6. Infrastructure security for agentic AI systems on AWS - AWS Prescriptive Guidance

6. Infrastructure security for agentic AI systems on AWS

Infrastructure security for agentic AI systems requires isolation strategies and immutable deployment practices to contain potential compromises. Account separation and automated deployment pipelines reduce both the attack surface and operational risk.

6.1 Use the AWS Security Reference Architecture for AI systems (AI-specific)

The AWS Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment. Use the latest AWS SRA – generative AI guide to align with AWS security best practices for generative AI systems. These best practices form a solid foundation for agentic AI systems. Specifically, use AWS account structures to separate agents from data sources that are not directly related to their operational functions. For example, make sure that fine-tuning data is isolated from any operational runtime environments. This reduces the scope of potential compromise and improves access control granularity.
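The following Python block is an added illustration, not code from the AWS SRA or this guide. It shows the account-separation idea in 6.1 as a policy document: the agent runtime is allowed to read its own operational knowledge-base bucket, while every S3 action against the fine-tuning data bucket is explicitly denied. The bucket names, statement IDs and the combined policy are constructed placeholders (in practice the Deny would be a service control policy on the agent OU and the Allow the role's identity policy); the small evaluator implements only the core IAM decision order (explicit deny wins, then allow, otherwise implicit deny) and ignores conditions, principals and NotAction/NotResource.

```python
"""Illustrative account-isolation policy for agent runtime roles.

Added example with constructed names; not from the AWS guidance.
"""
from fnmatch import fnmatchcase

# Constructed policy: agents may read their operational knowledge base, but
# any access to the fine-tuning data bucket (held in a separate account in
# the 6.1 recommendation) is denied regardless of other grants.
AGENT_RUNTIME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowOperationalReads",  # constructed Sid
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::agent-kb-runtime-EXAMPLE",
                "arn:aws:s3:::agent-kb-runtime-EXAMPLE/*",
            ],
        },
        {
            "Sid": "DenyFineTuningData",  # constructed Sid
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::fine-tuning-data-EXAMPLE",
                "arn:aws:s3:::fine-tuning-data-EXAMPLE/*",
            ],
        },
    ],
}

# Actions probed when checking that a bucket is fully walled off.
PROBE_ACTIONS = ("s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Glob-style match as used by IAM wildcards ('s3:*', 'arn:...:bucket/*')."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Simplified IAM decision: ExplicitDeny > Allow > ImplicitDeny.

    Conditions, principals and NotAction/NotResource are deliberately ignored.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            decision = "Allow"
    return decision


def isolates_bucket(policy, bucket_arn):
    """True when no probed action is allowed on the bucket or its objects."""
    for action in PROBE_ACTIONS:
        for resource in (bucket_arn, bucket_arn + "/sample-object"):
            if evaluate(policy, action, resource) == "Allow":
                return False
    return True


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::agent-kb-runtime-EXAMPLE/doc.txt"),
        ("s3:GetObject", "arn:aws:s3:::fine-tuning-data-EXAMPLE/train.jsonl"),
        ("s3:PutObject", "arn:aws:s3:::agent-kb-runtime-EXAMPLE/doc.txt"),
    ]:
        print(f"{action:14} {resource:55} -> {evaluate(AGENT_RUNTIME_POLICY, action, resource)}")
    print("fine-tuning bucket isolated:",
          isolates_bucket(AGENT_RUNTIME_POLICY, "arn:aws:s3:::fine-tuning-data-EXAMPLE"))
```

The `isolates_bucket` check is the kind of assertion worth running in a pipeline against the rendered policies for each agent account: it fails as soon as any statement opens a path to the fine-tuning data, even if a later Allow is added by mistake.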

6.2 Apply defense-in-depth principles (General)

Apply defense-in-depth principles throughout the infrastructure to create multiple security barriers that help protect against various attack vectors. This approach reduces the likelihood of any single control failure resulting in a system breach. For more information, see Architect defense-in-depth security for generative AI applications using the OWASP Top 10 for LLMs (AWS blog post).

6.3 Reduce human access to infrastructure (General)

The AWS Well-Architected Framework recommends that you automate the generative AI application lifecycle with infrastructure as code and that you use runbooks for standard activities such as deployment. Make sure that your infrastructure deployment includes tested, standardized runbooks. This reduces the likelihood of human error introducing vulnerabilities during the deployment process. Deploy immutable infrastructure and implement break-glass procedures to prevent unauthorized modifications and promote consistent security configurations across environments. For more information about controlling changes, see How do you implement change? in the AWS Well-Architected Framework.

The AWS Well-Architected Framework also recommends that you deploy software programmatically and that you use multiple environments. Use automated pipelines to deploy code across environments, and regularly assess the security properties of the pipeline.

6.4 Deploy adequate edge protection (General)

Deploy edge protections that help protect against common web application threats, such as those outlined in the OWASP Web Application Security Project (OWASP website). This can help protect agentic AI systems from internet-based attacks. Implement controls to limit unreasonable request volumes and filter requests from known threats. This can prevent denial-of-service attacks and reduce exposure to malicious actors. Establish capabilities for rapid rule updates to protect against emerging threats. Make sure that security controls can adapt quickly to new attack patterns and vulnerabilities. For more information about limiting request volumes, see Applying rate limiting to requests in AWS WAF.
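As an added example (not code from this guide or from AWS WAF), the Python block below shows the two edge controls named in 6.4 applied to a constructed request log: a per-source request-volume limit over a trailing window, in the spirit of an AWS WAF rate-based rule, and a filter for sources in a known-threat network list. The log lines, IP addresses, limit, window and network range are all constructed; the per-request sliding window is a simplification of how WAF evaluates rate-based rules, so it is meant to show the logic, not to reproduce the service's exact timing.

```python
"""Edge-protection logic over a constructed request log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed denylist standing in for a known-threat IP set (documentation range).
KNOWN_THREAT_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log: "<ISO-8601 UTC> <client-ip> <method> <path>".
_BASE = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)


def _line(offset_s, ip, path="/agent/invoke"):
    stamp = (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{stamp} {ip} POST {path}"


SAMPLE_LOG = (
    [_line(i * 2, "203.0.113.7") for i in range(25)]   # burst: 25 requests in 50 s
    + [_line(i * 30, "192.0.2.10") for i in range(5)]  # ordinary client, 5 requests
    + [_line(10, "198.51.100.5")]                      # source inside the denylisted range
)


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, method, path)."""
    stamp, ip, method, path = line.split()
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")), ip, method, path


def evaluate_requests(lines, limit=20, window_seconds=300, threat_networks=KNOWN_THREAT_NETWORKS):
    """Decide ALLOW/BLOCK for each request, in timestamp order.

    A source is blocked when it appears in a known-threat network, or when its
    request count in the trailing window exceeds `limit` (sliding window per IP).
    Returns a list of (timestamp, ip, decision, reason).
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    decisions = []
    for ts, ip, _method, _path in sorted(parse_line(l) for l in lines):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in threat_networks):
            decisions.append((ts, ip, "BLOCK", "known-threat"))
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) > limit:
            decisions.append((ts, ip, "BLOCK", "rate-limit"))
        else:
            decisions.append((ts, ip, "ALLOW", "-"))
    return decisions


def blocked_sources(decisions):
    """Summarise which sources were blocked and why: ip -> set of reasons."""
    summary = defaultdict(set)
    for _ts, ip, decision, reason in decisions:
        if decision == "BLOCK":
            summary[ip].add(reason)
    return dict(summary)


if __name__ == "__main__":
    results = evaluate_requests(SAMPLE_LOG)
    for ip, reasons in sorted(blocked_sources(results).items()):
        print(f"{ip:15} blocked: {', '.join(sorted(reasons))}")
```

Keeping the limit and the threat list as plain parameters is what makes the "rapid rule updates" in 6.4 cheap: tightening the threshold or adding a network range changes data, not code, which is also how a managed rate-based rule or IP set is updated in AWS WAF.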