feat(bedrock-agentcore-alpha): add observability configuration for Runtime (#36689)

### Issue # (if applicable)

Closes #36596

  ### Reason for this change

  Add observability support (logging and tracing) for Amazon Bedrock AgentCore Runtime. This enables users to:
  - Send X-Ray traces for agent runtime invocations
  - Deliver application logs and usage logs to CloudWatch Logs, S3, or Kinesis Data Firehose

  This is essential for monitoring, debugging, and auditing AgentCore Runtime workloads in production environments.

  ### Description of changes

  Added observability configuration options to `Runtime` construct:

  **New Properties:**
  - `tracingEnabled`: Enable X-Ray tracing delivery for the runtime
  - `loggingConfigs`: Array of logging configurations specifying log type and destination

  **New Classes:**
  - `LoggingDestination`: Abstract class with factory methods for creating log destinations
    - `LoggingDestination.cloudWatchLogs(logGroup)` - Send logs to CloudWatch Logs
    - `LoggingDestination.s3(bucket)` - Send logs to S3
    - `LoggingDestination.firehose(stream)` - Send logs to Kinesis Data Firehose

  **New Enums:**
  - `LogType`: `APPLICATION_LOGS` and `USAGE_LOGS`

  ### Describe any new or updated permissions being added

  The following IAM permissions are automatically configured:

  | Destination | Permissions | Principal |
  |-------------|-------------|-----------|
  | CloudWatch Logs | `logs:CreateLogStream`, `logs:PutLogEvents` | `delivery.logs.amazonaws.com` |
  | S3 | `s3:PutObject` | `delivery.logs.amazonaws.com` |
  | X-Ray | `xray:PutTraceSegments` | `delivery.logs.amazonaws.com` |
  | Firehose | Uses service-linked role via `LogDeliveryEnabled` tag | N/A |

  All policies include conditions restricting access by `aws:SourceAccount` and `aws:SourceArn`.

  ### Description of how you validated changes

Add unit tests and integ tests.

  ### Checklist
  - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

  ----

  *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: mazyu36

packages/@aws-cdk/aws-bedrock-agentcore-alpha/README.md

@@ -808,6 +808,52 @@ new agentcore.Runtime(this, 'test-runtime', {
 });
 ```
 
+#### Observability configuration
+
+The Runtime construct supports observability features including X-Ray tracing and logging to CloudWatch Logs, S3, or Kinesis Data Firehose. This allows you to monitor and debug your agent runtime invocations.
+
+You can configure:
+
+- tracingEnabled: Enable X-Ray tracing for the runtime
+- loggingConfigs: Send APPLICATION_LOGS (agent runtime invocations) and USAGE_LOGS (session-level resource consumption) to CloudWatch Logs, S3, or Kinesis Data Firehose
+
+For additional information, please refer to the [Set up logging and tracing for AgentCore](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability.html).
+
+```typescript fixture=default
+const repository = new ecr.Repository(this, 'TestRepository', {
+  repositoryName: 'test-agent-runtime',
+});
+
+const agentRuntimeArtifact = agentcore.AgentRuntimeArtifact.fromEcrRepository(repository, 'v1.0.0');
+
+// Create logging destinations
+const logGroup = new logs.LogGroup(this, 'RuntimeLogGroup');
+const logBucket = new s3.Bucket(this, 'RuntimeLogBucket');
+const firehoseStream = new firehose.DeliveryStream(this, 'RuntimeLogStream', {
+  destination: new firehose.S3Bucket(logBucket),
+});
+
+new agentcore.Runtime(this, 'test-runtime', {
+  runtimeName: 'test_runtime',
+  agentRuntimeArtifact: agentRuntimeArtifact,
+  tracingEnabled: true,
+  loggingConfigs: [
+    {
+      logType: agentcore.LogType.APPLICATION_LOGS,
+      destination: agentcore.LoggingDestination.cloudWatchLogs(logGroup),
+    },
+    {
+      logType: agentcore.LogType.APPLICATION_LOGS,
+      destination: agentcore.LoggingDestination.s3(logBucket),
+    },
+    {
+      logType: agentcore.LogType.APPLICATION_LOGS,
+      destination: agentcore.LoggingDestination.firehose(firehoseStream),
+    },
+  ],
+});
+```
+
 ## Browser
 
 The Amazon Bedrock AgentCore Browser provides a secure, cloud-based browser that enables AI agents to interact with websites. It includes security features such as session isolation, built-in observability through live viewing, CloudTrail logging, and session replay capabilities.

packages/@aws-cdk/aws-bedrock-agentcore-alpha/lib/index.ts

@@ -24,6 +24,7 @@ export * from './runtime/inbound-auth/runtime-authorizer-configuration';
 export * from './runtime/runtime-endpoint-base';
 export * from './runtime/runtime-endpoint';
 export * from './runtime/runtime';
+export * from './runtime/observability';
 // Tools
 // ===================================
 export * from './tools/code-interpreter';