file.gateway_interceptor.output_base64sha256

  environment {
    variables = {
      DOWNSTREAM_CLIENT_ID     = aws_cognito_user_pool_client.downstream.id
      DOWNSTREAM_CLIENT_SECRET = aws_cognito_user_pool_client.downstream.client_secret
      COGNITO_DOMAIN           = "${local.cognito_domain}.auth.${local.region}.amazoncognito.com"
      RESOURCE_SERVER_ID       = local.resource_server_id
    }
  }

  depends_on = [aws_cognito_user_pool_domain.this]
}

Finding 16: CKV_AWS_116

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_116
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:82-101

Description:
Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)

Code Snippet:

resource "aws_lambda_function" "gateway_interceptor" {
  function_name    = "gateway-interceptor-${local.suffix}"
  description      = "Gateway Interceptor for AgentCore Gateway"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.interceptor_lambda.arn
  filename         = data.archive_file.gateway_interceptor.output_path
  source_code_hash = data.archive_file.gateway_interceptor.output_base64sha256

  environment {
    variables = {
      DOWNSTREAM_CLIENT_ID     = aws_cognito_user_pool_client.downstream.id
      DOWNSTREAM_CLIENT_SECRET = aws_cognito_user_pool_client.downstream.client_secret
      COGNITO_DOMAIN           = "${local.cognito_domain}.auth.${local.region}.amazoncognito.com"
      RESOURCE_SERVER_ID       = local.resource_server_id
    }
  }

  depends_on = [aws_cognito_user_pool_domain.this]
}

Finding 17: CKV_AWS_115

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_115
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:82-101

Description:
Ensure that AWS Lambda function is configured for function-level concurrent execution limit

Code Snippet:

resource "aws_lambda_function" "gateway_interceptor" {
  function_name    = "gateway-interceptor-${local.suffix}"
  description      = "Gateway Interceptor for AgentCore Gateway"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.interceptor_lambda.arn
  filename         = data.archive_file.gateway_interceptor.output_path
  source_code_hash = data.archive_file.gateway_interceptor.output_base64sha256

  environment {
    variables = {
      DOWNSTREAM_CLIENT_ID     = aws_cognito_user_pool_client.downstream.id
      DOWNSTREAM_CLIENT_SECRET = aws_cognito_user_pool_client.downstream.client_secret
      COGNITO_DOMAIN           = "${local.cognito_domain}.auth.${local.region}.amazoncognito.com"
      RESOURCE_SERVER_ID       = local.resource_server_id
    }
  }

  depends_on = [aws_cognito_user_pool_domain.this]
}

Finding 18: CKV_AWS_272

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_272
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:82-101

Description:
Ensure AWS Lambda function is configured to validate code-signing

Code Snippet:

resource "aws_lambda_function" "gateway_interceptor" {
  function_name    = "gateway-interceptor-${local.suffix}"
  description      = "Gateway Interceptor for AgentCore Gateway"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.interceptor_lambda.arn
  filename         = data.archive_file.gateway_interceptor.output_path
  source_code_hash = data.archive_file.gateway_interceptor.output_base64sha256

  environment {
    variables = {
      DOWNSTREAM_CLIENT_ID     = aws_cognito_user_pool_client.downstream.id
      DOWNSTREAM_CLIENT_SECRET = aws_cognito_user_pool_client.downstream.client_secret
      COGNITO_DOMAIN           = "${local.cognito_domain}.auth.${local.region}.amazoncognito.com"
      RESOURCE_SERVER_ID       = local.resource_server_id
    }
  }

  depends_on = [aws_cognito_user_pool_domain.this]
}

Finding 19: CKV2_AWS_4

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_AWS_4
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/apigateway.tf:83-88

Description:
Ensure API Gateway stage have logging level defined as appropriate

Code Snippet:

resource "aws_api_gateway_stage" "prod" {
  deployment_id = aws_api_gateway_deployment.this.id
  rest_api_id   = aws_api_gateway_rest_api.this.id
  stage_name    = "prod"
  description   = "Production deployment - ${local.suffix}"
}

Finding 20: CKV2_AWS_51

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_AWS_51
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/apigateway.tf:83-88

Description:
Ensure AWS API Gateway endpoints uses client certificate authentication

Code Snippet:

resource "aws_api_gateway_stage" "prod" {
  deployment_id = aws_api_gateway_deployment.this.id
  rest_api_id   = aws_api_gateway_rest_api.this.id
  stage_name    = "prod"
  description   = "Production deployment - ${local.suffix}"
}

Finding 21: CKV2_AWS_29

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV2_AWS_29
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/apigateway.tf:83-88

Description:
Ensure public API gateway are protected by WAF

Code Snippet:

resource "aws_api_gateway_stage" "prod" {
  deployment_id = aws_api_gateway_deployment.this.id
  rest_api_id   = aws_api_gateway_rest_api.this.id
  stage_name    = "prod"
  description   = "Production deployment - ${local.suffix}"
}

Finding 22: CKV_SECRET_6

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_SECRET_6
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/agentcore.tf:7-8

Description:
Base64 High Entropy String

Code Snippet:

api_key = "placeh**********"

Finding 23: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:32-40

Description:
The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.

Code Snippet:

resource "aws_lambda_function" "pre_token_generation" {
  function_name    = "pre-token-generation-${local.suffix}"
  description      = "Pre Token Generation Lambda for Cognito User Pool"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.pre_token_lambda.arn
  filename         = data.archive_file.pre_token_generation.output_path
  source_code_hash = data.archive_file.pre_token_generation.output_base64sha256
}

Finding 24: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:82-101

Description:
The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.

Code Snippet:

resource "aws_lambda_function" "gateway_interceptor" {
  function_name    = "gateway-interceptor-${local.suffix}"
  description      = "Gateway Interceptor for AgentCore Gateway"
  runtime          = "python3.13"
  handler          = "lambda_function.lambda_handler"
  role             = aws_iam_role.interceptor_lambda.arn
  filename         = data.archive_file.gateway_interceptor.output_path
  source_code_hash = data.archive_file.gateway_interceptor.output_base64sha256

  environment {
    variables = {
      DOWNSTREAM_CLIENT_ID     = aws_cognito_user_pool_client.downstream.id
      DOWNSTREAM_CLIENT_SECRET = aws_cognito_user_pool_client.downstream.client_secret
      COGNITO_DOMAIN           = "${local.cognito_domain}.auth.${local.region}.amazoncognito.com"
      RESOURCE_SERVER_ID       = local.resource_server_id
    }
  }

  depends_on = [aws_cognito_user_pool_domain.this]
}

Finding 25: terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda.tf:91-98

Description:
By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.

Code Snippet:

  environment {
    variables = {
      DOWNSTREAM_CLIENT_ID     = aws_cognito_user_pool_client.downstream.id
      DOWNSTREAM_CLIENT_SECRET = aws_cognito_user_pool_client.downstream.client_secret
      COGNITO_DOMAIN           = "${local.cognito_domain}.auth.${local.region}.amazoncognito.com"
      RESOURCE_SERVER_ID       = local.resource_server_id
    }
  }

Finding 26: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda_src/gateway_interceptor/lambda_function.py:64

Description:
Detected a python logger call with a potential hardcoded secret "Token exchange failed with status %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.

Code Snippet:

logger.error("Token exchange failed with status %s", response.status)

Finding 27: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure

  • Severity: HIGH
  • Scanner: semgrep
  • Rule ID: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure
  • Location: 01-tutorials/02-AgentCore-gateway/14-token-exchange-at-request-interceptor/terraform/lambda_src/gateway_interceptor/lambda_function.py:66

Description:
Detected a python logger call with a potential hardcoded secret "Token exchange error: %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.

Code Snippet:

logger.error("Token exchange error: %s", str(e))

Report generated by Automated Security Helper (ASH) at 2026-04-01T16:09:39+00:00

@EashanKaushik EashanKaushik merged commit 465d80e into awslabs:main Apr 1, 2026
7 of 8 checks passed