Amazon CloudFront to Amazon Bedrock AgentCore Runtime

Amazon Cognito → Amazon CloudFront → Amazon Bedrock AgentCore

Proxy requests to Amazon Bedrock AgentCore Runtime through CloudFront with OAuth 2.0 authentication, supporting A2A, HTTP, and MCP protocols.

This pattern creates a CloudFront distribution that proxies requests to three AgentCore Runtimes (A2A, HTTP, MCP protocols).
CloudFront Functions strip path prefixes (/a2a, /rest, /mcp) before forwarding to the appropriate AgentCore Runtime.
AgentCore validates JWT tokens for OAuth 2.0 authentication.
Benefits include custom domain support, DDoS protection via AWS Shield, optional WAF integration for rate limiting and geo-blocking, custom authorizer logic via Lambda@Edge, and centralized logging.
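
The prefix stripping described above, as an added example rather than the pattern's own function: one CloudFront Function, assumed to be attached to the viewer-request event of all three behaviors. Only the three prefixes come from this page; the function names, the 400/404 responses and the dot-segment check are assumptions.

```javascript
// Added example (not the pattern's code). Only the three prefixes come from
// the page; function names and the 400/404 responses are assumptions.
var PREFIXES = ['/a2a', '/rest', '/mcp'];

// True if the path contains a literal "." or ".." segment.
function hasDotSegment(uri) {
    var parts = uri.split('/');
    for (var i = 0; i < parts.length; i++) {
        if (parts[i] === '.' || parts[i] === '..') return true;
    }
    return false;
}

// Strip a route prefix only when it matches a whole leading path segment,
// so "/mcp/tools" becomes "/tools" but "/mcpx/tools" is not treated as MCP.
// Returns null when no prefix matches.
function stripPrefix(uri) {
    for (var i = 0; i < PREFIXES.length; i++) {
        var p = PREFIXES[i];
        if (uri === p) return '/';
        if (uri.indexOf(p + '/') === 0) return uri.slice(p.length);
    }
    return null;
}

// CloudFront Functions entry point for the viewer-request event.
function handler(event) {
    var request = event.request;
    if (hasDotSegment(request.uri)) {
        // Refuse rather than forward a path that could resolve elsewhere.
        return { statusCode: 400, statusDescription: 'Bad Request' };
    }
    var stripped = stripPrefix(request.uri);
    if (stripped === null) {
        // Unknown route: answer at the edge, nothing reaches a runtime.
        return { statusCode: 404, statusDescription: 'Not Found' };
    }
    // Only the URI changes; headers (including Authorization) pass through
    // untouched so AgentCore still receives the bearer token to validate.
    request.uri = stripped;
    return request;
}
```

Matching on a whole segment keeps a path such as /mcpx from being routed as MCP traffic, and leaving the headers alone keeps JWT validation where the pattern puts it, in AgentCore.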


Clone repo

git clone https://github.com/aws-samples/serverless-patterns/
cd serverless-patterns/cloudfront-agentcore-runtime-cdk

Deploy

python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
cdk bootstrap aws://<account-id>/us-west-2 aws://<account-id>/us-east-1
cdk deploy --all


Testing

See the GitHub repo for detailed testing instructions.

Cleanup

Delete the stacks: cdk destroy --all

Created by:

Rakshith Rao

I am a Senior Solutions Architect at AWS and help our strategic customers build and operate their key workloads on AWS.

Biswanath Mukherjee

Sr. Solutions Architect working at AWS India.
