AI agents now automate complex workflows with ease, but security remains a critical challenge. Without proper authorization, these agents can expose sensitive data or perform unauthorized actions. The solution? Implementing role-based access control (RBAC) directly into your agent architecture from the start.
Amazon Bedrock AgentCore provides the tools to build secure, multi-tenant AI agents that respect user permissions at every step. By integrating identity providers, defining granular OAuth scopes, and enforcing policies through Gateway interceptors, you can create a deterministic authorization layer for your non-deterministic agents.
Start with Identity: Validate Every Request
The first step is answering a fundamental question: who is making this request? Every agent invocation must verify the user's identity before processing any data. Amazon Bedrock AgentCore Runtime handles this authentication automatically through integration with your identity provider (IDP).
When users authenticate via platforms like Okta, Microsoft Entra ID, or Amazon Cognito, they receive a JSON Web Token (JWT). This token serves as proof of identity and contains essential claims about the user's permissions and role.
The Runtime performs three critical validations on each token:
- Cryptographic signature verification to ensure the token wasn't tampered with
- Expiration check to reject stale credentials
- Audience validation to confirm the token was issued for your specific application
For development environments, AgentCore supports a NONE authorizer type, but production deployments should always use one of the secure options: CUSTOM_JWT for OAuth 2.0 compliant IDPs or AWS_IAM for AWS-based authentication. The following configuration demonstrates setting up a custom JWT authorizer with Amazon Cognito:
import boto3
client = boto3.client('bedrock-agentcore-control', region_name='us-east-1')
response = client.create_agent_runtime(
agentRuntimeName='hr-agent-runtime',
agentRuntimeArtifact={
'containerConfiguration': {
'containerUri': '<account>.dkr.ecr.us-east-1.amazonaws.com/hr-agent:latest'
}
},
authorizerConfiguration={
'customJWTAuthorizer': {
'discoveryUrl': '
'allowedClients': ['hr-api-client']
}
},
networkConfiguration={'networkMode': 'PUBLIC'},
roleArn='arn:aws:iam::<account>:role/AgentRuntimeRole'
)With this configuration, all agent invocations automatically reject unauthorized requests, establishing a secure foundation before any data processing begins.
Define Granular Permissions with OAuth Scopes
Authentication confirms identity, but authorization determines what each user can access. This is where OAuth scopes become essential. Scopes serve as permission labels that map directly to user roles and capabilities.
A properly configured JWT includes several key claims that define a user's access level:
sub: Unique identifier for the useriss: Identity provider that issued the tokenaud: Intended recipient of the token (your application)exp: Token expiration timestampscope: Space-separated list of OAuth scopes defining permissionsgroups: User's role or group memberships
Common scope patterns for different user types might look like this:
- Full Access User:
api/read api/write api/admin— Access to all tools and administrative functions - Standard User:
api/read api/write— Permission to read and modify data, excluding administrative tools - Read-Only User:
api/read— Access limited to viewing data without modification capabilities
These scopes are assigned based on user roles during authentication. The challenge is ensuring these scopes are actually enforced—not just present in the token. This requires the next critical layer of security.
Enforce Policies with AgentCore Gateway
Even with authenticated tokens containing scope claims, enforcement remains essential. AI agents operate non-deterministically—an LLM might interpret user requests in unexpected ways, potentially accessing tools beyond a user's assigned permissions. This is where Amazon Bedrock AgentCore Gateway provides critical protection.
AgentCore Gateway acts as an enforcement point between your agent runtime and the tools it can access. Every tool call flows through this gateway, providing a centralized location to validate permissions and block unauthorized actions.
The gateway implements a defense-in-depth strategy by performing its own independent authentication validation, even after the Runtime has already authenticated the token. This layered approach catches any gaps in previous validation steps and prevents credential misuse.
Configure the gateway with similar identity provider settings:
import boto3
client = boto3.client('bedrock-agentcore-control', region_name='us-east-1')
response = client.create_gateway(
name='hr-agent-gateway',
protocolType='MCP',
authorizerType='CUSTOM_JWT',
authorizerConfiguration={
'customJWTAuthorizer': {
'allowedClients': ['hr-api-client'],
'discoveryUrl': '
}
},
roleArn='arn:aws:iam::<account>:role/GatewayServiceRole'
)Beyond authentication, the gateway implements Cedar policy language to define fine-grained authorization rules. Cedar policies allow you to specify exactly which users can access which tools based on their scope claims, preventing any potential authorization bypasses through creative prompting or agent hallucination.
Build Secure AI Agents for Production
The rise of AI agents promises to transform workflows across industries, but their security cannot be an afterthought. By implementing authentication through JWT validation, defining granular permissions with OAuth scopes, and enforcing policies through Gateway interceptors, you can build production-ready AI agents that maintain strict access control.
Amazon Bedrock AgentCore provides the infrastructure to implement these security measures without sacrificing the flexibility and power of AI agents. As these systems become more sophisticated, the ability to enforce deterministic authorization policies on non-deterministic behavior will become increasingly critical for enterprise adoption.
AI summary
AI ajanlarınız için güvenli çok kullanıcılı erişim kontrolü oluşturun. Amazon Bedrock AgentCore ile RBAC uygulamak için 3 basit adım.
