Understanding Gateway CloudTrail Events - Amazon Bedrock AgentCore

Amazon Bedrock AgentCore is in preview release and is subject to change.

Understanding Gateway CloudTrail Events

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on.

Note

The contents of the requests and responses for data events are REDACTED, and the JWT claims have HTML entities sanitized for security purposes.

InvokeMcp Data Event With Authentication Error

The following example shows a CloudTrail log entry that demonstrates the InvokeMcp action with an authentication error:

{
  "eventVersion": "1.11",
  "userIdentity": {
    "type": "AWSAccount",
    "principalId": "",
    "accountId": "anonymous"
  },
  "eventTime": "2025-07-14T02:14:42Z",
  "eventSource": "bedrock-agentcore.amazonaws.com",
  "eventName": "InvokeMcp",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "34.XXX.XXX.206",
  "userAgent": "python-httpx/0.28.1",
  "requestParameters": {
    "body": {
      "id": 0,
      "method": "initialize",
      "params": {
        "clientInfo": {
          "name": "mcp",
          "version": "0.1.0"
        },
        "protocolVersion": "2025-06-18",
        "capabilities": {}
      },
      "jsonrpc": "2.0"
    }
  },
  "responseElements": {
    "body": {
      "jsonrpc": "2.0",
      "id": 0,
      "error": {
        "code": -32001,
        "message": "Invalid Bearer token"
      }
    },
    "contentType": "application/json",
    "statusCode": 401
  },
  "requestID": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "eventID": "12345678-1234-5678-9abc-123456789012",
  "readOnly": false,
  "resources": [
    {
      "accountId": "XXXXXXXXXX",
      "type": "AWS::BedrockAgentCore::Gateway",
      "ARN": "arn:aws:bedrock-agentcore:us-west-2:XXXXXXXXXX:gateway/test-openapi-gateway-b24f8c26-u9p3rjw8qw"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "XXXXXXXXXX",
  "sharedEventID": "12345678-xxxx-xxxx-xxxx-123456789012",
  "eventCategory": "Data",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "test-openapi-gateway-xxxxxxx-u9p3rjw8qw.gateway.bedrock-agentcore.us-west-2.amazonaws.com"
  }
}

Successful InvokeMcp Data Event

The following example shows a CloudTrail log entry for a successful InvokeMcp action:

{
  "eventVersion": "1.11",
  "userIdentity": {
    "type": "AWSAccount",
    "principalId": "",
    "accountId": "anonymous"
  },
  "eventTime": "2025-07-14T02:14:42Z",
  "eventSource": "bedrock-agentcore.amazonaws.com",
  "eventName": "InvokeMcp",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "35.88.103.184",
  "userAgent": "python-httpx/0.28.1",
  "requestParameters": {
    "body": {
      "id": 1,
      "method": "tools/call",
      "params": {
        "name": "SmithyTarget___ListTables",
        "arguments": "REDACTED"
      },
      "jsonrpc": "2.0"
    }
  },
  "responseElements": {
    "body": {
      "jsonrpc": "2.0",
      "id": 1,
      "result": {
        "isError": false,
        "content": "REDACTED"
      }
    },
    "contentType": "application/json",
    "statusCode": 200
  },
  "additionalEventData": {
    "targetId": "0JTXXX4YMA",
    "jwt": {
      "headers": {
        "kid": "hGrcJwz5MX6hNeuL6jdXE4hjK7sT6oj+yN7kN+arRv4=",
        "alg": "RS256"
      },
      "claims": {
        "sub": "4ammgxxxxxxxxxxxm3b8c",
        "token_use": "access",
        "scope": "python-cognito-resource-server-id/write python-cognito-resource-server-id/read",
        "auth_time": 1752459276,
        "iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_Fxxxxxhtq",
        "exp": 1752462876,
        "iat": 1752459276,
        "version": 2,
        "jti": "1234abcd-12ab-34cd-56ef-1234567890ab"
      },
      "type": "JWS"
    },
    "downstreamRequestIds": [
      "H3RDH6T03DG10996U0M2P1V1IFVV4KQNSO5AEMVJF66Q9ASUAAJG"
    ]
  },
  "requestID": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "eventID": "12345678-1234-5678-9abc-123456789012",
  "readOnly": false,
  "resources": [
    {
      "accountId": "XXXXXXXXXX",
      "type": "AWS::BedrockAgentCore::Gateway",
      "ARN": "arn:aws:bedrock-agentcore:us-west-2:XXXXXXXXXX:gateway/test-gateway-65129e91-mtzoadyihf"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "XXXXXXXXXX",
  "sharedEventID": "1234abcd-12ab-34cd-56ef-1234567890ab",
  "eventCategory": "Data",
  "tlsDetails": {
    "tlsVersion": "TLSv1.2",
    "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
    "clientProvidedHostHeader": "test-gateway-65129e91-xxxxxxxx.gateway.bedrock-agentcore.us-west-2.amazonaws.com"
  }
}

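
The following Python code is an added example, not AWS-provided code. It reads the fields shown in the two InvokeMcp entries above to count 401 responses per source IP address and gateway, and to record which token subject called which tool. The alert threshold, the sample records, the gateway ARN, the IP addresses, the client ID and the scope names are assumptions constructed for illustration.

```python
from collections import Counter

GW_TYPE = "AWS::BedrockAgentCore::Gateway"

def triage(records, fail_threshold=3):
    """Return (alerts, tool_calls) for Gateway InvokeMcp data events."""
    failures, tool_calls = Counter(), []
    for rec in records:
        if (rec.get("eventSource"), rec.get("eventName"), rec.get("eventCategory")) != (
                "bedrock-agentcore.amazonaws.com", "InvokeMcp", "Data"):
            continue  # management events and other services are out of scope
        req = (rec.get("requestParameters") or {}).get("body") or {}
        resp = rec.get("responseElements") or {}
        gateway = next((r.get("ARN") for r in rec.get("resources") or []
                        if r.get("type") == GW_TYPE), None)
        if resp.get("statusCode") == 401:
            # The page's rejected entry has no JWT block: key on source IP and gateway.
            failures[(rec.get("sourceIPAddress"), gateway)] += 1
        elif req.get("method") == "tools/call":
            claims = ((rec.get("additionalEventData") or {}).get("jwt") or {}).get("claims") or {}
            result = (resp.get("body") or {}).get("result") or {}
            tool_calls.append({
                "time": rec.get("eventTime"), "gateway": gateway,
                "sub": claims.get("sub"), "scopes": (claims.get("scope") or "").split(),
                "tool": (req.get("params") or {}).get("name"),
                "is_error": result.get("isError")})
    alerts = [{"source_ip": ip, "gateway": gw, "failed": n}
              for (ip, gw), n in failures.items() if n >= fail_threshold]
    return alerts, tool_calls

# Constructed sample records, trimmed to the fields read above; the ARN, IPs,
# client id and scope names are placeholders, and the threshold is an assumption.
GW = "arn:aws:bedrock-agentcore:us-west-2:111122223333:gateway/example-gateway"

def _rec(ip, status, req_body, resp_body, extra=None):
    return {"eventSource": "bedrock-agentcore.amazonaws.com", "eventName": "InvokeMcp",
            "eventCategory": "Data", "eventTime": "2025-07-14T02:14:42Z",
            "sourceIPAddress": ip, "requestParameters": {"body": req_body},
            "responseElements": {"body": resp_body, "statusCode": status},
            "additionalEventData": extra or {}, "resources": [{"type": GW_TYPE, "ARN": GW}]}

DENIED = _rec("198.51.100.7", 401, {"method": "initialize"},
              {"error": {"code": -32001, "message": "Invalid Bearer token"}})
ALLOWED = _rec("203.0.113.10", 200,
               {"method": "tools/call", "params": {"name": "SmithyTarget___ListTables"}},
               {"result": {"isError": False, "content": "REDACTED"}},
               {"jwt": {"claims": {"sub": "example-client-id",
                                   "scope": "example-rs/write example-rs/read"}}})
SAMPLE = [DENIED] * 3 + [ALLOWED]
if __name__ == "__main__":
    print(triage(SAMPLE))
```
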
Management Event

The following example shows a CloudTrail log entry for a management event:

{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROXXXXXXXXXXXXNRD7D:xxxxx",
    "arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/HydraInvocationRole-xxxxxxxxx/xxxx",
    "accountId": "XXXXXXXXXXXX",
    "accessKeyId": "xxxxxxxxx",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "xxxxxxxx",
        "arn": "arn:aws:iam::XXXXXXXXXXXX:role/HydraInvocationRole-xxx",
        "accountId": "XXXXXXXXXXXX",
        "userName": "HydraInvocationRole-xxxxx"
      },
      "attributes": {
        "creationDate": "2025-07-14T02:42:43Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "bedrock-agentcore.amazonaws.com"
  },
  "eventTime": "2025-07-14T02:47:38Z",
  "eventSource": "bedrock-agentcore.amazonaws.com",
  "eventName": "CreateGateway",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "bedrock-agentcore.amazonaws.com",
  "userAgent": "bedrock-agentcore.amazonaws.com",
  "requestParameters": {
    "roleArn": "arn:aws:iam::XXXXXXXXXXXX:role/PythonGenesisTestGatewayRole",
    "name": "***",
    "authorizerConfiguration": {
      "customJWTAuthorizer": {
        "allowedClients": [
          "xxxxxxxxx"
        ],
        "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxxx/.well-known/openid-configuration"
      }
    },
    "description": "***",
    "protocolType": "MCP",
    "authorizerType": "CUSTOM_JWT"
  },
  "responseElements": {
    "authorizerConfiguration": {
      "customJWTAuthorizer": {
        "allowedClients": [
          "xxxxxxxxxxxxxxx"
        ],
        "discoveryUrl": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxxxx/.well-known/openid-configuration"
      }
    },
    "description": "***",
    "protocolType": "MCP",
    "gatewayArn": "arn:aws:bedrock-agentcore:us-west-2:XXXXXXXXXXXX:gateway/test-openapi-gateway-xxxxxxx-xxxxxx",
    "workloadIdentityDetails": {
      "workloadIdentityArn": "arn:aws:bedrock-agentcore:us-west-2:XXXXXXXXXXXX:workload-identity-directory/default/workload-identity/test-openapi-gateway-xxxxxx-xxxxx"
    },
    "createdAt": "2025-07-14T02:47:38.302834063Z",
    "gatewayUrl": "https://test-openapi-gateway-xxxxxxx-8fb4mo6pqx.gateway.bedrock-agentcore.us-west-2.amazonaws.com/mcp",
    "roleArn": "arn:aws:iam::XXXXXXXXXXXX:role/PythonGenesisTestGatewayRole",
    "name": "***",
    "authorizerType": "CUSTOM_JWT",
    "gatewayId": "test-openapi-gateway-9c8f7109-8fb4mo6pqx",
    "status": "CREATING",
    "updatedAt": "2025-07-14T02:47:38.302845797Z"
  },
  "requestID": "0fb99b0b-a4d1-xxxx-8aee-c703adaa6bd9",
  "eventID": "b12bf859-xxxx-48d7-952a-d5c6ec00fb68",
  "readOnly": false,
  "resources": [
    {
      "accountId": "XXXXXXXXXXXX",
      "type": "AWS::BedrockAgentCore::Gateway",
      "ARN": "arn:aws:bedrock-agentcore:us-west-2:XXXXXXXXXXXX:gateway/test-openapi-gateway-xxxxxxx-8fb4mo6pqx"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "XXXXXXXXXXXX",
  "eventCategory": "Management"
}

Additional Resources

For more information about using CloudTrail with Gateway, see the following resources: