
How to secure Amazon Bedrock agents

Amazon Bedrock makes it easy to ship agents that reason, call tools through action-group Lambdas, and retrieve from knowledge bases. The hard part is trust: how do you know a Bedrock agent did what it reported, and only that? This guide covers the runtime security gaps in Bedrock agents and how to close them with Kaizen.

What can go wrong with a Bedrock agent

  • Prompt injection through a knowledge base. A poisoned retrieved document can steer the agent into an action it was never meant to take.
  • The allowed-but-malicious action. An action-group Lambda is permitted to call an API, so a guardrail lets it through, even when the call exfiltrates data.
  • Report-versus-reality gaps. The agent's reasoning trace can say one thing while its Lambda actually does another. Anything that only reads the trace is fooled.

Bedrock Guardrails screen prompts and responses for content. They do not learn how each agent normally behaves or judge what it actually did on the wire. That behavioral layer is what Kaizen adds.

Attach Kaizen to a Bedrock agent

The lightweight way is a one-line wrapper around invoke_agent that forces enableTrace and inspects every action the agent takes:

import boto3
from kaizen_security import Kaizen
from kaizen_security.integrations.bedrock import KaizenBedrockAgent

# Placeholder identifiers; substitute your own agent and alias IDs.
AGENT_ID = "<agent-id>"
ALIAS_ID = "<agent-alias-id>"

# Register the agent and declare the tools and destinations it is allowed to use.
kz = Kaizen(api_key="kz_live_...", agent="support-bot")
kz.declare(tools=["lookup_order"], destinations=["api.internal"])

# Wrap the Bedrock runtime client; the wrapper forces enableTrace and inspects every action.
runtime = boto3.client("bedrock-agent-runtime", region_name="us-east-1")
agent = KaizenBedrockAgent(runtime, kz)
result = agent.invoke_agent(agentId=AGENT_ID, agentAliasId=ALIAS_ID, sessionId="s1", inputText="...")

Every action-group invocation, knowledge-base lookup, and return-of-control call flows to the isolated Observer, which learns the agent's behavior and flags deviations. See the full Amazon Bedrock integration.
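To make concrete what "inspects every action" means on the wrapper side, here is an added example (not Kaizen's code) that walks the event stream returned by invoke_agent with enableTrace=True and flags any action-group function or knowledge-base lookup outside a declared allowlist. The trace key layout follows Bedrock's trace events as returned by boto3; the allowlist values and the sample stream are constructed.

```python
from __future__ import annotations
from typing import Iterable

# Declared policy for the "support-bot" agent (assumed values for this example).
DECLARED_TOOLS = {"lookup_order"}
DECLARED_KNOWLEDGE_BASES = {"KB_PLACEHOLDER_ID"}


def extract_actions(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (kind, name) for every tool or KB call the trace stream reports."""
    actions: list[tuple[str, str]] = []
    for event in events:
        # Each trace event wraps a TracePart; the orchestration step sits under "trace".
        trace = event.get("trace", {}).get("trace", {})
        inv = trace.get("orchestrationTrace", {}).get("invocationInput")
        if not inv:
            continue  # chunks, rationales and observations carry no action
        ag = inv.get("actionGroupInvocationInput")
        if ag:
            # Function-schema action groups report "function"; OpenAPI ones "apiPath".
            actions.append(("tool", ag.get("function") or ag.get("apiPath") or "?"))
        kb = inv.get("knowledgeBaseLookupInput")
        if kb:
            actions.append(("kb", kb.get("knowledgeBaseId", "?")))
    return actions


def audit(events: Iterable[dict]) -> list[str]:
    """Return findings for reported actions that fall outside the declared policy."""
    findings = []
    for kind, name in extract_actions(events):
        allowed = DECLARED_TOOLS if kind == "tool" else DECLARED_KNOWLEDGE_BASES
        if name not in allowed:
            findings.append(f"undeclared {kind} call: {name}")
    return findings


# Constructed sample stream: a declared lookup, a KB retrieval and an undeclared tool.
SAMPLE_STREAM = [
    {"chunk": {"bytes": b"Checking your order..."}},
    {"trace": {"trace": {"orchestrationTrace": {"invocationInput": {
        "invocationType": "ACTION_GROUP",
        "actionGroupInvocationInput": {"actionGroupName": "orders", "function": "lookup_order"}}}}}},
    {"trace": {"trace": {"orchestrationTrace": {"invocationInput": {
        "invocationType": "KNOWLEDGE_BASE",
        "knowledgeBaseLookupInput": {"knowledgeBaseId": "KB_PLACEHOLDER_ID", "text": "refund policy"}}}}}},
    {"trace": {"trace": {"orchestrationTrace": {"invocationInput": {
        "invocationType": "ACTION_GROUP",
        "actionGroupInvocationInput": {"actionGroupName": "export", "function": "send_customer_list"}}}}}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_STREAM):
        print(finding)
```

Note that this check only sees what the trace reports; catching the report-versus-reality gap described above requires observing the Lambda's real egress, which a trace consumer alone cannot do.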

The in-tenant option: the Kaizen Sandbox

For teams whose data cannot leave their account, the deepest mode runs in your own AWS account next to the agent. It watches the agent's reasoning trace and its real egress, decides with Claude on Bedrock through IAM, and sends out only the verdict. No model key and no behavioral data leave your account. Read the proof in the Kaizen Sandbox on Bedrock.

Where to go next