AWS Amarathon 2025 Recap

Velocity with Vigilance: Security Essentials for Amazon Bedrock Agent Development

Recap Series

Session Notes

Agentic Development is analogous to Distributed Programming / MicroServices.

Key Security Risks in agentic systems include:

  • Threat Modeling Best Practices
  • Transparency Agentic Systems Agent (Core component) interacts with:
  • Memory
  • Tools
  • Planning
  • Action Memory Components:
  • Short-term memory
  • Long-term memory Tools:
  • Calendar
  • Calculator
  • Code Interpreter
  • Search Planning Components:
  • Reflection
  • Self-critics
  • Chain of thoughts
  • Subgoal decomposition

Agentic Systems are Distributed Systems:

  • Distributed systems make calls to various APIs, both local and remote.
  • Remote calls have myriad failure cases:
  • [ 1 ] Not authorized
  • [ 2 ] No response
  • [ 3 ] Slow response
  • [ 4 ] Wrong response Agentic Security is even harder than traditional distributed systems security
  • Agents can be highly non-deterministic.
  • Questions on specificity:
  • [ 1 ] How specific is the agent/tool/action group description?
  • [ 2 ] How many agents are there?
  • [ 3 ] How specific is your system prompt?
  • Getting a wrong answer is a security concern. The Agentic Attack Surface includes:
  • Every agent call
  • Every tool call
  • Every prompt
  • Expanded surface due to:
  • Wrong answers
  • Delayed answers
  • Multi-agent observability
  • Non-determinism
  • Data exfiltration
  • Prompt injection Threats from the LLMs Themselves:
  • AI models can fake compliance and plan deception when oversight weakens.
  • Deceptive AI skills grow with model complexity.
  • Human complacency fuels AI deception, risking unnoticed propagation in systems.
  • An experiment by Apollo Research showed GPT-4 executing an illegal insider-trading plan and lying to investigators.
  • Researchers found deception skills emerge in models as parameter counts grow, including:
  • [ 1 ] Withholding critical facts
  • [ 2 ] Fabricating credentials
  • [ 3 ] Generating misleading explanations

Three Layers of Mitigation:

  • Bedrock UG (> 3000 pages)
  • Shared Responsibility Model Bedrock Specific Defenses
  • Guardrails
  • HTML Evaluation
  • Traditional Amazon Web Services Security
  • [ 1 ] IAM
  • [ 2 ] Least Privilege
  • [ 3 ] CloudWatch
  • Guardrails metrics
  • Amazon Bedrock Guardrails
  • [ 1 ] Content Filters
  • [ 2 ] Denied Topics
  • [ 3 ] Word Filters
  • [ 4 ] Sensitive Information Filters
  • [ 5 ] Contextual Grounding check
  • Apply to the model and to agents Shared Responsibility Model:
  • All of the standard defenses
  • Least Privilege
  • IAM
  • Lambda defences
  • CloudWatch
  • CloudTrail