Recap Series
- Session 01: A Developer’s Roadmap to Architecting for Agents
- Session 02: Amazon Bedrock Data Automation
- Session 03: Multi-Agent on AgentCore
- Session 04: Building Agentic AI Nova Act and Strands Agents in Practice
- Session 04: Accelerating Migration Projects with Kiro using Spec-Driven Development
- Session 06: From "Matching" to "Understanding": Personalized AI Search Practice Driven by AgentCore Memory
- Session 07: Observe to Optimize – LLM Observability to AIOps Turning real-time insights into intelligent automation
- Session 08: Deploying TEAM and Building the Best Engineering Team
- Session 09: Five Hard Lessons from Five Years of So-Called Serverless Databases
- Session 14: What if AI does my job How Q Developer CLI and Kiro have changed my daily routine
- Session 16: Velocity with Vigilance: Security Essentials for Amazon Bedrock Agent Development
- Session 26: Run OSS LLMs on a Single H100 Smarter, Cheaper, Faster
- Session 28: A Modern Unified Metadata Architecture: New Approaches to Breaking Down Data Silos
- Session 29: Serverless MediaOps: Automating Video Workflows with AI on Amazon Web Services
- Session 30: Architecting for Efficiency and Reliability with Performance Testing at Scale
- Session 31: Connecting the World Through Open Source: Practical Journey of Technology, Community and Global Developer Relations
- Session 33: Building Streaming Iceberg Tables for Real-Time Logistics Analytics
- Session 34: Accelerating Large-Scale Robot Strategy Training: An Automated Closed-Loop Architecture Based on Kiro, Trainium, and EKS
- Session 35: From Vibe to Viable with spec driven development
- Session 36: Making Cloud Cost Analysis Smarter: Building FinOps Intelligent Agents with Strands and AgentCore
- Session 37: Transform Conversational Agentic AIOps for K8s Using CNCF Kagent, K8sGPT, and Nova Sonic
Session Notes
Agentic Development is analogous to Distributed Programming / MicroServices.
Key Security Risks in agentic systems include:
- Threat Modeling Best Practices
- Transparency Agentic Systems Agent (Core component) interacts with:
- Memory
- Tools
- Planning
- Action Memory Components:
- Short-term memory
- Long-term memory Tools:
- Calendar
- Calculator
- Code Interpreter
- Search Planning Components:
- Reflection
- Self-critics
- Chain of thoughts
- Subgoal decomposition
Agentic Systems are Distributed Systems:
- Distributed systems make calls to various APIs, both local and remote.
- Remote calls have myriad failure cases:
- [ 1 ] Not authorized
- [ 2 ] No response
- [ 3 ] Slow response
- [ 4 ] Wrong response Agentic Security is even harder than traditional distributed systems security
- Agents can be highly non-deterministic.
- Questions on specificity:
- [ 1 ] How specific is the agent/tool/action group description?
- [ 2 ] How many agents are there?
- [ 3 ] How specific is your system prompt?
- Getting a wrong answer is a security concern. The Agentic Attack Surface includes:
- Every agent call
- Every tool call
- Every prompt
- Expanded surface due to:
- Wrong answers
- Delayed answers
- Multi-agent observability
- Non-determinism
- Data exfiltration
- Prompt injection Threats from the LLMs Themselves:
- AI models can fake compliance and plan deception when oversight weakens.
- Deceptive AI skills grow with model complexity.
- Human complacency fuels AI deception, risking unnoticed propagation in systems.
- An experiment by Apollo Research showed GPT-4 executing an illegal insider-trading plan and lying to investigators.
- Researchers found deception skills emerge in models as parameter counts grow, including:
- [ 1 ] Withholding critical facts
- [ 2 ] Fabricating credentials
- [ 3 ] Generating misleading explanations
Three Layers of Mitigation:
- Bedrock UG (> 3000 pages)
- Shared Responsibility Model Bedrock Specific Defenses
- Guardrails
- HTML Evaluation
- Traditional Amazon Web Services Security
- [ 1 ] IAM
- [ 2 ] Least Privilege
- [ 3 ] CloudWatch
- Guardrails metrics
- Amazon Bedrock Guardrails
- [ 1 ] Content Filters
- [ 2 ] Denied Topics
- [ 3 ] Word Filters
- [ 4 ] Sensitive Information Filters
- [ 5 ] Contextual Grounding check
- Apply to the model and to agents Shared Responsibility Model:
- All of the standard defenses
- Least Privilege
- IAM
- Lambda defences
- CloudWatch
- CloudTrail
