Governing MCP and Agentic AI on AWS: Identity, Permissions, Observability, and Audit at Scale
Scenario
A platform team has dozens of internal agents using MCP tools and wants enterprise governance before customer-facing rollout.
Core problem
As agent count grows, risk shifts from “single model error” to “multi-agent control plane failure.” Governance must address:
- who can invoke which tools
- what data each agent can access
- how to observe every decision and action
- how to prevent cross-agent privilege escalation
AWS governance model
Use layered controls:
- identity and credential boundaries (AgentCore Identity + IAM)
- tool registry and permission policies
- runtime observability and audit trails
- human approvals for high-impact actions
Architecture
graph TD
Client[Internal Product Teams] --> API[Agent Platform API]
API --> ID[AgentCore Identity / Workload Identities]
API --> REG[Tool Registry + Policy Engine]
API --> RUN[Agent Runtime]
RUN --> MCP[MCP Servers / Tool Endpoints]
RUN --> OBS[AgentCore Observability + CloudWatch]
OBS --> AUDIT[(S3 + DynamoDB Audit Evidence)]
RUN --> APPROVAL[Step Functions Approval Flow]
Step-by-step tutorial
1) Establish policy registry table
Bash:
export AWS_REGION=us-east-1
export PROJECT=agent-governance
aws dynamodb create-table \
--table-name ${PROJECT}-tool-policy \
--attribute-definitions AttributeName=agent_id,AttributeType=S AttributeName=tool_id,AttributeType=S \
--key-schema AttributeName=agent_id,KeyType=HASH AttributeName=tool_id,KeyType=RANGE \
--billing-mode PAY_PER_REQUEST \
--sse-specification Enabled=true
PowerShell:
$env:AWS_REGION = "us-east-1"
$env:PROJECT = "agent-governance"
aws dynamodb create-table `
--table-name "$($env:PROJECT)-tool-policy" `
--attribute-definitions AttributeName=agent_id,AttributeType=S AttributeName=tool_id,AttributeType=S `
--key-schema AttributeName=agent_id,KeyType=HASH AttributeName=tool_id,KeyType=RANGE `
--billing-mode PAY_PER_REQUEST `
--sse-specification Enabled=true
2) Policy evaluation component (FastAPI)
from fastapi import FastAPI, HTTPException
from pydantic import BaseModel

app = FastAPI(title="Agent Governance Policy API")

# In-memory stand-in for the tool-policy table created in step 1; in
# production load the (agent_id, tool_id) items from DynamoDB instead.
POLICIES = {
    "agent-support-1": {"tools": {"search_kb", "get_ticket"}, "max_risk": "medium"},
    "agent-ops-1": {"tools": {"search_logs", "open_incident"}, "max_risk": "high"},
}
RISK_LEVELS = ["low", "medium", "high", "critical"]


class ToolRequest(BaseModel):
    agent_id: str
    tool_id: str
    requested_risk: str


@app.post("/authorize")
def authorize(req: ToolRequest):
    # Fail closed: any unrecognised input is a 403, never a 500. Checking the
    # level first avoids a ValueError from list.index() on an unknown string.
    if req.requested_risk not in RISK_LEVELS:
        raise HTTPException(status_code=403, detail="Unknown risk level")
    policy = POLICIES.get(req.agent_id)
    if not policy:
        raise HTTPException(status_code=403, detail="Unknown agent")
    if req.tool_id not in policy["tools"]:
        raise HTTPException(status_code=403, detail="Tool not permitted")
    if RISK_LEVELS.index(req.requested_risk) > RISK_LEVELS.index(policy["max_risk"]):
        raise HTTPException(status_code=403, detail="Risk exceeds policy")
    return {"approved": True}
3) IAM least-privilege pattern
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["dynamodb:GetItem", "dynamodb:Query"],
"Resource": "arn:aws:dynamodb:*:*:table/agent-governance-tool-policy"
},
{
"Effect": "Deny",
"Action": ["*"],
"Resource": "*",
"Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-3"}}
}
]
}
An explicit Deny always wins over an Allow, so the second statement is a region guardrail: any call routed to eu-west-3 is refused even if another policy attached to the role grants it. The more common form is StringNotEquals against the list of approved regions, which denies everything outside them. Pin the account ID in the DynamoDB ARN rather than using *, and give each agent a short-lived role session (STS AssumeRole with a session policy) so the role's permissions are scoped down further per invocation.
4) Observability setup
- Emit one structured decision record per authorization call with the fields agent_id, tool_id, policy_result, reason, trace_id; the trace_id is what links the policy decision to the runtime trace in AgentCore Observability.
- Publish custom metrics (PutMetricData in the AgentGovernance namespace) for denied requests and risky attempts. The alarm below only evaluates once the PolicyDenied metric is actually being published.
aws cloudwatch put-metric-alarm \
--alarm-name ${PROJECT}-policy-denials \
--namespace AgentGovernance \
--metric-name PolicyDenied \
--statistic Sum --period 300 --evaluation-periods 1 --threshold 20 \
--comparison-operator GreaterThanOrEqualToThreshold \
--alarm-actions arn:aws:sns:us-east-1:123456789012:${PROJECT}-alerts
5) Human approval flow for high-impact tools
For tool categories such as delete, transfer, and publish, require explicit approval via Step Functions before execution: the runtime starts the approval state machine with a .waitForTaskToken callback task, pauses until an approver calls SendTaskSuccess or SendTaskFailure, and treats a timeout as a denial.
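Steps 1 through 5 carried through as one runnable policy engine. This is an added example, not the article's code and not an AWS SDK: FakePolicyTable stands in for a boto3 DynamoDB Table with the step-1 key schema so it runs offline, the sample rows are constructed, and the effect and category attributes are this example's additions to the article's (agent_id, tool_id) schema. Decisions are written in the step-4 log format to an in-memory buffer and denials are counted for the PolicyDenied metric instead of being sent to CloudWatch.

```python
import csv
import io
import uuid
from dataclasses import dataclass, field

RISK_LEVELS = ("low", "medium", "high", "critical")
# Step 5: tool categories whose calls must pass the human approval flow.
APPROVAL_CATEGORIES = {"delete", "transfer", "publish"}


class FakePolicyTable:
    """Stand-in for a boto3 DynamoDB Table with the step-1 key schema
    (agent_id HASH, tool_id RANGE); lets the example run offline."""

    def __init__(self, items):
        self._items = {(i["agent_id"], i["tool_id"]): i for i in items}

    def get_item(self, Key):
        item = self._items.get((Key["agent_id"], Key["tool_id"]))
        return {"Item": item} if item else {}  # boto3 omits "Item" on a miss


# Constructed sample rows; "effect" and "category" are this example's
# assumptions, not attributes the article's table defines.
POLICY_ITEMS = [
    {"agent_id": "agent-support-1", "tool_id": "search_kb", "effect": "allow", "max_risk": "medium"},
    {"agent_id": "agent-support-1", "tool_id": "get_ticket", "effect": "allow", "max_risk": "medium"},
    {"agent_id": "agent-ops-1", "tool_id": "search_logs", "effect": "allow", "max_risk": "high"},
    {"agent_id": "agent-ops-1", "tool_id": "open_incident", "effect": "allow", "max_risk": "high"},
    {"agent_id": "agent-ops-1", "tool_id": "purge_index", "effect": "allow", "max_risk": "critical",
     "category": "delete"},
]


@dataclass
class Decision:
    approved: bool
    reason: str
    requires_approval: bool = False
    trace_id: str = field(default_factory=lambda: uuid.uuid4().hex)


class PolicyEngine:
    def __init__(self, table):
        self.table = table
        self.denied = 0  # value to publish as the PolicyDenied metric (step 4)
        self.log = io.StringIO()  # decision log, one CSV row per decision (step 4)
        self._writer = csv.writer(self.log)
        self._writer.writerow(["agent_id", "tool_id", "policy_result", "reason", "trace_id"])

    def authorize(self, agent_id, tool_id, requested_risk):
        d = self._evaluate(agent_id, tool_id, requested_risk)
        if not d.approved:
            self.denied += 1
        self._writer.writerow([agent_id, tool_id, "allow" if d.approved else "deny", d.reason, d.trace_id])
        return d

    def _evaluate(self, agent_id, tool_id, requested_risk):
        # Fail closed: an unknown level is a deny, not a ValueError from index().
        if requested_risk not in RISK_LEVELS:
            return Decision(False, "unknown risk level")
        item = self.table.get_item(Key={"agent_id": agent_id, "tool_id": tool_id}).get("Item")
        if item is None:  # unknown agent and unknown tool look the same to a point lookup
            return Decision(False, "no policy for agent/tool")
        if item.get("effect") != "allow":
            return Decision(False, "explicit deny")
        if item.get("max_risk") not in RISK_LEVELS:
            return Decision(False, "malformed policy")  # bad table data also denies
        if RISK_LEVELS.index(requested_risk) > RISK_LEVELS.index(item["max_risk"]):
            return Decision(False, "risk exceeds policy")
        # Policy allows the call; high-impact categories still wait for human approval.
        if item.get("category") in APPROVAL_CATEGORIES:
            return Decision(True, "approval required", requires_approval=True)
        return Decision(True, "allowed")


def build_engine():
    return PolicyEngine(FakePolicyTable(POLICY_ITEMS))


if __name__ == "__main__":
    eng = build_engine()
    eng.authorize("agent-support-1", "search_kb", "low")
    eng.authorize("agent-ops-1", "purge_index", "critical")
    print(eng.log.getvalue(), "denied:", eng.denied)
```

The category lives on the policy row, not on the request, so an agent cannot downgrade a delete to a read by mislabelling it; the only caller-supplied inputs are the identities and the requested risk level, and every malformed or missing value resolves to a deny.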
Security recommendations
- isolate tool execution roles by trust zone
- maintain immutable policy version history
- enforce short-lived credentials
- bind user identity + agent identity for delegated actions
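One way to make the last two recommendations concrete: a short-lived delegation assertion that binds the end user (sub), the agent acting on their behalf (act) and the single tool it may be spent on, signed with HMAC-SHA256 so a tool endpoint can verify it without a network call. This is an added example, not the article's or AgentCore's code; the claim names, the compact body.signature encoding and the shared key are this example's own assumptions, and in a real deployment the same binding would ride on the OAuth tokens AgentCore Identity issues.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(key: bytes, user: str, agent: str, tool: str, ttl: int = 300, now=None) -> str:
    """Issue an assertion valid for ttl seconds, bound to one user, agent and tool.
    Format (this example's assumption): base64url(JSON claims).base64url(HMAC)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "act": agent, "tool": tool, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify(key: bytes, token: str, agent: str, tool: str, now=None):
    """Return (claims, "ok") or (None, reason). Every check fails closed."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Verify before parsing so untrusted bytes never reach json.loads.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None, "bad signature"
        claims = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None, "malformed"
    if claims.get("exp", 0) <= now:
        return None, "expired"  # short-lived: a leaked token is useless within minutes
    if claims.get("act") != agent:
        return None, "agent mismatch"  # another agent cannot replay the user's delegation
    if claims.get("tool") != tool:
        return None, "tool mismatch"  # no reuse of a search grant to call a destructive tool
    return claims, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; use a KMS-backed secret in practice
    tok = mint(key, "alice", "agent-support-1", "get_ticket")
    print(verify(key, tok, "agent-support-1", "get_ticket"))
    print(verify(key, tok, "agent-ops-1", "get_ticket"))
```

Because both identities are inside the signed body, the audit record can attribute a tool call to "alice via agent-support-1" rather than to a shared service role, which is the binding the recommendation asks for.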
Cost optimization
- central policy engine reduces duplicate guardrails in every agent
- shared observability pipelines lower per-agent overhead
- evaluate heavy checks only on high-risk requests
Production checklist
- policy-as-code and peer review process in place
- identity model documented for users, agents, and tools
- denial and escalation runbooks tested
- quarterly access review and least-privilege verification
- audit export meets compliance retention requirements
References
- https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity
- https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-iam.html
- https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/observability-configure.html
- https://docs.aws.amazon.com/prescriptive-guidance/latest/govern-architect-agentic-ai/introduction.html
Source
platform/archive/articles/governing-mcp-agentic-ai-on-aws.md