World Today News

March 29, 2026 | Rachel Kim – Technology Editor | Technology

AWS Weekly Roundup: Agentic AI Hits Production, But Can Cedar Policies Stop the Hallucinations?

The dust hasn’t settled on last week’s zero-day patches before Amazon drops another wave of infrastructure updates. This week’s AWS release cycle signals a definitive shift from experimental generative AI to “Agentic” workflows—software that doesn’t just talk, it acts. While the marketing machine spins this as “limitless creativity,” the engineering reality is a complex mesh of new latency bottlenecks and attack surfaces. We are seeing the commoditization of AI agents in healthcare and gaming, but the real story lies in the governance layer: Bedrock AgentCore now speaks Cedar.

  • The Tech TL;DR:
    • Bedrock AgentCore Policy: AWS introduces fine-grained, natural-language-to-Cedar policy controls for AI agents, moving governance outside the application code.
    • Connect Health GA: Five purpose-built healthcare agents are now generally available, claiming HIPAA eligibility but requiring strict workflow integration.
    • VPC Encryption Costs: The free preview for VPC Encryption Controls ends March 1; enforcement mode is now a line item on your bill.

For the CTOs and principal engineers reading this, the headline isn’t the new agents; it’s the control plane. When you deploy an autonomous agent that can execute SQL queries or modify S3 buckets, the blast radius of a hallucination expands from a weird chat response to a production outage. AWS is attempting to solve this with the general availability of Policy in Amazon Bedrock AgentCore. This allows security teams to define tool access rules using natural language that compiles into Cedar, AWS’s open-source policy language. It’s a necessary abstraction layer, separating intent from execution.

The Governance Gap: Cedar vs. Traditional IAM

Historically, securing AI agents meant wrapping them in rigid IAM roles, a blunt instrument that often broke the agent’s ability to reason dynamically. The new Bedrock AgentCore approach attempts to introduce stateful governance. However, relying on natural language to generate security policies introduces a new class of risk: prompt injection at the policy definition layer. If an attacker can influence the “natural language” input that defines the Cedar policy, they effectively own the agent’s permissions.

According to the official Cedar documentation, the language is designed for scalability and formal verification. Yet in a production environment, the latency overhead of evaluating these policies against every agent step remains a critical metric to watch. Early benchmarks suggest a negligible impact on simple tasks, but complex multi-step agentic workflows could see significant drag.

“The industry is rushing to deploy agents without establishing the ‘guardrails’ first. We are seeing a surge in demand for auditors who understand not just network security, but the logic flows of LLMs. The threat model has shifted from SQL injection to prompt injection.”

This shift explains the aggressive hiring we are seeing across the sector. Major players like Microsoft AI and Visa are actively recruiting Directors of AI Security. They aren’t looking for standard SOC2 auditors; they need architects who can map the probabilistic nature of LLMs to deterministic security policies. This talent war highlights a critical gap: most existing security teams are ill-equipped to audit agentic behavior.

Healthcare Agents and the Compliance Reality

Amazon Connect Health is now generally available, offering five specific agents for patient verification and medical coding. While AWS claims these are HIPAA-eligible, “eligible” does not mean “compliant.” The responsibility for configuring the ambient documentation and ensuring no PHI leaks into unauthorized logs still rests with the implementation partner. The architecture relies on the agent operating within existing clinical workflows, which often means integrating with legacy EHR systems via fragile APIs.

For healthcare providers, this deployment scenario necessitates a rigorous cybersecurity audit specifically scoped for AI interactions. Standard IT audits won’t catch an agent that inadvertently summarizes a patient’s mental health history into a billing code field. Organizations need to engage specialized cybersecurity consulting firms that can validate the data flow between the agent and the EHR, ensuring that the “ambient” nature of the documentation doesn’t become a privacy liability.

Implementation Mandate: Defining Agent Boundaries

To mitigate the risk of over-permissive agents, engineers should immediately adopt the new policy controls. Below is a conceptual Cedar policy snippet that restricts an agent’s tool invocations to a specific maintenance window, a critical control for autonomous infrastructure agents.

    // Cedar policy: restrict agent tool invocation to the maintenance window.
    // Assumes the caller supplies context.current_time as a Cedar datetime in UTC.
    @id("RestrictAgentTools")
    forbid (
      principal is Agent,
      action in [Action::"InvokeTool"],
      resource is Tool
    )
    when {
      // Deny access if the current time of day is outside 02:00 - 04:00 UTC
      context.current_time.toTime() < duration("2h") ||
      context.current_time.toTime() > duration("4h")
    };

Deploying this requires a shift in how we view risk assessment services. The “resource” is no longer just a database; it’s the agent’s cognitive process. Traditional vulnerability scanners won’t detect a logic flaw in a Cedar policy that allows an agent to bypass a human-in-the-loop check.
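One way to exercise the window policy's logic before deployment, as an added example that is not from the article or from AWS: a small Python model of Cedar's decision rule (default deny, any matching forbid overrides a permit), checked at the window boundaries. The `ops-agent` permit, the agent names and all function names are assumptions made for illustration, and the model rejects timestamps without a timezone as its own choice.

```python
from datetime import datetime, time, timedelta, timezone

WINDOW_START, WINDOW_END = time(2, 0), time(4, 0)  # 02:00-04:00 UTC, as in the policy

def forbid_outside_window(req):
    """Model of the forbid above: matches when the UTC time of day is outside the window."""
    now = req["context"]["current_time"]
    if now.tzinfo is None:
        raise ValueError("current_time must carry a timezone")
    t = now.astimezone(timezone.utc).time()
    return req["action"] == "InvokeTool" and (t < WINDOW_START or t > WINDOW_END)

def permit_ops_agent(req):
    """Hypothetical permit (not in the article): one named agent may invoke tools."""
    return req["principal"] == "ops-agent" and req["action"] == "InvokeTool"

def decide(req, permits, forbids):
    """Cedar's decision rule: any matching forbid denies; otherwise a permit must match."""
    if any(f(req) for f in forbids):
        return "Deny"
    return "Allow" if any(p(req) for p in permits) else "Deny"

def request_at(principal, hh, mm, ss=0, tz=timezone.utc):
    """Constructed sample request on an arbitrary date."""
    ts = datetime(2026, 1, 15, hh, mm, ss, tzinfo=tz)
    return {"principal": principal, "action": "InvokeTool",
            "context": {"current_time": ts}}

def boundary_report():
    """Decisions for the cases a reviewer should check before deploying the policy."""
    permits, forbids = [permit_ops_agent], [forbid_outside_window]
    plus5 = timezone(timedelta(hours=5))
    return {
        "01:59:59": decide(request_at("ops-agent", 1, 59, 59), permits, forbids),
        "02:00:00": decide(request_at("ops-agent", 2, 0), permits, forbids),
        "04:00:00": decide(request_at("ops-agent", 4, 0), permits, forbids),
        "04:00:01": decide(request_at("ops-agent", 4, 0, 1), permits, forbids),
        # 03:00 at UTC+5 is 22:00 UTC: a local clock inside the window is still denied
        "03:00+05:00": decide(request_at("ops-agent", 3, 0, tz=plus5), permits, forbids),
        # A forbid alone grants nothing: with no permit the default is Deny
        "no-permit": decide(request_at("ops-agent", 3, 0), [], forbids),
        "other-agent": decide(request_at("batch-agent", 3, 0), permits, forbids),
    }

if __name__ == "__main__":
    for case, decision in boundary_report().items():
        print(f"{case:12} {decision}")
```

Both window edges are inclusive because the forbid uses strict comparisons, and the forbid by itself never allows anything: an explicit permit is still required inside the window.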

Cost Implications: VPC Encryption and OpenClaw

On the infrastructure side, AWS is monetizing visibility. The VPC Encryption Controls transition from free preview to paid status on March 1, 2026. For enterprises running high-throughput microservices, the ability to enforce encryption-in-transit at the VPC level is non-negotiable for compliance with standards like SOC 2. However, the new pricing model means that “monitor mode” (detecting unencrypted traffic) will now incur costs before you even switch to “enforce mode.” This creates a financial disincentive for thorough auditing.

Meanwhile, the introduction of OpenClaw on Amazon Lightsail offers a sandboxed environment for private AI agents. While useful for developers wanting to run local models without sending data to the public cloud, the “one-click HTTPS” and device pairing authentication must be stress-tested. In the official announcement, AWS highlights the ease of deployment, but enterprise security teams should verify the isolation guarantees of these sandboxed sessions against side-channel attacks.

The Editorial Kicker

We are entering an era where the “developer” is increasingly an orchestrator of agents rather than a writer of code. AWS’s move to externalize policy via Cedar is a recognition that code-level security is insufficient for probabilistic systems. However, as we hand over more critical workflows to these agents, the role of the human auditor becomes paradoxically more important and more difficult. The companies that win in 2026 won’t just be those with the smartest agents, but those with the most rigorous third-party validation of their agents’ decision-making logic. Don’t let the “Generally Available” label lull you into a false sense of security; the real work begins at deployment.

Disclaimer: The technical analyses and security protocols detailed in this article are for informational purposes only. Always consult with certified IT and cybersecurity professionals before altering enterprise networks or handling sensitive data.
