DEV205 Securing Amazon Bedrock AgentCore

Rowan Udell, AWS Security Hero
AWS Summit Sydney 2026

Agents Are Software.

Treat them like software.

What Makes Agents Unusual Software?

Traditional App

Deterministic execution

  • Fixed control flow
  • Clearly scoped permissions
  • Predictable I/O

AI Agent

Probabilistic outcomes are a feature, not a bug

  • Broad access patterns
  • Dynamic tool selection
  • Untrusted content in the loop

Guardrails that are 95% effective

are not reliable enough.

The Lethal Trifecta

Simon Willison, 2025

A Dangerous Combination

  • One or two? Manageable.
  • All three?

Meet the Tax Assistant

An AI agent that helps Australians with tax returns, deductions, and financial planning

It has access to financial records, processes documents from users, and takes actions with the ATO and banks

Any concerns?

All Three Legs

Sensitive Data

  • TFNs and income
  • Bank and super balances
  • Prior returns

Untrusted Content

  • Uploaded receipts
  • Forwarded bank statements
  • User requests

External Actions

  • Lodge tax returns
  • Submit BAS statements
  • Initiate bank transfers

"Old school" security

is still your best friend.

The Fundamentals Haven't Changed

  • Least privilege - don't give agents permissions they don't need
  • Defense in depth - IAM, VPC, Guardrails, Cedar policies: independent layers that assume the others can fail
  • Separation of concerns - multi-agent architectures scope capabilities and contain blast radius
  • Audit everything - you can't secure what you can't see
  • Get identity right - agents should act as users, not as omnipotent service accounts

Break a Leg

The trifecta is only lethal with all three.

Three Patterns

Pick a leg to remove

Scoped Data

  • Limit Sensitive Data
  • Caller's own data
  • Like multi-tenant SaaS

Curated Input

  • Avoid Untrusted Content
  • Limit what the agent sees
  • Only required modalities

Read-Only

  • Forbid External Actions
  • Agent thinks, doesn't act
  • Whenever output is enough

Back to the Tax Assistant

Sensitive Data

  • Memory namespace
    • memoryStrategyId
    • actorId
    • sessionId
  • IAM condition bedrock-agentcore:namespace blocks cross-user retrieval
  • AgentCore Identity OBO token carries actorId on every call

Untrusted Content

  • Gateway SchemaDefinition types every field: amounts, dates, ABNs
  • No free-text or file-upload fields in the tool schema
  • Documents pre-parsed into structured records before reaching agent context

External Actions

  • Policy enforced at the Gateway, outside agent code
  • Cedar forbid rule with a when condition
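As an added example (not code from the talk or from AgentCore itself), here is what the two Gateway-side checks above look like in Python: a typed tool schema that rejects unexpected free-text fields and fails ABNs that do not pass the ABR check-digit rule, and a namespace check that mirrors the IAM bedrock-agentcore:namespace condition by comparing the requested namespace with the actorId on the OBO token. Field names and the namespace layout are assumptions.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed illustration of Gateway-side checks: typed fields only, and a
# memory namespace that must belong to the actor on the caller's OBO token.
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
ALLOWED_FIELDS = {"amount", "date", "abn"}  # assumed tool schema


def valid_abn(abn: str) -> bool:
    """ABR check-digit rule: subtract 1 from the first digit, apply the
    weights, and the weighted sum must be divisible by 89."""
    digits = abn.replace(" ", "")
    if len(digits) != 11 or not digits.isdigit():
        return False
    nums = [int(d) for d in digits]
    nums[0] -= 1
    return sum(n * w for n, w in zip(nums, ABN_WEIGHTS)) % 89 == 0


def validate_deduction(payload: dict) -> list[str]:
    """Return schema violations; an empty list means the call may proceed."""
    errors = []
    extra = set(payload) - ALLOWED_FIELDS
    if extra:  # any unknown field is a free-text channel for injected text
        errors.append(f"unexpected fields: {sorted(extra)}")
    try:
        amount = Decimal(str(payload.get("amount")))
    except InvalidOperation:
        errors.append("amount is not a decimal number")
    else:
        if not amount.is_finite() or amount <= 0 or amount.as_tuple().exponent < -2:
            errors.append("amount must be positive with at most 2 decimal places")
    try:
        date.fromisoformat(str(payload.get("date")))
    except ValueError:
        errors.append("date must be ISO 8601 (YYYY-MM-DD)")
    if not valid_abn(str(payload.get("abn", ""))):
        errors.append("abn failed checksum")
    return errors


def authorize_namespace(token_actor_id: str, namespace: str) -> bool:
    """Allow a memory read only if the namespace belongs to the token's actor.
    Assumed layout: /{memoryStrategyId}/actor/{actorId}/session/{sessionId}."""
    parts = namespace.strip("/").split("/")
    return len(parts) >= 3 and parts[1] == "actor" and parts[2] == token_actor_id
```

Because the checks live at the Gateway rather than in the agent's prompt, a model that is talked into requesting another user's namespace or into passing a "notes" field still gets refused.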

A Multi-Agent Approach

diagram

What To Do Tomorrow

Make Things Better

  • Catalogue every agent you run: you can't secure what you can't see.
  • Map the legs each agent carries, erring on the side of caution.
  • Name the leg you removed for each agent: if you can't name it, is it gone?
  • Enforce removal outside agent code using Policy, Gateway, and Identity.
  • Decompose multi-leg agents into focused, single-purpose sub-agents.

Agents Are Software.

Secure them like software.

Thank You!

Questions? No time for questions! Happy to chat after 🤙

I help teams move agents from prototype to production
