Skip to content

Feature/cfn samples mcp server #464

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
Oct 14, 2025
Merged

Feature/cfn samples mcp server #464

merged 13 commits into from
Oct 14, 2025

Conversation

@omrsamer
Copy link
Contributor

@omrsamer omrsamer commented Oct 10, 2025
edited
Loading

Amazon Bedrock AgentCore Samples Pull Request

Important

  1. We strictly follow a issue-first approach, please first open an issue relating to this Pull Request.
  2. Once this Pull Request is ready for review please attach review ready label to it. Only PRs with review ready will be reviewed.

Issue number:

Concise description of the PR

Adding CFN ready to go templates for MCP on AgentCore Runtime.

User experience

Please share what the user experience looks like before and after this change

Checklist

If your change doesn't seem to apply, please leave them unchecked.

  • I have reviewed the contributing guidelines
  • Add your name to CONTRIBUTORS.md
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Are you uploading a dataset?
  • Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and Clean Up steps in your example README?
  • I agree to resolve any issues created for this example in the future.
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

@omrsamer
Add CloudFormation samples for MCP Server on AgentCore Runtime
e35652a 
- Created 04-cfn-samples/ directory with production-ready CloudFormation templates
- Added mcp-server-agentcore-runtime sample with:
  - Complete CloudFormation template (mcp-server-template.yaml)
  - Automated deployment scripts (deploy.sh, test.sh, cleanup.sh)
  - Authentication helper (get_token.py)
  - MCP client test script (test_mcp_server.py)
  - Comprehensive documentation (README.md, DETAILED_GUIDE.md)
- Features:
  - One-command deployment with automated Docker image building
  - JWT authentication via Cognito
  - ARM64 Docker images built via CodeBuild
  - Three sample MCP tools (add_numbers, multiply_numbers, greet_user)
  - Least-privilege IAM roles
  - Complete troubleshooting guide
@omrsamer
Add omrsamer to CONTRIBUTORS.md
cf963ea
@omrsamer
Add three additional CloudFormation samples
8a4e3d0 
- Added basic-runtime: Simple agent without tools or memory
- Added multi-agent-runtime: Two-agent system with orchestrator and specialist
- Added weather-agent-runtime: Complete agent with browser, code interpreter, and memory
- Updated main README with all four samples and comprehensive documentation
@omrsamer
Add deployment and cleanup scripts for all CFN samples
dfe5b5e 
- Added deploy.sh and cleanup.sh for basic-runtime
- Added deploy.sh and cleanup.sh for multi-agent-runtime
- Added deploy.sh and cleanup.sh for weather-agent-runtime
- All scripts are executable and follow the same pattern as mcp-server-agentcore-runtime
- Scripts include proper error handling and user-friendly output
@omrsamer
Merge upstream/main and resolve CONTRIBUTORS.md conflict
3db0623
@github-actions
Copy link

github-actions bot commented Oct 13, 2025
edited
Loading

Latest scan for commit: 7c229b5 | Updated: 2025-10-14 13:18:23 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2025-10-14T13:18:12+00:00
  • ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold
Scanner S C H M L I Time Action Result Thresh
bandit 0 0 0 0 0 0 705ms 0 PASSED MED (g)
cdk-nag 0 44 0 1 0 19 30.6s 45 FAILED MED (g)
cfn-nag 0 0 0 48 0 0 3.2s 48 FAILED MED (g)
checkov 0 45 0 0 0 0 8.0s 45 FAILED MED (g)
detect-secr… 0 3 0 0 0 0 1.5s 3 FAILED MED (g)
grype 0 0 0 0 0 0 29.3s 0 PASSED MED (g)
npm-audit 0 0 0 0 0 0 175ms 0 PASSED MED (g)
opengrep 0 0 0 0 0 0 <1ms 0 SKIPPED MED (g)
semgrep 0 0 0 0 0 0 14.6s 0 PASSED MED (g)
syft 0 0 0 0 0 0 2.4s 0 PASSED MED (g)

Detailed Findings

Show 141 actionable findings

Finding 1: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:129

Description:
Secret of type 'Secret Keyword' detected in file '04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml' at line 129

Code Snippet:

Secret of type Secret Keyword detected

Finding 2: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:460

Description:
Secret of type 'Secret Keyword' detected in file '04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml' at line 460

Code Snippet:

Secret of type Secret Keyword detected

Finding 3: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:149

Description:
Secret of type 'Secret Keyword' detected in file '04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml' at line 149

Code Snippet:

Secret of type Secret Keyword detected

Finding 4: CFN_NAG_W32

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W32
  • Location: 04-infrastructure-as-code/cloudformation/basic-runtime/template.yaml:403

Description:
CodeBuild project should specify an EncryptionKey value

Finding 5: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/basic-runtime/template.yaml:105

Description:
IAM role should not allow * resource on its permissions policy

Finding 6: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/basic-runtime/template.yaml:189

Description:
IAM role should not allow * resource on its permissions policy

Finding 7: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 04-infrastructure-as-code/cloudformation/basic-runtime/template.yaml:285

Description:
Lambda functions should be deployed inside a VPC

Finding 8: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 04-infrastructure-as-code/cloudformation/basic-runtime/template.yaml:285

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions

Finding 9: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/basic-runtime/template.yaml:72

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 10: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/basic-runtime/template.yaml:105

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 11: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/basic-runtime/template.yaml:189

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 12: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/basic-runtime/template.yaml:235

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 13: CFN_NAG_W32

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W32
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:533

Description:
CodeBuild project should specify an EncryptionKey value

Finding 14: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:142

Description:
IAM role should not allow * resource on its permissions policy

Finding 15: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:233

Description:
IAM role should not allow * resource on its permissions policy

Finding 16: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:279

Description:
IAM role should not allow * resource on its permissions policy

Finding 17: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:336

Description:
Lambda functions should be deployed inside a VPC

Finding 18: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:450

Description:
Lambda functions should be deployed inside a VPC

Finding 19: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:336

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions

Finding 20: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:450

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions

Finding 21: CFN_NAG_W51

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W51
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:118

Description:
S3 bucket should likely have a bucket policy

Finding 22: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:86

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 23: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:142

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 24: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:233

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 25: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:279

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 26: CFN_NAG_W35

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W35
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:118

Description:
S3 Bucket should have access logging configured

Finding 27: CFN_NAG_W41

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W41
  • Location: 04-infrastructure-as-code/cloudformation/end-to-end-weather-agent/end-to-end-weather-agent.yaml:118

Description:
S3 Bucket should have encryption option set

Finding 28: CFN_NAG_W32

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W32
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:488

Description:
CodeBuild project should specify an EncryptionKey value

Finding 29: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:157

Description:
IAM role should not allow * resource on its permissions policy

Finding 30: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:226

Description:
IAM role should not allow * resource on its permissions policy

Finding 31: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:314

Description:
Lambda functions should be deployed inside a VPC

Finding 32: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:424

Description:
Lambda functions should be deployed inside a VPC

Finding 33: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:314

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions

Finding 34: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:424

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions

Finding 35: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:72

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 36: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:157

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 37: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:226

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 38: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:272

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 39: CFN_NAG_W32

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W32
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:536

Description:
CodeBuild project should specify an EncryptionKey value

Finding 40: CFN_NAG_W32

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W32
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:677

Description:
CodeBuild project should specify an EncryptionKey value

Finding 41: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:143

Description:
IAM role should not allow * resource on its permissions policy

Finding 42: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:232

Description:
IAM role should not allow * resource on its permissions policy

Finding 43: CFN_NAG_W11

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W11
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:316

Description:
IAM role should not allow * resource on its permissions policy

Finding 44: CFN_NAG_W89

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W89
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:417

Description:
Lambda functions should be deployed inside a VPC

Finding 45: CFN_NAG_W92

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W92
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:417

Description:
Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions

Finding 46: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:82

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 47: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:110

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 48: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:143

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 49: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:232

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 50: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:316

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 51: CFN_NAG_W28

  • Severity: MEDIUM
  • Scanner: cfn-nag
  • Rule ID: CFN_NAG_W28
  • Location: 04-infrastructure-as-code/cloudformation/multi-agent-runtime/template.yaml:363

Description:
Resource found with an explicit name, this disallows updates that require replacement of this resource

Finding 52: CKV_AWS_136

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_136
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:71-97

Description:
Ensure that ECR repositories are encrypted using KMS

Code Snippet:

ECRRepository:
    Type: AWS::ECR::Repository
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      RepositoryName: !Sub "${AWS::StackName}-${ECRRepositoryName}"
      ImageTagMutability: MUTABLE
      EmptyOnDelete: true
      ImageScanningConfiguration:
        ScanOnPush: true
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowPullFromAccount
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action:
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-ecr-repository"
        - Key: StackName
          Value: !Ref AWS::StackName
        - Key: Module
          Value: ECR

Finding 53: CKV_AWS_51

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_51
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:71-97

Description:
Ensure ECR Image Tags are immutable

Code Snippet:

ECRRepository:
    Type: AWS::ECR::Repository
    DeletionPolicy: Delete
    UpdateReplacePolicy: Delete
    Properties:
      RepositoryName: !Sub "${AWS::StackName}-${ECRRepositoryName}"
      ImageTagMutability: MUTABLE
      EmptyOnDelete: true
      ImageScanningConfiguration:
        ScanOnPush: true
      RepositoryPolicyText:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowPullFromAccount
            Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root"
            Action:
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-ecr-repository"
        - Key: StackName
          Value: !Ref AWS::StackName
        - Key: Module
          Value: ECR

Finding 54: CKV_AWS_111

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_111
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:156-222

Description:
Ensure IAM policies does not allow write access without constraints

Code Snippet:

AgentExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-agent-execution-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AssumeRolePolicy
            Effect: Allow
            Principal:
              Service: bedrock-agentcore.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub "arn:aws:bedrock-agentcore:${AWS::Region}:${AWS::AccountId}:*"
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/BedrockAgentCoreFullAccess
      Policies:
        - PolicyName: AgentCoreExecutionPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: ECRImageAccess
                Effect: Allow
                Action:
                  - ecr:BatchGetImage
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchCheckLayerAvailability
                Resource: !GetAtt ECRRepository.Arn
              - Sid: ECRTokenAccess
                Effect: Allow
                Action:
                  - ecr:GetAuthorizationToken
                Resource: "*"
              - Sid: CloudWatchLogs
                Effect: Allow
                Action:
                  - logs:DescribeLogStreams
                  - logs:CreateLogGroup
                  - logs:DescribeLogGroups
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: "*"
              - Sid: XRayTracing
                Effect: Allow
                Action:
                  - xray:PutTraceSegments
                  - xray:PutTelemetryRecords
                  - xray:GetSamplingRules
                  - xray:GetSamplingTargets
                Resource: "*"
              - Sid: CloudWatchMetrics
                Effect: Allow
                Resource: "*"
                Action: cloudwatch:PutMetricData
                Condition:
                  StringEquals:
                    cloudwatch:namespace: bedrock-agentcore
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-agent-execution-role"
        - Key: StackName
          Value: !Ref AWS::StackName
        - Key: Module
          Value: IAM

Finding 55: CKV_AWS_111

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_111
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:225-268

Description:
Ensure IAM policies does not allow write access without constraints

Code Snippet:

CodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-codebuild-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: codebuild.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: CodeBuildPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: CloudWatchLogs
                Effect: Allow
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*"
              - Sid: ECRAccess
                Effect: Allow
                Action:
                  - ecr:BatchCheckLayerAvailability
                  - ecr:GetDownloadUrlForLayer
                  - ecr:BatchGetImage
                  - ecr:GetAuthorizationToken
                  - ecr:PutImage
                  - ecr:InitiateLayerUpload
                  - ecr:UploadLayerPart
                  - ecr:CompleteLayerUpload
                Resource:
                  - !GetAtt ECRRepository.Arn
                  - "*"
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-codebuild-role"
        - Key: StackName
          Value: !Ref AWS::StackName
        - Key: Module
          Value: IAM

Finding 56: CKV_AWS_117

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_117
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:313-421

Description:
Ensure that AWS Lambda function is configured inside a VPC

Code Snippet:

CodeBuildTriggerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-codebuild-trigger"
      Description: "Triggers CodeBuild projects as CloudFormation custom resource"
      Handler: index.handler
      Role: !GetAtt CustomResourceRole.Arn
      Runtime: python3.9
      Timeout: 900
      Code:
        ZipFile: |
          import boto3
          import cfnresponse
          import json
          import logging
          import time

          logger = logging.getLogger()
          logger.setLevel(logging.INFO)

          def handler(event, context):
              logger.info('Received event: %s', json.dumps(event))

              try:
                  if event['RequestType'] == 'Delete':
                      cfnresponse.send(event, context, cfnresponse.SUCCESS, {})
                      return

                  project_name = event['ResourceProperties']['ProjectName']
                  wait_for_completion = event['ResourceProperties'].get('WaitForCompletion', 'true').lower() == 'true'

                  logger.info(f"Attempting to start CodeBuild project: {project_name}")
                  logger.info(f"Wait for completion: {wait_for_completion}")

                  codebuild = boto3.client('codebuild')

                  try:
                      project_info = codebuild.batch_get_projects(names=[project_name])
                      if not project_info['projects']:
                          raise Exception(f"CodeBuild project '{project_name}' not found")
                      logger.info(f"CodeBuild project '{project_name}' found")
                  except Exception as e:
                      logger.error(f"Error checking project existence: {str(e)}")
                      raise

                  response = codebuild.start_build(projectName=project_name)
                  build_id = response['build']['id']

                  logger.info(f"Successfully started build: {build_id}")

                  if not wait_for_completion:
                      cfnresponse.send(event, context, cfnresponse.SUCCESS, {
                          'BuildId': build_id,
                          'Status': 'STARTED'
                      })
                      return

                  max_wait_time = context.get_remaining_time_in_millis() / 1000 - 30
                  start_time = time.time()

                  while True:
                      if time.time() - start_time > max_wait_time:
                          error_message = f"Build {build_id} timed out"
                          logger.error(error_message)
                          cfnresponse.send(event, context, cfnresponse.FAILED, {'Error': error_message})
                          return

                      build_response = codebuild.batch_get_builds(ids=[build_id])
                      build_status = build_response['builds'][0]['buildStatus']

                      if build_status == 'SUCCEEDED':
                          logger.info(f"Build {build_id} succeeded")
                          cfnresponse.send(event, context, cfnresponse.SUCCESS, {
                              'BuildId': build_id,
                              'Status': build_status
                          })
                          return
                      elif build_status in ['FAILED', 'FAULT', 'STOPPED', 'TIMED_OUT']:
                          error_message = f"Build {build_id} failed with status: {build_status}"
                          logger.error(error_message)

                          try:
                              logs_info = build_response['builds'][0].get('logs', {})
                              if logs_info.get('groupName') and logs_info.get('streamName'):
                                  logger.info(f"Build logs available in CloudWatch")
                          except Exception as log_error:
                              logger.warning(f"Could not get log information: {log_error}")

                          cfnresponse.send(event, context, cfnresponse.FAILED, {
                              'Error': error_message,
                              'BuildId': build_id
                          })
                          return

                      logger.info(f"Build {build_id} status: {build_status}")
                      time.sleep(30)

              except Exception as e:
                  logger.error('Error: %s', str(e))
                  cfnresponse.send(event, context, cfnresponse.FAILED, {
                      'Error': str(e)
                  })
      Tags:
        - Key: Name
          Value: !Sub "${AWS::StackName}-codebuild-trigger"
        - Key: StackName
          Value: !Ref AWS::StackName
        - Key: Module
          Value: Lambda

Finding 57: CKV_AWS_363

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_AWS_363
  • Location: 04-infrastructure-as-code/cloudformation/mcp-server-agentcore-runtime/mcp-server-template.yaml:313-421

Description:
Ensure Lambda Runtime is not deprecated

Code Snippet:

CodeBuildTriggerFunction:
    Type: AWS::Lambda::Function
    Properties:


<!-- ASH-SECURITY-SCAN-COMMENT -->

@omrsamer
Add comprehensive README documentation for CFN samples with architect…
52eabd4 
…ure diagrams

- Added detailed README.md files for basic-runtime, multi-agent-runtime, and weather-agent-runtime
- Included architecture PNG diagrams for basic-runtime and multi-agent-runtime
- Standardized testing sections across all READMEs (AWS CLI and Console only)
- Removed Python testing sections for consistency
- Added deployment, testing, troubleshooting, and cost estimate sections
- Updated CONTRIBUTORS.md with contributor name
- Updated main 04-cfn-samples README.md
@omrsamer
Add architecture diagram to mcp-server-agentcore-runtime README
1e850a5 
- Added architecture.png with visual diagram
- Updated README to use local PNG instead of tutorial reference
- Added detailed architecture component descriptions
@omrsamer
Update get_token.py cosmetic changes
0cbc8e7
@omrsamer
Fix Python formatting to pass ruff linter
359994b
@omrsamer omrsamer force-pushed the feature/cfn-samples-mcp-server branch 4 times, most recently from 979a1d7 to 8089a3a Compare October 14, 2025 09:06
@omrsamer
Restructure infrastructure samples: rename to 04-infrastructure-as-co…
6035777 
…de and organize CloudFormation templates

- Rename 04-cfn-samples to 04-infrastructure-as-code
- Create cloudformation subfolder for better organization
- Rename weather-agent-runtime to end-to-end-weather-agent
- Rename weather agent template.yaml to end-to-end-weather-agent.yaml
- Update all documentation and scripts to reflect new structure
- Update main README with new paths and folder structure
- All Python files pass ruff formatting checks
@omrsamer omrsamer force-pushed the feature/cfn-samples-mcp-server branch from 8089a3a to 6035777 Compare October 14, 2025 09:28
mttanke
mttanke requested changes Oct 14, 2025
View reviewed changes
@omrsamer omrsamer force-pushed the feature/cfn-samples-mcp-server branch 2 times, most recently from a418838 to ebc570a Compare October 14, 2025 12:56
@omrsamer omrsamer requested a review from mttanke October 14, 2025 12:59
@omrsamer
Update CloudFormation examples to use us-west-2 region and remove pro…
e457a1b 
…duction-ready language

- Changed all deploy.sh, cleanup.sh, and test.sh scripts from us-east-1 to us-west-2
- Updated all README files with CLI examples to use us-west-2
- Updated Python helper scripts (get_token.py, test_mcp_server.py) to use us-west-2 in examples
- Updated multi-agent-runtime template.yaml default region to us-west-2
- Removed 'production-ready' language from README files, replaced with 'complete'
- All 4 CloudFormation examples now consistently use us-west-2 region
@omrsamer omrsamer force-pushed the feature/cfn-samples-mcp-server branch from ebc570a to e457a1b Compare October 14, 2025 13:05
@mttanke mttanke merged commit 534d438 into awslabs:main Oct 14, 2025
8 checks passed
@omrsamer omrsamer mentioned this pull request Oct 14, 2025
Closed
9 tasks
sunkavar pushed a commit to sasikiran-malladi/amazon-bedrock-agentcore-samples that referenced this pull request Oct 16, 2025
@omrsamer @mttanke @sunkavar
Feature/cfn samples mcp server (awslabs#464)
2b11cd7 
* Add CloudFormation samples for MCP Server on AgentCore Runtime

- Created 04-cfn-samples/ directory with production-ready CloudFormation templates
- Added mcp-server-agentcore-runtime sample with:
  - Complete CloudFormation template (mcp-server-template.yaml)
  - Automated deployment scripts (deploy.sh, test.sh, cleanup.sh)
  - Authentication helper (get_token.py)
  - MCP client test script (test_mcp_server.py)
  - Comprehensive documentation (README.md, DETAILED_GUIDE.md)
- Features:
  - One-command deployment with automated Docker image building
  - JWT authentication via Cognito
  - ARM64 Docker images built via CodeBuild
  - Three sample MCP tools (add_numbers, multiply_numbers, greet_user)
  - Least-privilege IAM roles
  - Complete troubleshooting guide

* Add omrsamer to CONTRIBUTORS.md

* Add three additional CloudFormation samples

- Added basic-runtime: Simple agent without tools or memory
- Added multi-agent-runtime: Two-agent system with orchestrator and specialist
- Added weather-agent-runtime: Complete agent with browser, code interpreter, and memory
- Updated main README with all four samples and comprehensive documentation

* Add deployment and cleanup scripts for all CFN samples

- Added deploy.sh and cleanup.sh for basic-runtime
- Added deploy.sh and cleanup.sh for multi-agent-runtime
- Added deploy.sh and cleanup.sh for weather-agent-runtime
- All scripts are executable and follow the same pattern as mcp-server-agentcore-runtime
- Scripts include proper error handling and user-friendly output

* Add comprehensive README documentation for CFN samples with architecture diagrams

- Added detailed README.md files for basic-runtime, multi-agent-runtime, and weather-agent-runtime
- Included architecture PNG diagrams for basic-runtime and multi-agent-runtime
- Standardized testing sections across all READMEs (AWS CLI and Console only)
- Removed Python testing sections for consistency
- Added deployment, testing, troubleshooting, and cost estimate sections
- Updated CONTRIBUTORS.md with contributor name
- Updated main 04-cfn-samples README.md

* Add architecture diagram to mcp-server-agentcore-runtime README

- Added architecture.png with visual diagram
- Updated README to use local PNG instead of tutorial reference
- Added detailed architecture component descriptions

* Update get_token.py cosmetic changes

* Fix Python formatting to pass ruff linter

* Restructure infrastructure samples: rename to 04-infrastructure-as-code and organize CloudFormation templates

- Rename 04-cfn-samples to 04-infrastructure-as-code
- Create cloudformation subfolder for better organization
- Rename weather-agent-runtime to end-to-end-weather-agent
- Rename weather agent template.yaml to end-to-end-weather-agent.yaml
- Update all documentation and scripts to reflect new structure
- Update main README with new paths and folder structure
- All Python files pass ruff formatting checks

* Update CloudFormation examples to use us-west-2 region and remove production-ready language

- Changed all deploy.sh, cleanup.sh, and test.sh scripts from us-east-1 to us-west-2
- Updated all README files with CLI examples to use us-west-2
- Updated Python helper scripts (get_token.py, test_mcp_server.py) to use us-west-2 in examples
- Updated multi-agent-runtime template.yaml default region to us-west-2
- Removed 'production-ready' language from README files, replaced with 'complete'
- All 4 CloudFormation examples now consistently use us-west-2 region

* Resolve CONTRIBUTORS.md merge conflict - include all contributors from both branches

---------

Signed-off-by: Maira Ladeira Tanke <[email protected]>
Co-authored-by: Maira Ladeira Tanke <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mttanke mttanke mttanke approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@omrsamer @mttanke