diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/memory/memory.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/memory/memory.ts index f0ec04a0d75f7..1e0851854fd23 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/memory/memory.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/memory/memory.ts @@ -11,7 +11,7 @@ * and limitations under the License. */ -import { Arn, ArnFormat, Duration, IResource, Lazy, Resource } from 'aws-cdk-lib'; +import { Arn, ArnFormat, Duration, IResource, Lazy, Resource, Token } from 'aws-cdk-lib'; import { IConstruct, Construct } from 'constructs'; import * as bedrockagentcore from 'aws-cdk-lib/aws-bedrockagentcore'; import { CfnMemory, CfnMemoryProps } from 'aws-cdk-lib/aws-bedrockagentcore'; @@ -828,6 +828,10 @@ export class Memory extends MemoryBase { private _validateMemoryExpirationDays = (expirationDays: number): string[] => { let errors: string[] = []; + if (Token.isUnresolved(expirationDays)) { + return errors; + } + if (expirationDays < MEMORY_EXPIRATION_DAYS_MIN || expirationDays > MEMORY_EXPIRATION_DAYS_MAX) { errors.push(`Memory expiration days must be between ${MEMORY_EXPIRATION_DAYS_MIN} and ${MEMORY_EXPIRATION_DAYS_MAX}`); } diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-authorizer-configuration.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-authorizer-configuration.ts index 1e2d08d0bc1a8..48e36cd7e903d 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-authorizer-configuration.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-authorizer-configuration.ts @@ -13,6 +13,7 @@ import { CfnRuntime } from 'aws-cdk-lib/aws-bedrockagentcore'; import { ValidationError } from './validation-helpers'; +import { Token } from 'aws-cdk-lib'; import { IUserPool, IUserPoolClient } from 'aws-cdk-lib/aws-cognito'; /** 
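Review bot: The early return added to `_validateMemoryExpirationDays` for unresolved values carries no comment saying where the range is enforced once the synth-time check is skipped. When `expirationDays` is a token, the `MEMORY_EXPIRATION_DAYS_MIN`/`MEMORY_EXPIRATION_DAYS_MAX` bounds are no longer checked by the construct, so an out-of-range retention period would surface only at deployment, presumably as a service-side rejection. I would add above the guard `// Late-bound value: the range cannot be checked at synth time, so enforcement is deferred to deployment.` The `expirationDuration` prop docs could also say that callers passing a parameter should bound it at the source, for example with `minValue`/`maxValue` on the `CfnParameter`. The function body continues past the end of the hunk.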
@@ -44,7 +45,7 @@ export abstract class RuntimeAuthorizerConfiguration { allowedClients?: string[], allowedAudience?: string[], ): RuntimeAuthorizerConfiguration { - if (!discoveryUrl.endsWith('/.well-known/openid-configuration')) { + if (!Token.isUnresolved(discoveryUrl) && !discoveryUrl.endsWith('/.well-known/openid-configuration')) { throw new ValidationError('JWT discovery URL must end with /.well-known/openid-configuration'); } return new JwtAuthorizerConfiguration(discoveryUrl, allowedClients, allowedAudience); @@ -81,7 +82,7 @@ export abstract class RuntimeAuthorizerConfiguration { clientId: string, allowedAudience?: string[], ): RuntimeAuthorizerConfiguration { - if (!discoveryUrl.endsWith('/.well-known/openid-configuration')) { + if (!Token.isUnresolved(discoveryUrl) && !discoveryUrl.endsWith('/.well-known/openid-configuration')) { throw new ValidationError('OAuth discovery URL must end with /.well-known/openid-configuration'); } return new OAuthAuthorizerConfiguration(discoveryUrl, clientId, allowedAudience); diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/memory/memory.test.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/memory/memory.test.ts index 2703b57fb3886..3a606e33e695e 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/memory/memory.test.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/memory/memory.test.ts 
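Review bot: With `!Token.isUnresolved(discoveryUrl) &&` short-circuiting the check in `usingJWT` (and identically in `usingOAuth` in the next hunk), a late-bound discovery URL reaches the authorizer configuration with no validation at all, and nothing visible in either hunk documents that. This URL selects the identity provider whose tokens the runtime will trust, so whoever can set the deploy-time value effectively chooses the trust anchor. I would add to the doc comment of both methods a sentence such as `If discoveryUrl is an unresolved token the suffix check is skipped; constrain the value at its source.` A `CfnParameter` `allowedPattern` that pins the https scheme, the expected issuer host and the `/.well-known/openid-configuration` suffix would be a good example to give there. Both method bodies begin outside their hunks, so the existing doc text is not visible here.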
@@ -471,6 +471,21 @@ describe('Memory expiration duration validation tests', () => { }); }).not.toThrow(); }); + + test('does not fail validation if expirationDuration is a late-bound value', () => { + // WHEN + const expirationDuration = new cdk.CfnParameter(stack, 'ExpirationDuration', { + default: 30, + type: 'Number', + }); + + expect(() => { + new Memory(stack, 'memory-late-bound', { + memoryName: 'memory_late_bound', + expirationDuration: Duration.days(expirationDuration.valueAsNumber), + }); + }).not.toThrow(); + }); }); describe('Memory with custom strategies tests', () => { diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts index ccccff069c791..ead1c4e911073 100644 --- a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts +++ b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/runtime.test.ts 
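Review bot: The new test stops at `.not.toThrow()` on construction and never checks that the late-bound value survives into the synthesized template. A regression that resolved or dropped the token further down (outside this hunk) would still pass. If `Template` from `aws-cdk-lib/assertions` is available in this file, I would follow the `expect` with an assertion that the memory resource's expiry property renders as `{ Ref: 'ExpirationDuration' }`. The two late-bound discovery URL tests added in runtime.test.ts have the same gap, since they call `usingJWT`/`usingOAuth` without attaching the result to a runtime and synthesizing. The `// WHEN` comment here also has no matching `// THEN` before the `expect`.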
@@ -1154,6 +1154,35 @@ describe('Runtime authentication configuration error cases', () => { app.synth(); expect(runtime.agentRuntimeName).toBe('test_runtime'); }); + + test('does not fail validation if JWT discovery URL is a late-bound value', () => { + // WHEN + const discoveryUrlParam = new cdk.CfnParameter(stack, 'JWTDiscoveryUrl', { + default: 'https://example.com/.well-known/openid-configuration', + type: 'String', + }); + + // THEN + expect(() => { + RuntimeAuthorizerConfiguration.usingJWT(discoveryUrlParam.valueAsString); + }).not.toThrow(); + }); + + test('does not fail validation if OAuth discovery URL is a late-bound value', () => { + // WHEN + const discoveryUrlParam = new cdk.CfnParameter(stack, 'OAuthDiscoveryUrl', { + default: 'https://oauth-provider.com/.well-known/openid-configuration', + type: 'String', + }); + + // THEN + expect(() => { + RuntimeAuthorizerConfiguration.usingOAuth( + discoveryUrlParam.valueAsString, + 'oauth-client-123', + ); + }).not.toThrow(); + }); }); describe('RuntimeNetworkConfiguration tests', () => {