Add advanced Policy + Lambda Interceptor sample to lakehouse-agent #1389
ren8k wants to merge 12 commits into awslabs:main
…a Interceptor
Add package.json, tsconfig.json, cdk.json.example, and .gitignore under deployment/advanced-agentcore-policy-gateway-interceptor/ as the base for Phase 2 (AgentCore Cedar Policy + Lambda Interceptor) deployment.
- cdk.json is generated at deploy-time by scripts/generate-cdk-context.sh from SSM Parameter Store, so only cdk.json.example is tracked.

PolicyStack provisions:
- CfnPolicyEngine (AgentCore Policy Engine)
- CfnPolicy x N (Cedar policies, permit_all first then forbids)
- IAM inline policy on Gateway role for policy evaluation permissions
- AwsCustomResource to re-attach Interceptors + Policy Engine to the Gateway

bin/app.ts reads account/region from CDK context (or CDK_DEFAULT_ACCOUNT/REGION) so no hard-coded AWS account ID is required for public distribution.
The repository root .gitignore excludes lib/ globally (matches Node.js build output convention). Add a negation rule for the advanced AgentCore Policy sample so lib/policy-stack.ts is tracked. Also adds lib/policy-stack.ts itself, which was silently ignored in the previous commit.
- permit_all.cedar: baseline allow (deny-by-default without this)
- forbid_policyholder_summary.cedar: Design 1 — policyholders group
cannot invoke get_claims_summary
- forbid_eu_individual_claims.cedar: Design 3 — users flagged as EU
geography cannot invoke query_claims / get_claim_details
- forbid_restricted_geography.cedar: Design 3 — RESTRICTED geography
is denied on all tools
{gateway_arn} in each file is substituted at synth time by PolicyStack.
Design 3 version of the request interceptor injects user geography into params.arguments.geography so the Cedar policy can evaluate it as context.input.geography. During pre-deploy, this file overwrites the Phase 1 Lambda source at deployment/5-gateway-setup/interceptor-request/lambda_function.py and redeploys the Lambda.
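The injection step this commit message describes, as an added example that is not the PR's Lambda code. The user-to-geography table, the fail-closed default, and `model_decision` (a plain-Python model of the two geography forbids, not Cedar) are assumptions made for illustration; the real interceptor's event format and lookup source are not shown on the page.

```python
import copy

# Constructed user -> geography table. Where the real interceptor reads this
# from is not stated on the page; this lookup is an assumption.
GEOGRAPHY_BY_USER = {"alice@example.com": "US", "bob@example.com": "EU"}
EU_BLOCKED_TOOLS = {"query_claims", "get_claim_details"}


def inject_geography(mcp_request: dict, user_id: str) -> dict:
    """Return a copy of an MCP tools/call request with a server-derived geography."""
    request = copy.deepcopy(mcp_request)
    if request.get("method") != "tools/call":
        return request  # only tool invocations carry arguments to annotate
    params = request.get("params")
    if not isinstance(params, dict):
        params = request["params"] = {}
    arguments = params.get("arguments")
    if not isinstance(arguments, dict):
        arguments = params["arguments"] = {}
    # Overwrite instead of setdefault: a caller-supplied value is untrusted.
    # Unknown users map to RESTRICTED so a lookup miss fails closed (assumption).
    arguments["geography"] = GEOGRAPHY_BY_USER.get(user_id, "RESTRICTED")
    return request


def model_decision(request: dict) -> str:
    """Python model of the two geography forbids listed above (not Cedar itself)."""
    params = request.get("params", {})
    geography = params.get("arguments", {}).get("geography")
    if geography == "RESTRICTED":
        return "deny"  # forbid_restricted_geography: all tools
    if geography == "EU" and params.get("name") in EU_BLOCKED_TOOLS:
        return "deny"  # forbid_eu_individual_claims
    return "allow"  # permit_all baseline


# Constructed request whose arguments already contain a geography value.
PRESET = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
          "params": {"name": "get_claim_details",
                     "arguments": {"claim_id": "C-1", "geography": "US"}}}

if __name__ == "__main__":
    print(model_decision(inject_geography(PRESET, "bob@example.com")))
```

The point to check in a real interceptor is the overwrite: if the value were only filled in when absent, the policy would be evaluating caller-controlled input.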
- generate-cdk-context.sh: auto-generates cdk.json from SSM parameters populated by Phase 1 deployment (account, gateway ARN, interceptor ARNs, cognito client IDs, etc.). Uses `aws sts get-caller-identity` to derive the account ID instead of hard-coding it.
- detach-interceptors.py: detaches Interceptors from the Gateway so Cedar Policy validation can complete (its internal MCP validation requests are SigV4-signed and fail on JWT-validating Interceptors).
- pre-deploy.sh: orchestrates the 3 preparation steps (context, detach, Lambda update) before `cdk deploy`.

verification/verify_policy.py runs 13 checks covering all three design patterns described in the blog post:
- Design 1 (Policy Only): forbid policyholders from get_claims_summary
- Design 2 (Interceptor Only): row-level isolation + column masking via Lake Formation using tenant-scoped credentials
- Design 3 (Policy + Interceptor): geography-based access control where the interceptor injects geography and Cedar evaluates it

The script loads all configuration from SSM Parameter Store and uses the default boto3 credential chain, so no AWS profile is hard-coded. Lives under verification/ rather than test/ so it is not mistaken for a CDK unit-test directory.

README covers:
- Prerequisites (depends on Phase 1 being deployed)
- Directory layout
- Deploy: pre-deploy.sh (generate cdk.json, detach interceptors, update Lambda) + cdk deploy + activation check + verify_policy
- Policy-by-policy explanation of what each Cedar file enforces
- Cleanup (Phase 2 then Phase 1, in reverse order) including how to roll back the Design 3 Lambda changes before Phase 1 cleanup
- Troubleshooting table for common failure modes

…hase 1 guide
- Intro: describe the Phase 1 / Phase 2 split up front so readers know the CDK sample is opt-in.
- New Step 9 section points to advanced-agentcore-policy-gateway-interceptor/README.md and summarizes what it adds (Policy Engine, 4 Cedar policies, Gateway re-attach, Design 3 Lambda upgrade).
- Quick Reference row and Directory Structure entry updated to include the Phase 2 directory.
- Cleanup: call out that Phase 2 must be destroyed first (cdk destroy) so Phase 1 cleanup can remove the Gateway role without attached policy evaluation permissions.

…Interceptor sample
Adds a short "Optional: Advanced AgentCore Policy + Lambda Interceptors (Phase 2)" section after the base deployment options. It introduces the three designs from the blog post (Policy Only / Interceptor Only / Policy + Interceptor) and links to the detailed Phase 2 README.

…e verify_policy.py
setup_cognito.py creates users with a temporary password, so every user starts in Cognito FORCE_CHANGE_PASSWORD state. admin_initiate_auth then returns a NEW_PASSWORD_REQUIRED challenge instead of an AuthenticationResult, which breaks any client that does not handle the challenge — including the Phase 2 verify_policy.py.
Surface this prerequisite in two READMEs:
- deployment/README.md (Step 1 Cognito): tell readers to complete the first sign-in through the Streamlit UI once per user, and note that PasswordHistorySize is unset so reusing TempPass123! as the new password works.
- deployment/advanced-agentcore-policy-gateway-interceptor/README.md (before Step 4): call out the same requirement right before the verify_policy.py run so Phase 2 users notice it.

Discovered during a clean-account walkthrough of the full deploy path; without this step verify_policy.py aborts at the first authenticate_user call with KeyError: 'AuthenticationResult'.
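A client-side way to handle the challenge described in this commit message, as an added example; it is not the PR's `verify_policy.py`, which instead documents the first sign-in as a prerequisite. The `ADMIN_USER_PASSWORD_AUTH` flow, the `ChallengeRequired` exception, and the `StubCognito` stand-in are assumptions; `client` is expected to be a boto3 `cognito-idp` client.

```python
class ChallengeRequired(RuntimeError):
    """Cognito answered with a challenge instead of tokens."""


def authenticate_user(client, pool_id, client_id, username, password, new_password=None):
    """Return the AuthenticationResult dict, handling NEW_PASSWORD_REQUIRED explicitly.

    The auth flow is an assumption; the page does not say which flow the script uses.
    """
    resp = client.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id,
        AuthFlow="ADMIN_USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )
    if "AuthenticationResult" in resp:
        return resp["AuthenticationResult"]
    challenge = resp.get("ChallengeName")
    # Fail with a readable error rather than KeyError: 'AuthenticationResult'.
    if challenge != "NEW_PASSWORD_REQUIRED" or new_password is None:
        raise ChallengeRequired(
            f"{username}: Cognito returned challenge {challenge!r}; "
            "complete the first sign-in before running verification")
    resp = client.admin_respond_to_auth_challenge(
        UserPoolId=pool_id, ClientId=client_id,
        ChallengeName="NEW_PASSWORD_REQUIRED", Session=resp["Session"],
        ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
    )
    if "AuthenticationResult" not in resp:
        raise ChallengeRequired(f"{username}: further challenge {resp.get('ChallengeName')!r}")
    return resp["AuthenticationResult"]


class StubCognito:
    """Constructed stand-in for the boto3 client: one user in FORCE_CHANGE_PASSWORD."""

    def __init__(self):
        self.force_change = True

    def admin_initiate_auth(self, **kwargs):
        if self.force_change:
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": "constructed-session"}
        return {"AuthenticationResult": {"AccessToken": "constructed-token"}}

    def admin_respond_to_auth_challenge(self, **kwargs):
        if kwargs["Session"] != "constructed-session":
            raise ValueError("unknown session")
        self.force_change = False  # user leaves FORCE_CHANGE_PASSWORD
        return {"AuthenticationResult": {"AccessToken": "constructed-token"}}
```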
Follows the Pull Request checklist item "Add your name to CONTRIBUTORS.md" for the advanced AgentCore Policy + Lambda Interceptor sample (PR awslabs#1389).
```python
if tenant_credentials:
    logger.info(
        f"🔑 Obtained temporary credentials for role: {tenant_credentials['RoleName']}"
```
Latest scan for commit:

Security Scan Results

Detailed Findings (4 actionable findings)
- Finding 1: B310
- Finding 2: SECRET-SECRET-KEYWORD
- Finding 3: GHSA-48c2-rrv3-qjmp-yaml
- Finding 4: GHSA-f886-m6hf-6m8v-brace-expansion

Report generated by Automated Security Helper (ASH) at 2026-04-22T15:50:06+00:00
Important
`review ready` label to it. Only PRs with `review ready` will be reviewed.

Issue number:
Concise description of the PR

Adds an advanced AgentCore Policy + Lambda Interceptor sample alongside `02-use-cases/lakehouse-agent/`, as publicly runnable reference code for the companion blog post "Build Secure AI Agent Behavior with Policy and Lambda Interceptors in Amazon Bedrock AgentCore". The sample covers all three patterns described in the post: Policy only, Interceptor only, and Policy + Interceptor.

The change is strictly additive — no existing Phase 1 code is modified. Everything new lives in a single new folder, `02-use-cases/lakehouse-agent/deployment/advanced-agentcore-policy-gateway-interceptor/`. The only edits to pre-existing files are three README-level additions that link to the new folder. Phase 1 still works standalone.

User experience

Before: `lakehouse-agent/` demonstrates OAuth + Lake Formation row/column-level security, but has no runnable example of Cedar-based AgentCore Policy or of combining Policy with a Lambda Interceptor.

After: Readers of the blog post can clone the repo, run Phase 1 as before, then `cd` into the new folder and run two commands (`bash scripts/pre-deploy.sh` and `npx cdk deploy`) to deploy Phase 2. Phase 2 reads all of its inputs from SSM parameters that Phase 1 already writes — no manual wiring. `verification/verify_policy.py` exercises all three patterns end to end and prints `Results: 13/13 passed`.

What this PR adds under the new folder:

- `LakehousePolicyEngine`, four Cedar policies (`permit_all`, `forbid_policyholder_summary`, `forbid_eu_individual_claims`, `forbid_restricted_geography`), the IAM permissions the Gateway role needs, and an `UpdateGateway` call that re-attaches both Interceptors together with the Policy Engine in `ENFORCE` mode.
- `USER_GEOGRAPHY` for Cedar to evaluate as `context.input.geography`.
- `pre-deploy.sh` helper that generates `cdk.json` from SSM, temporarily detaches the Interceptors (required so Cedar policy validation succeeds), and redeploys the Design 3 Lambda. One caveat — that it overwrites the Phase 1 Lambda source on disk while packaging — is documented in the Phase 2 README together with the rollback command.
- `verification/verify_policy.py`, a 13-check end-to-end verification script.
- `verify_policy.py` runs (discovered during a clean-account end-to-end deploy; `setup_cognito.py` leaves users in `FORCE_CHANGE_PASSWORD` state).

Tested

End-to-end on a clean AWS account (`us-east-1`), following the updated READMEs verbatim:

- `ACTIVE`.
- `verification/verify_policy.py` → `Results: 13/13 passed` (7 Design 1 checks, 3 Design 2 checks, 3 Design 3 checks).

Checklist

- `deployment/advanced-agentcore-policy-gateway-interceptor/README.md`. Architecture is deliberately not duplicated — it is the same as the existing Phase 1 diagram and is covered by the blog post.

Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.