The article outlines a method for securing AI agents deployed on Amazon ECS using Amazon Bedrock AgentCore Identity. It details the implementation of the Authorization Code Grant (3-legged OAuth) flow, ensuring secure session binding and scoped access tokens for external service interactions. This approach addresses critical security concerns for production AI agents by enforcing least-privilege principles and protecting against common web attacks.
Every atomic assertion extracted from the underlying record, ranked by evidence strength.
Amazon Bedrock AgentCore Identity secures how AI agents access external services.
The implementation includes auth tokens scoped to each user session, following least-privilege principles.
The implementation includes secure session binding that prevents CSRF and browser-swapping attacks.
The Session Binding Service processes OAuth callbacks to link user sessions with third-party access tokens.
The implementation includes separation of concerns between the agent workload and session binding service.
The solution uses OAuth 2.0 (RFC 6749) and OpenID Connect (OIDC).
AI agents in production require secure access to external services.
The access logs bucket requires Amazon S3 managed encryption (SSE-S3).
The solution maintains an auditable chain from user authentication through to agent action.
This post implements Authorization Code Grant (3-legged OAuth) on Amazon ECS with secure session binding and scoped tokens.
The Authorization Code Grant provides user consent before the agent can act.
The Authorization Code Grant provides scoped delegation that limits the agent to only the permissions the user approved.
A Callback URL points to AgentCore Identity and must be registered with the Authorization Server as the redirect target.
OIDC authenticates users (who they are).
The pattern works across different compute platforms, whether you run agents on ECS, EKS, Lambda, or outside AWS entirely.
The application exchanges an authorization code for an access token, which creates an audit trail.
The Authorization Code Grant flow involves a user authenticating with an identity provider and granting consent.
AI agents can run on compute platforms like Amazon ECS, Amazon EKS, AWS Lambda, or on-premises.
Amazon Bedrock AgentCore Identity secures the scoped access token in its token vault.
Each token is bound to a specific user identity with explicit consent.
The `sub` field in the JWT uniquely identifies the user.
The Authorization Code Grant is suited for agentic workloads that act on behalf of users.
The agent calls a large language model (LLM) on Amazon Bedrock.
The Authorization Code Grant provides session binding that verifies the user who initiated the authorization request is the same user who granted consent.
Performing actions in GitHub requires the user's OAuth access token.
A Callback URL is automatically generated when creating an OAuth client in AgentCore Identity.
After user authorization, the Session Binding Service completes the OAuth flow by binding the authorization to the correct user session via AgentCore Identity.
A Session Binding URL points back to a customer-managed service that completes the session binding between the authenticated user and the OAuth flow.
The Session Binding URL endpoint is implemented and hosted by the customer.
The architecture diagram shows AgentCore Identity securing a self-hosted AI agent on Amazon ECS.
The Agentic Workload runs the AI agent and handles user requests.
The solution deploys two services on Amazon ECS behind an Application Load Balancer.
The solution focuses on the Authorization Code Grant for user-delegated access.
Other OIDC-compliant providers are supported by the solution.
The walkthrough uses Microsoft Entra ID as the identity provider.
Both services use Amazon Bedrock AgentCore Identity to authenticate users inbound via OIDC and authorize outbound actions on their behalf.
Requests arrive at an Amazon Application Load Balancer (ALB).
The ALB authenticates the user through the ALB's built-in OIDC authentication flow.
Traffic is encrypted with HTTPS using a certificate from AWS Certificate Manager.
An alias A record in an Amazon Route 53 public hosted zone routes traffic to the load balancer.
After authenticating the user through OIDC, the ALB forwards the request to the Amazon ECS cluster.
The ALB injects an `x-amzn-oidc-data` header containing the user's claims in JWT format.
OAuth 2.0 authorizes user actions (what they can do).
The Agentic Workload exposes a FastAPI server with an `/invocations` endpoint that accepts a `sessionId` and `message`.
The FastAPI server passes `sessionId` and `message` to an agent built with Strands Agents.
Other agent SDKs like LangChain can also be used.
Amazon Bedrock AgentCore Identity is available as a standalone service.
Other model providers work with the agent.
The agent uses the user's `sub` claim as a key prefix to isolate sessions between users.
The agent has tools to perform actions on the user's behalf in GitHub.
The solution validates the ALB-signed JWT using AWS's published signing keys.
When the agent needs to act on a user's behalf in a third-party service, it requests an OAuth access token through AgentCore Identity.
If no valid token exists, AgentCore Identity initiates an Authorization Code Grant flow.
The Authorization Code Grant flow prompts the user to authorize access.
A dedicated S3 bucket stores access logs for both the load balancer and the data bucket.
The FastAPI server that hosts the agentic workload exposes a `/docs` endpoint, which renders the OpenAPI specification as an interactive HTML page.
Amazon CloudWatch captures logs.
ECS pulls container images from Amazon ECR.
A set of basic AWS WAF rules is attached to the load balancer to provide baseline protection against common web exploits.
The agent stores session state in an Amazon S3 bucket.