Amazon Bedrock AgentCore Adds Domain Allowlist Filtering for AI Agent Web Access
Summary
- AWS integrates Network Firewall with AgentCore to restrict AI agents to approved domains only
- SNI inspection enforces default-deny egress inside VPC deployments without breaking encryption
- Prompt injection defense is a key use case — allowlists prevent agents reaching attacker-controlled sites
- Targets regulated-industry enterprises needing auditable, per-customer egress control
Details
AgentCore gets domain-level filtering via AWS Network Firewall integration
AgentCore's Browser, Code Interpreter, and Runtime managed tools can now be deployed inside an Amazon VPC with all outbound traffic routed through AWS Network Firewall. Administrators configure stateful rules using SNI inspection to allow only approved domains, blocking all others by default.
SNI inspection filters HTTPS traffic without decrypting it
The architecture inspects the Server Name Indication field in TLS handshakes, which is transmitted in plaintext before encryption begins. This allows domain-based filtering of HTTPS traffic without a man-in-the-middle setup. AWS describes this as the first layer of a defense-in-depth stack; additional layers include DNS-level filtering, deep packet content inspection, and inbound resource-based policies using aws:SourceIp, aws:SourceVpc, and aws:SourceVpce conditions.
Prompt injection can trick AI agents into navigating to malicious domains
Security teams evaluating AI agent deployments have identified prompt injection as a vector that can cause agents to access unauthorized or attacker-controlled websites. Restricting the AgentCore Browser tool to an allowlist of approved domains removes the ability to redirect the agent to sites outside that list, significantly reducing the blast radius of a successful injection attack.
Multi-tenant SaaS providers can enforce per-customer domain policies
The framework enables per-customer allowlists and denylists within shared infrastructure, supporting execution-specific blocking, regional restrictions, and category-based rules (e.g., disabling gambling or social media domains via pre-packaged rule sets). All connection attempts are logged for audit trails required in regulated industries.
AWS managed rule groups automatically block botnets and known-malware domains
Beyond custom allowlists, AWS Network Firewall includes managed rule groups that restrict access to known-malicious infrastructure, reducing the operational burden on security teams who would otherwise need to curate and maintain threat intelligence feeds manually.
What This Means
As enterprises deploy AI agents capable of autonomous web browsing, unrestricted internet access creates real data exfiltration and compliance risk that regulated industries cannot accept. This capability closes that gap by bringing standard network security primitives — allowlisting, default-deny, audit logging — directly to AI agent infrastructure on AWS. Organizations in regulated industries now have a concrete, auditable mechanism to satisfy security reviewers asking how agent traffic is controlled, removing a significant barrier to enterprise AI agent adoption.
