AWS Implementation
Building AI IAM with AWS-native services
This implementation maps the AI IAM reference architecture to AWS services using Amazon Verified Permissions for business authorization, IAM for infrastructure enforcement, and Bedrock for model execution.
Core AWS Principle
Cedar provides business authorization. IAM enforces infrastructure permissions. Application middleware connects both into a runtime AI authorization system.
Service-to-Layer Mapping
Runtime Request Flow
Step 1: User authenticates
Step 2: Request reaches API Gateway
Step 3: Lambda evaluates user → agent access
Step 4: Verified Permissions evaluates Cedar policy
Step 5: Agent registry and delegation context are loaded
Step 6: Tool and retrieval calls are policy-checked
Step 7: Authorized context is sent to Bedrock
Step 8: Output is filtered, logged, and returned
Verified Permissions Role
Amazon Verified Permissions acts as the central policy decision point for AI IAM. Application middleware submits authorization requests containing user identity, agent identity, action, resource, purpose, context, and risk. Cedar policies return allow, deny, or conditional outcomes that the application enforces before invoking agents, tools, retrieval, model calls, or output release.
isAuthorized({
  principal: User::"adam",
  action: Action::"RetrieveDocument",
  resource: Document::"finance-forecast",
  context: {
    agent: "finance-agent",
    purpose: "board-reporting",
    risk: "medium",
    device_trust: "managed"
  }
})

Minimum Viable Prototype
Build Step 1: Create Cognito user pool or use IAM Identity Center
Build Step 2: Create API Gateway endpoint and Lambda orchestrator
Build Step 3: Create DynamoDB tables for agents, capabilities, and delegation
Build Step 4: Create Verified Permissions policy store
Build Step 5: Write Cedar policies for user-agent, agent-tool, and user-data checks
Build Step 6: Store sample documents in S3 with metadata tags
Build Step 7: Add retrieval filtering before Bedrock invocation
Build Step 8: Log every decision and execution step to CloudWatch
Audit & Detection Stack
The AWS audit layer should capture identity chain, delegation context, Cedar decision results, retrieved document IDs, tool calls, Bedrock invocation metadata, output filtering results, denials, step-up events, and human approvals.
CloudWatch
CloudTrail
Security Lake
GuardDuty
Macie
Production Hardening
Least-privilege IAM roles
Each Lambda, agent, retriever, and tool should use scoped IAM permissions. IAM controls infrastructure access while Cedar controls business authorization.
Delegation expiration
Delegation tokens should be task-bound, time-bound, revocable, and linked to a specific user-agent-purpose chain.
Sensitive data detection
Use Macie, metadata labels, and application validation to prevent sensitive data from entering the model context without approval.
Human approval paths
High-risk actions such as external sharing, privileged tool execution, or sensitive data export should require explicit review.
Current Prototype Status
Working AWS proof of concept
Implemented
- API Gateway POST endpoint
- Lambda authorization orchestrator
- DynamoDB user, agent, and document registries
- Allow and deny authorization paths
- CloudWatch structured audit logs
Next
- Externalize rules into Amazon Verified Permissions
- Add Cedar policy schema
- Add Bedrock model invocation
- Add S3-backed retrieval filtering
- Add stronger least-privilege IAM controls