Skip to main content

Overview

As AI agents become integral to workflows—coding assistants, autonomous workflows, MCP servers, and more—organizations need robust governance. Bedrock treats agents as first-class subjects, enabling you to apply the same authorization model to agents that you use for humans.

Why Agent Governance Matters

Principle of Least Privilege

Agents should only access what they need for their specific task

Context-Aware Access

Different scopes may require different agent capabilities

Auditability

Track what agents access and do across your organization

Revocability

Quickly revoke agent access when needed

Agent Subject Types

Bedrock supports multiple subject types for different use cases:
TypeUse CaseExample
agentAI assistants and autonomous agentsClaude, GPT-4, custom LLM agents
serviceBackend services and microservicesPayment processor, notification service
api_keyAPI integrationsThird-party integrations, webhooks

Example: Coding Assistant Agent

Let’s set up a coding assistant with appropriate permissions for a development team.

1. Register the Agent

curl -X POST 'https://api.example.com/subjects' \
  -H 'Authorization: Bearer YOUR_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
    "type": "agent",
    "externalId": "coding-assistant-v1",
    "metadata": {
      "name": "Coding Assistant",
      "model": "claude-3-sonnet",
      "version": "1.0.0",
      "capabilities": ["code-review", "code-generation", "documentation"]
    }
  }'

2. Create Agent-Specific Roles

Define roles tailored for agent capabilities: 
# Create all agent roles at once
curl -X POST 'https://api.example.com/roles/batch' \
  -H 'Content-Type: application/json' \
  -d '[
    {"id": "role_code_reader", "name": "Code Reader", "description": "Can read code and documentation", "scopeId": "scope_engineering"},
    {"id": "role_code_writer", "name": "Code Writer", "description": "Can read and modify code", "scopeId": "scope_engineering"},
    {"id": "role_autonomous", "name": "Autonomous Agent", "description": "Full autonomous access", "scopeId": "scope_engineering"}
  ]'

3. Define Agent Permissions

Create granular permissions for agent actions: 
# Create all permissions at once
curl -X POST 'https://api.example.com/permissions/batch' \
  -H 'Content-Type: application/json' \
  -d '[
    {"id": "perm_read_code", "scopeId": "scope_engineering", "action": "read", "resourceType": "code", "resourcePattern": "*", "key": "code:read:*"},
    {"id": "perm_write_code", "scopeId": "scope_engineering", "action": "write", "resourceType": "code", "resourcePattern": "*", "key": "code:write:*"},
    {"id": "perm_execute_code", "scopeId": "scope_engineering", "action": "execute", "resourceType": "code", "resourcePattern": "*", "key": "code:execute:*"},
    {"id": "perm_read_infra", "scopeId": "scope_engineering", "action": "read", "resourceType": "infrastructure", "resourcePattern": "*", "key": "infrastructure:read:*"},
    {"id": "perm_modify_infra", "scopeId": "scope_engineering", "action": "modify", "resourceType": "infrastructure", "resourcePattern": "*", "key": "infrastructure:modify:*"},
    {"id": "perm_read_data", "scopeId": "scope_engineering", "action": "read", "resourceType": "data", "resourcePattern": "*", "key": "data:read:*"},
    {"id": "perm_write_data", "scopeId": "scope_engineering", "action": "write", "resourceType": "data", "resourcePattern": "*", "key": "data:write:*"}
  ]'

# Assign permissions to roles
curl -X POST 'https://api.example.com/role-permissions/batch' \
  -H 'Content-Type: application/json' \
  -d '[
    {"roleId": "role_code_reader", "permissionId": "perm_read_code"},
    {"roleId": "role_code_writer", "permissionId": "perm_read_code"},
    {"roleId": "role_code_writer", "permissionId": "perm_write_code"}
  ]'

4. Add Agent to Scope with Restricted Role

You can create the agent with inline membership and role assignment: 
# Create agent with membership and role in one request
curl -X POST 'https://api.example.com/subjects' \
  -H 'Content-Type: application/json' \
  -d '{
    "id": "sub_coding_assistant",
    "subjectType": "agent",
    "externalId": "coding-assistant-v1",
    "displayName": "Coding Assistant",
    "meta": {"model": "claude-3-sonnet", "version": "1.0.0"},
    "memberships": [
      {"scopeId": "scope_engineering", "roleIds": ["role_code_reader"]}
    ]
  }'
Inline Memberships: The memberships array creates the membership and role assignments automatically when the subject is created.

Advanced Patterns

Pattern 1: Scope-Specific Agent Permissions

Different teams may want different agent capabilities: 
# Platform team allows code writing
curl -X POST 'https://api.example.com/memberships' \
  -d '{"subjectId": "sub_coding_assistant", "scopeId": "scope_platform"}'

curl -X POST 'https://api.example.com/role-assignments' \
  -d '{"roleId": "role_code_writer", "membershipId": "mem_agent_platform"}'

# Security team restricts to read-only
curl -X POST 'https://api.example.com/memberships' \
  -d '{"subjectId": "sub_coding_assistant", "scopeId": "scope_security"}'

curl -X POST 'https://api.example.com/role-assignments' \
  -d '{"roleId": "role_code_reader", "membershipId": "mem_agent_security"}'

Pattern 2: Override Agent Permissions at Child Scopes

Restrict agent capabilities in sensitive areas: 
# Disable code execution for agents in production scope
curl -X POST 'https://api.example.com/scope-overrides/permissions' \
  -d '{
    "childScopeId": "scope_production",
    "permissionId": "perm_execute_code",
    "state": "disabled"
  }'

# Disable data write for agents in customer data scope
curl -X POST 'https://api.example.com/scope-overrides/permissions' \
  -d '{
    "childScopeId": "scope_customer_data",
    "permissionId": "perm_write_data",
    "state": "disabled"
  }'

Pattern 3: Role-Permission Overrides for Agents

Fine-tune what specific roles can do at specific scopes: 
# Code Writer role cannot write code in the compliance scope
curl -X POST 'https://api.example.com/scope-overrides/role-permissions' \
  -d '{
    "childScopeId": "scope_compliance",
    "roleId": "role_code_writer",
    "permissionId": "perm_write_code",
    "state": "disabled"
  }'

Pattern 4: Multiple Agents with Different Access

# Create multiple agents with their roles in one batch
curl -X POST 'https://api.example.com/subjects/batch' \
  -H 'Content-Type: application/json' \
  -d '[
    {
      "subjectType": "agent",
      "externalId": "coding-assistant",
      "displayName": "Coding Assistant",
      "memberships": [{"scopeId": "scope_engineering", "roleIds": ["role_code_writer"]}]
    },
    {
      "subjectType": "agent",
      "externalId": "docs-assistant",
      "displayName": "Documentation Agent",
      "memberships": [{"scopeId": "scope_engineering", "roleIds": ["role_code_reader"]}]
    },
    {
      "subjectType": "agent",
      "externalId": "security-scanner",
      "displayName": "Security Scanner",
      "memberships": [{"scopeId": "scope_engineering", "roleIds": ["role_code_reader"]}]
    }
  ]'

MCP Server Integration

When using Model Context Protocol (MCP) servers, Bedrock can govern which tools and resources agents can access: 
# Create MCP-specific permissions in batch
curl -X POST 'https://api.example.com/permissions/batch' \
  -H 'Content-Type: application/json' \
  -d '[
    {"id": "perm_mcp_fs_read", "scopeId": "scope_engineering", "action": "read", "resourceType": "mcp:filesystem", "resourcePattern": "*", "key": "mcp:filesystem:read:*"},
    {"id": "perm_mcp_fs_write", "scopeId": "scope_engineering", "action": "write", "resourceType": "mcp:filesystem", "resourcePattern": "*", "key": "mcp:filesystem:write:*"},
    {"id": "perm_mcp_db_query", "scopeId": "scope_engineering", "action": "query", "resourceType": "mcp:database", "resourcePattern": "*", "key": "mcp:database:query:*"},
    {"id": "perm_mcp_gh_read", "scopeId": "scope_engineering", "action": "read", "resourceType": "mcp:github", "resourcePattern": "*", "key": "mcp:github:read:*"},
    {"id": "perm_mcp_gh_write", "scopeId": "scope_engineering", "action": "write", "resourceType": "mcp:github", "resourcePattern": "*", "key": "mcp:github:write:*"}
  ]'
Your MCP server can then check Bedrock permissions before executing tools.

Checking Agent Permissions

Use the BedrockEngine to evaluate permissions at runtime: 
import { BedrockEngine } from '@bedrock/core';

const engine = new BedrockEngine(store);

// Check if an agent can perform an action
const decision = await engine.evaluate({
  actor: { subjectId: 'agent_coding_assistant', subjectType: 'agent' },
  scopeId: 'scope_engineering',
  action: 'write',
  resource: { resourceType: 'code', resourcePattern: '*' },
});

if (decision.allowed) {
  // Agent has permission
  console.log(decision.explanation);
  // "Permission write:code granted via roles: role_code_writer"
} else {
  // Agent denied
  console.log(decision.explanation);
  // "No permission for write:code for subject agent_coding_assistant in scope scope_engineering"
}

Delegated Permissions (Agent Acting on Behalf of User)

When an agent acts on behalf of a user, both must have permission: 
const decision = await engine.evaluate({
  actor: { subjectId: 'agent_coding_assistant', subjectType: 'agent' },
  onBehalfOf: { subjectId: 'user_jane', subjectType: 'user' },
  scopeId: 'scope_engineering',
  action: 'write',
  resource: { resourceType: 'code' },
});

// Both actor (agent) AND principal (user) must be allowed
console.log(decision.usedDelegation); // true
console.log(decision.allowed); // true only if both have permission

List All Effective Permissions

const permissions = await engine.listEffectivePermissions(
  'agent_coding_assistant',
  'scope_engineering'
);

// Returns array of EffectivePermissionSummary
// [{ resourceType: 'code', action: 'read', permissions: [...], sourceRoles: [...] }]

Best Practices

Give agents the least privilege needed. It’s easier to grant more access than to revoke it after a problem.
Include model version, capabilities, and purpose in agent metadata for easier auditing.
Create different agent subjects for different purposes rather than one super-agent.
Use scope overrides to limit agent capabilities in production environments.
Log all permission checks and actions for compliance and debugging.
Use external IDs like coding-assistant-v1 to track agent versions.

Comparison: User vs Agent Governance

AspectUsersAgents
Subject typeuseragent, service, api_key
AuthenticationOAuth, SSO, passwordsAPI keys, tokens
Typical rolesAdmin, Editor, ViewerReader, Writer, Autonomous
Permission scopeOften broadUsually narrow and specific
Override usageOccasionalFrequent (restrict in sensitive areas)
MetadataName, emailModel, version, capabilities

Next Steps

Multi-tenant Authorization

Isolate agent access across tenants

Scope Overrides

Fine-tune agent permissions at specific scopes