Preventative security best practice for agents

The following best practices for Amazon Bedrock service can help prevent security incidents:

Use secure connections

Always use encrypted connections, such as those that begin with https:// to keep sensitive information secure in transit.

Implement least priviledge access to resources

When you create custom policies for Amazon Bedrock resources, grant only the permissions required to perform a task. It's recommended to start with a minimum set of permissions and grant additional permissions as needed. Implementing least privilege access is essential to reducing the risk and impact that could result from errors or malicious attacks. For more information, see Identity and access management for Amazon Bedrock.

Do not include PII in any of the agent resources containing customer data

When creating, updating, and deleting agents resources (for example, when using CreateAgent ) do not include personally-identifiable information (PII) in any fields that do not support using customer managed key such as action group names and knowledgebase names. For the list of fields that support using customer managed key, see Encryption of agent resources with customer managed keys (CMK)

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Encrypt agent sessions with customer managed key (CMK)

Encryption of agent resources for agents created before January 22, 2025