Add egress-controlled code execution sample#1769
Conversation
A multi-container security sample under 03-advanced: a trusted supervisor container (started by AgentCore Runtime) launches a broker and an untrusted agent container inside the same microVM via containerd. All agent egress is mediated by the broker, which enforces a runtime-configurable allowlist. The Phase 1 operation is ping_domain, exercising the full supervisor -> agent -> broker -> egress path. The allow-vs-deny contrast (amazon.com permitted, aws.amazon.com denied) demonstrates the security boundary end to end. Includes deploy.py / invoke.py / cleanup.py (matching the folder convention), three arm64 Dockerfiles, unit tests for the IPC framing and broker allowlist, and an architecture diagram. Also adds the row to the 03-advanced index. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add Fabio Balancin (balancin) and Varun Gunda (vvargu) for the egress-controlled code execution sample. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…-coding-execution README Consolidate into the existing Current status section and drop the broken Roadmap anchor link. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Latest scan for commit: Security Scan ResultsScan Metadata
SummaryScanner ResultsThe table below shows findings by scanner, with status based on severity thresholds and dependencies: Column Explanations: Severity Levels (S/C/H/M/L/I):
Other Columns:
Scanner Results:
Severity Thresholds (Thresh Column):
Threshold Source: Values in parentheses indicate where the threshold is configured:
Statistics calculation:
Detailed FindingsShow 4 actionable findingsFinding 1: SECRET-BASE64-HIGH-ENTROPY-STRING
Description: Code Snippet: Finding 2: B108
Description: Code Snippet: Finding 3: B108
Description: Code Snippet: Finding 4: B108
Description: Code Snippet: Report generated by Automated Security Helper (ASH) at 2026-07-14T18:59:24+00:00 |
What this adds
A new advanced sample: Egress-Controlled Code Execution (
01-features/02-host-your-agent/01-runtime/03-advanced/12-egress-coding-execution).It demonstrates running untrusted code securely inside an AgentCore Runtime microVM using a three-container pattern:
BedrockAgentCoreAppcommand router that drives containerd (ctr) to launch the other two containers.--net-host, no credentials, non-root); it can only reach the broker over a Unix-domain socket.The Phase 1 operation is
ping_domain, exercising the full supervisor → agent → broker → egress path. The allow-vs-deny contrast (amazon.compermitted,aws.amazon.comdenied by the exact-match allowlist) is the security boundary.Contents
deploy.py/invoke.py/cleanup.pyfollowing the folder convention (create-or-reuse runtime + IAM role, run the demo, tear down).linux/arm64Dockerfiles (pip-based) for supervisor / broker / agent.03-advancedindex.Testing
Validated end to end on a real account (
deploy.py→invoke.py→cleanup.py): images built and pushed to ECR, runtime reachedREADY, the allowed ping executed while the disallowed domain was blocked by the broker, and cleanup removed the runtime, ECR repos, and role. Unit tests pass (pytest), andruff check/ruff format --checkare clean.Notes
Phase 1 only — HTTP/secret proxying, rate limits, and explicit namespace/capability/cgroup hardening are documented as deferred to Phase 2. Sample is experimental/educational (disclaimer included in the README).