Feature Request
Description
Add a use case sample demonstrating how to secure AI coding agents with Cedar policies on AgentCore Gateway. This fills a gap in the existing samples — the current 02-policy feature tutorial focuses on ABAC with JWT claims for insurance underwriting, but there's no sample showing the coding agent security pattern (path-based file access, command blocklists, tool-level restrictions).
Motivation
Every team building AI coding assistants (with Strands, LangGraph, etc.) needs guardrails to prevent agents from:
Accessing files outside the workspace (/etc/passwd, SSH keys)
Running dangerous shell commands (rm -rf /, sudo)
Using unauthorized tools (code execution, HTTP, external APIs)
This is one of the most common questions from teams adopting AgentCore for coding agents.
Proposed Solution
A complete sample under 02-use-cases/securing-coding-agents/ that demonstrates:
Cedar policies using context.input conditions (path patterns, command strings)
Forbid-first patterns layered with explicit permit allowlists
Per-target Lambda functions (file, shell, restricted)
18 scenarios (8 ALLOW / 10 DENY) verifying policy enforcement
CloudWatch Logs integration for policy decision auditing
Security documentation for production adaptation
Strands agent demo via MCP
Implementation
Ready — PR will follow immediately after this issue is created.
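An added illustration of the "forbid-first layered with explicit permit allowlists" pattern from the proposed solution; it is not code from this issue, the promised PR, or the AgentCore samples. It models Cedar's decision rule (default deny, any matching forbid overrides every permit) in Python over constructed tool inputs. The `/workspace` root, the allowlisted commands, and the tool names `file`, `shell` and `restricted` are assumptions.

```python
import re

def like(value, pattern):
    """Cedar-style `like`: `*` is the only wildcard and the whole string must match."""
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, value, re.DOTALL) is not None

def any_like(value, patterns):
    return any(like(value, p) for p in patterns)

# Constructed policy set. Tool names follow the issue's three targets; the workspace
# root and the allowlisted commands are assumptions made for this example.
POLICIES = [
    # Forbid layer: a match here wins over any permit.
    ("forbid", "file", lambda i: any_like(i.get("path", ""), ["*/../*", "*/.."])),
    ("forbid", "shell", lambda i: any_like(i.get("command", ""), ["*rm -rf /*", "*sudo*"])),
    ("forbid", "restricted", lambda i: True),
    # Permit allowlist: anything not matched here is denied by default.
    ("permit", "file", lambda i: like(i.get("path", ""), "/workspace/*")),
    ("permit", "shell", lambda i: i.get("command") in {"ls", "git status", "pytest"}),
]

def authorize(tool, tool_input):
    """Return 'ALLOW' or 'DENY' using default-deny, forbid-overrides-permit semantics."""
    effects = {e for e, t, cond in POLICIES if t == tool and cond(tool_input)}
    if "forbid" in effects:
        return "DENY"
    return "ALLOW" if "permit" in effects else "DENY"

# Constructed scenarios (not the 18 scenarios of the proposed sample).
SCENARIOS = [
    ("file", {"path": "/workspace/src/app.py"}, "ALLOW"),
    ("file", {"path": "/etc/passwd"}, "DENY"),                 # no permit matches
    ("file", {"path": "/workspace/../etc/passwd"}, "DENY"),    # permit matches, forbid wins
    ("shell", {"command": "git status"}, "ALLOW"),
    ("shell", {"command": "sudo ls"}, "DENY"),
    ("shell", {"command": "rm -rf /"}, "DENY"),
    ("restricted", {"code": "print(1)"}, "DENY"),              # tool-level forbid
    ("http", {"url": "https://example.com"}, "DENY"),          # unknown tool, default deny
]

def run_scenarios():
    return [(tool, inp, authorize(tool, inp)) for tool, inp, _ in SCENARIOS]

if __name__ == "__main__":
    for (tool, inp, got), (_, _, want) in zip(run_scenarios(), SCENARIOS):
        print(f"{got:5} (expected {want:5}) {tool} {inp}")
```

The third scenario is the one to carry into real policies: a wildcard match on the raw path string does no normalization, so `/workspace/../etc/passwd` satisfies the `/workspace/*` permit and is only stopped by the forbid rule on `..` segments.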