← AWS Implementation

AWS Prototype

AI IAM running on AWS

This prototype proves the core authorization flow: a request enters through API Gateway, is evaluated by a Lambda orchestrator, checks DynamoDB registries for user, agent, and data attributes, returns an allow or deny decision, and logs the result to CloudWatch.

Prototype Flow

API Gateway

Lambda Orchestrator

DynamoDB Registries

Authorization Decision

CloudWatch Audit Log

Allow Path

User adam invokes the finance-agent to access doc-1, which belongs to the finance domain and is allowed.

Deny Path

The same valid user and agent are denied when requesting an HR document outside the user’s allowed domain.

Audit Path

CloudWatch logs the decision, request ID, user, agent, document, purpose, risk, classification, and authorization reason.

Phase 1

API Gateway + Lambda Evidence

Lambda Orchestrator Code

Application-layer enforcement logic that checks user identity, agent capability, document domain, purpose, and risk before returning an authorization decision.

Lambda Test Success

Direct Lambda test proving the orchestrator can return an allow decision when the user, agent, and document are authorized.

CloudWatch Audit Log

Structured audit event showing the authorization decision, purpose, risk, identity chain, and request context.

Lambda CloudWatch Test

CloudWatch evidence that the Lambda execution is generating traceable logs for audit and investigation.

API Gateway Allow Test

Terminal curl result showing a successful POST request through API Gateway to the Lambda orchestrator.

API Gateway Deny Test

Terminal curl result proving enforcement: a valid user and agent are denied when the requested document falls outside the allowed data domain.

Phase 2

Cedar + Verified Permissions + Bedrock Evidence

Authorization rules externalized into Amazon Verified Permissions using Cedar policies, with Bedrock model invocation gated behind the full enforcement chain.

Cedar Policies in Verified Permissions

Cedar policy definitions stored in Amazon Verified Permissions, governing user-agent-document authorization by identity, domain, and purpose.

Cedar Policy Schema

Entity schema defining User, Agent, Document, and Action types used by AVP to validate policy structure and authorization requests.

Cedar Allow Decision

Verified Permissions returning an allow decision when the user, agent, document domain, and purpose all satisfy the Cedar policy.

Cedar Deny Decision

Verified Permissions returning a deny when the request purpose or domain does not satisfy the Cedar policy.

CloudWatch Cedar Allow Log

Structured audit event capturing a Cedar-authorized request with identity chain, purpose, domain, and decision reason.

CloudWatch Cedar Deny Log

Audit trail from a Cedar-denied request, preserving full context for investigation and compliance review.

Bedrock Allow Response

Authorized request flowing through the full enforcement chain — identity, Cedar policy, domain check — and reaching Bedrock for model invocation.

Bedrock Deny — Invalid Purpose

Request blocked before reaching Bedrock when the stated purpose does not satisfy the Cedar policy, proving enforcement before model access.

S3 Allow — Authorized Document, Model Invoked

A finance document is retrieved from S3 and evaluated against its metadata (domain and classification). The user, agent, purpose, and risk context satisfy the Cedar policy, resulting in an ALLOW decision. The document content is passed to Amazon Bedrock, demonstrating that only authorized data is permitted to enter the model.

S3 Deny — Blocked Document, Model Not Invoked

An HR document is retrieved from S3 and evaluated against its metadata. The document's domain falls outside the user's permitted scope, causing the Cedar policy to return a DENY decision. The document content is blocked before reaching Amazon Bedrock, proving that domain-restricted data cannot enter the model even after retrieval.

IAM Least-Privilege Policy

Scoped IAM policy attached to the Lambda orchestrator role, granting limited read access to exactly the five services required: Bedrock, CloudWatch Logs, DynamoDB, S3, and Verified Permissions. No other AWS services are accessible.

What This Proves

This prototype demonstrates that AI IAM can be enforced before model access across two phases. Phase 1 proves the core authorization flow through API Gateway, Lambda, and DynamoDB. Phase 2 externalizes rules into Cedar policies evaluated by Amazon Verified Permissions, and gates Bedrock model invocation behind the full enforcement chain — validating identity, agent scope, data domain, purpose, and risk before any model is invoked.

Current Prototype Status

Working AWS proof of concept

Implemented

  • • API Gateway POST endpoint
  • • Lambda authorization orchestrator
  • • DynamoDB user, agent, and document registries
  • • Allow and deny authorization paths
  • • CloudWatch structured audit logs
  • • Amazon Verified Permissions policy store
  • • Cedar policy schema and entity types
  • • Bedrock model invocation with enforcement
  • • S3-backed retrieval with domain filtering
  • • Least-privilege IAM policy for Lambda orchestrator

Next

  • • Package infrastructure as deployable IaC
  • • Add richer document corpus and retrieval ranking
  • • Add production error handling and response schema