{
  "kind": "story",
  "slug": "secure-ai-agents-with-amazon-bedrock-agentcore-identity-on-a-3957158",
  "id": 1778110417603957158,
  "record_id": 1778055162702038315,
  "headline": "Secure AI agents with Amazon Bedrock AgentCore Identity on Amazon ECS",
  "summary": "The article outlines a method for securing AI agents deployed on Amazon ECS using Amazon Bedrock AgentCore Identity. It details an implementation of the Authorization Code Grant (3-legged OAuth) flow in which access tokens for external services are scoped to each user session, and a session binding step verifies that the user who initiated the authorization request is the same user who granted consent. The approach applies least-privilege principles to production AI agents: session binding is the control that prevents CSRF and browser-swapping attacks, while basic AWS WAF rules on the load balancer add baseline protection against common web exploits.",
  "source": "aws-machine-learning-blog",
  "source_url": "https://aws.amazon.com/blogs/machine-learning/secure-ai-agents-with-amazon-bedrock-agentcore-identity-on-amazon-ecs",
  "home_domain": "engineering-technology",
  "claim_type": null,
  "sentiment": "neutral",
  "significance": "medium",
  "claim_count": 121,
  "reading_time_minutes": 9,
  "published_date": "2026-05-05",
  "created_on": "2026-05-08T05:29:43.226589+00:00",
  "claims": [
    {
      "id": 1778218183780387020,
      "text": "Amazon Bedrock AgentCore Identity secures how AI agents access external services.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183804981403,
      "text": "The implementation includes auth tokens scoped to each user session, following least-privilege principles.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183800349753,
      "text": "The implementation includes secure session binding that prevents CSRF and browser-swapping attacks.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183912059806,
      "text": "The Session Binding Service processes OAuth callbacks to link user sessions with third-party access tokens.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183808766875,
      "text": "The implementation includes separation of concerns between the agent workload and session binding service.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183810871473,
      "text": "The solution uses OAuth 2.0 (RFC 6749) and OpenID Connect (OIDC).",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183764673268,
      "text": "AI agents in production require secure access to external services.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184037450480,
      "text": "The access logs bucket requires Amazon S3 managed encryption (SSE-S3).",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183848951297,
      "text": "The solution maintains an auditable chain from user authentication through to agent action.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183792183707,
      "text": "This post implements Authorization Code Grant (3-legged OAuth) on Amazon ECS with secure session binding and scoped tokens.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183856444988,
      "text": "The Authorization Code Grant provides user consent before the agent can act.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183864327886,
      "text": "The Authorization Code Grant provides scoped delegation that limits the agent to only the permissions the user approved.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183870041689,
      "text": "A Callback URL points to AgentCore Identity and must be registered with the Authorization Server as the redirect target.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183816663418,
      "text": "OIDC authenticates users (who they are).",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184380209286,
      "text": "The pattern works across different compute platforms, whether you run agents on ECS, EKS, Lambda, or outside AWS entirely.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183836323281,
      "text": "The application exchanges an authorization code for an access token, which creates an audit trail.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183832797558,
      "text": "The Authorization Code Grant flow involves a user authenticating with an identity provider and granting consent.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183788887620,
      "text": "AI agents can run on compute platforms like Amazon ECS, Amazon EKS, AWS Lambda, or on-premises.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183840455567,
      "text": "Amazon Bedrock AgentCore Identity secures the scoped access token in its token vault.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183844541885,
      "text": "Each token is bound to a specific user identity with explicit consent.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183946302689,
      "text": "The `sub` field in the JWT uniquely identifies the user.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183852359204,
      "text": "The Authorization Code Grant is suited for agentic workloads that act on behalf of users.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183964901302,
      "text": "The agent calls a large language model (LLM) on Amazon Bedrock.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183860328195,
      "text": "The Authorization Code Grant provides session binding that verifies the user who initiated the authorization request is the same user who granted consent.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183988939488,
      "text": "Performing actions in GitHub requires the user's OAuth access token.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183868449105,
      "text": "A Callback URL is automatically generated when creating an OAuth client in AgentCore Identity.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184004928182,
      "text": "After user authorization, the Session Binding Service completes the OAuth flow by binding the authorization to the correct user session via AgentCore Identity.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183876647222,
      "text": "A Session Binding URL points back to a customer-managed service that completes the session binding between the authenticated user and the OAuth flow.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183884689582,
      "text": "The Session Binding URL endpoint is implemented and hosted by the customer.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183888263251,
      "text": "The architecture diagram shows AgentCore Identity securing a self-hosted AI agent on Amazon ECS.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183902949895,
      "text": "The Agentic Workload runs the AI agent and handles user requests.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183900884978,
      "text": "The solution deploys two services on Amazon ECS behind an Application Load Balancer.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183828552081,
      "text": "The solution focuses on the Authorization Code Grant for user-delegated access.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183896641328,
      "text": "Other OIDC-compliant providers are supported by the solution.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183892482203,
      "text": "The walkthrough uses Microsoft Entra ID as the identity provider.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183916871774,
      "text": "Both services use Amazon Bedrock AgentCore Identity to authenticate users inbound via OIDC and authorize outbound actions on their behalf.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183920146663,
      "text": "Requests arrive at an Amazon Application Load Balancer (ALB).",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183924017907,
      "text": "The ALB authenticates the user through the ALB's built-in OIDC authentication flow.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183928494847,
      "text": "Traffic is encrypted with HTTPS using a certificate from AWS Certificate Manager.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183932881186,
      "text": "An alias A record in an Amazon Route 53 public hosted zone routes traffic to the load balancer.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183936189957,
      "text": "After authenticating the user through OIDC, the ALB forwards the request to the Amazon ECS cluster.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183940489732,
      "text": "The ALB injects an x-amzn-oidc-data header containing the user's claims in JWT format.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183824753286,
      "text": "OAuth 2.0 authorizes user actions (what they can do).",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183952098394,
      "text": "The Agentic Workload exposes a FastAPI server with an `/invocations` endpoint that accepts a `sessionId` and `message`.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183956970162,
      "text": "The FastAPI server passes `sessionId` and `message` to an agent built with Strands Agents.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183960312727,
      "text": "Other agent SDKs like LangChain can also be used.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183784146678,
      "text": "Amazon Bedrock AgentCore Identity is available as a standalone service.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183968329167,
      "text": "Other model providers work with the agent.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183976891008,
      "text": "The agent uses the user's `sub` claim as a key prefix to isolate sessions between users.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183984446884,
      "text": "The agent has tools to perform actions on the user's behalf in GitHub.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184280113842,
      "text": "The solution validates the ALB-signed JWT using AWS's published signing keys.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183991961701,
      "text": "When the agent needs to act on a user's behalf in a third-party service, it requests an OAuth access token through AgentCore Identity.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183996662749,
      "text": "If no valid token exists, AgentCore Identity initiates an Authorization Code Grant flow.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184000565340,
      "text": "The Authorization Code Grant flow prompts the user to authorize access.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184020243375,
      "text": "A dedicated S3 bucket stores access logs for both the load balancer and the data bucket.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184008583801,
      "text": "The FastAPI server that hosts the agentic workload exposes a `/docs` endpoint, which renders the OpenAPI specification as an interactive HTML page.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184014232565,
      "text": "Amazon CloudWatch captures logs.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184024990860,
      "text": "ECS pulls container images from Amazon ECR.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218184028198627,
      "text": "A set of basic AWS WAF rules is attached to the load balancer to provide baseline protection against common web exploits.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    },
    {
      "id": 1778218183972456709,
      "text": "The agent stores session state in an Amazon S3 bucket.",
      "evidence_type": "direct_quote",
      "confidence": "stated",
      "home_domain": "engineering-technology",
      "published_date": "2026-05-05"
    }
  ],
  "tags": [
    {
      "id": 17730955648679697,
      "slug": "amazon-application-load-balancer-organization",
      "name": "Amazon Application Load Balancer",
      "type": "organization"
    },
    {
      "id": 17733570659880550,
      "slug": "amazon-bedrock-agentcore-identity-organization",
      "name": "Amazon Bedrock AgentCore Identity",
      "type": "organization"
    },
    {
      "id": 17730950507777406,
      "slug": "amazon-cloudwatch-organization",
      "name": "Amazon CloudWatch",
      "type": "organization"
    },
    {
      "id": 17730950596817215,
      "slug": "amazon-ecr-organization",
      "name": "Amazon ECR",
      "type": "organization"
    },
    {
      "id": 17730950632812096,
      "slug": "amazon-ecs-organization",
      "name": "Amazon ECS",
      "type": "organization"
    },
    {
      "id": 17730950503420712,
      "slug": "amazon-eks-organization",
      "name": "Amazon EKS",
      "type": "organization"
    },
    {
      "id": 17733575101231075,
      "slug": "amazon-kms-organization",
      "name": "Amazon KMS",
      "type": "organization"
    },
    {
      "id": 17730950508345842,
      "slug": "amazon-route-53-organization",
      "name": "Amazon Route 53",
      "type": "organization"
    },
    {
      "id": 17723038993598995,
      "slug": "aws-organization",
      "name": "AWS",
      "type": "organization"
    },
    {
      "id": 17724205301351014,
      "slug": "aws-certificate-manager-organization",
      "name": "AWS Certificate Manager",
      "type": "organization"
    },
    {
      "id": 17724201130002819,
      "slug": "aws-lambda-organization",
      "name": "AWS Lambda",
      "type": "organization"
    },
    {
      "id": 17724065913561045,
      "slug": "aws-waf-organization",
      "name": "AWS WAF",
      "type": "organization"
    },
    {
      "id": 17723038994314960,
      "slug": "fastapi-organization",
      "name": "FastAPI",
      "type": "organization"
    },
    {
      "id": 17733518056319805,
      "slug": "github-organization",
      "name": "GitHub",
      "type": "organization"
    },
    {
      "id": 17723038994321982,
      "slug": "google-calendar-organization",
      "name": "Google Calendar",
      "type": "organization"
    },
    {
      "id": 17723038993657761,
      "slug": "jira-organization",
      "name": "Jira",
      "type": "organization"
    },
    {
      "id": 17723038993660793,
      "slug": "langchain-organization",
      "name": "LangChain",
      "type": "organization"
    },
    {
      "id": 17724064814009484,
      "slug": "microsoft-entra-id-organization",
      "name": "Microsoft Entra ID",
      "type": "organization"
    },
    {
      "id": 17731082584481438,
      "slug": "microsoft-graph-organization",
      "name": "Microsoft Graph",
      "type": "organization"
    },
    {
      "id": 17723038993599880,
      "slug": "salesforce-organization",
      "name": "Salesforce",
      "type": "organization"
    },
    {
      "id": 17724166708764419,
      "slug": "strands-agents-organization",
      "name": "Strands Agents",
      "type": "organization"
    },
    {
      "id": 17724266664152342,
      "slug": "julian-gr-ber-person",
      "name": "Julian Gr\u00fcber",
      "type": "person"
    },
    {
      "id": 17724167696118138,
      "slug": "satveer-khurpa-person",
      "name": "Satveer Khurpa",
      "type": "person"
    },
    {
      "id": 17795626729958751,
      "slug": "amazon-s3-resource",
      "name": "Amazon S3",
      "type": "resource"
    },
    {
      "id": 17723038993834580,
      "slug": "ai-regulation-topic",
      "name": "AI Regulation",
      "type": "topic"
    },
    {
      "id": 17723038993834764,
      "slug": "artificial-intelligence-topic",
      "name": "Artificial Intelligence",
      "type": "topic"
    },
    {
      "id": 17723038993835295,
      "slug": "cloud-computing-topic",
      "name": "Cloud Computing",
      "type": "topic"
    },
    {
      "id": 17723038993835921,
      "slug": "cybersecurity-topic",
      "name": "Cybersecurity",
      "type": "topic"
    }
  ]
}