security
Your account. Your IAM. Your audit trail.
Cloud Agent Studio runs inside your AWS account — not ours. Every agent, every key, every log belongs to you. We ship the CDK, we don't keep the keys.
static creds: 0
oidc subjects trusted: 1
shared tenancy: none
deploy + invoke
GitHub OIDC, pinned to one subject.
No long-lived AWS access keys in the pipeline. Deploy and invoke paths both trust a single GitHub OIDC subject — repo:org/cloudagent:environment:ENV — and the invoke role's only permissions are lambda:InvokeFunction on a named function and ssm:GetParameter on one prefix.
Pinned trust
Role trust policy pins the exact repo, exact environment, and exact GitHub org. Forked PRs and wrong-environment runs cannot assume the role.
Narrow grants
Invoke role grants the minimum needed to call one Lambda and read config from one SSM prefix. No wildcards, no *-reach policies, no console power.
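As an added illustration (not the product's own CDK), the trust policy and invoke-role policy this section describes, with a small evaluator that checks GitHub OIDC token claims the way STS applies StringEquals conditions. The account ID, region, org name, function name and SSM prefix are constructed placeholders.

```python
# Constructed placeholders for illustration; not values from the product's own CDK.
OIDC = "token.actions.githubusercontent.com"
ACCOUNT, REGION, ORG, REPO = "123456789012", "us-east-1", "org", "cloudagent"


def trust_policy(env: str) -> dict:
    """Role trust policy pinned to one GitHub OIDC subject: exact org, repo, environment."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC}:aud": "sts.amazonaws.com",
                f"{OIDC}:sub": f"repo:{ORG}/{REPO}:environment:{env}",
            }},
        }],
    }


def invoke_policy(function_name: str, ssm_prefix: str) -> dict:
    """Permissions for the invoke role: one Lambda by name, one SSM parameter prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "lambda:InvokeFunction",
             "Resource": f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:{function_name}"},
            {"Effect": "Allow", "Action": "ssm:GetParameter",
             "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter{ssm_prefix}/*"},
        ],
    }


def trust_allows(policy: dict, claims: dict) -> bool:
    """Check token claims against the StringEquals conditions the way STS does:
    every condition key must be present in the token and match exactly.
    A fork PR run carries a different sub (repo:ORG/REPO:pull_request), so it fails."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if all(claims.get(key) == value for key, value in cond.items()):
            return True
    return False
```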
agent isolation
Non-root. Scoped. Time-bounded.
Each agent runs in its own Fargate task as a non-root operator user, under a task role that grants only what the agent needs: read the specific secrets, read/write the one table, accept an ECS Exec session. Nothing else — no S3, no IAM, no org-wide reach.
Non-root container
operator user with explicit uid/gid. /workspace is the only writable path. The container cannot install system packages or escalate.
Least-privilege role
Task role enumerates every permission. Secrets are read by name, DynamoDB is pinned to one table, ECS Exec is the only interactive path.
Hard 2-hour cap
MAX_TASK_DURATION_MS is enforced inside the entrypoint. SIGTERM → 30s grace → SIGKILL. Runaway agents cannot outlive their window.
network edge
CloudFront + WAF, in front of every request.
The control-plane API terminates at CloudFront with a managed WAF rule set attached — the cloudagent ruleset ships with security headers, bot controls, and core rule protection on by default. Override only with intent.
WAF always on
AWS-managed rule groups for common web exploits, bot control, and known-bad IP ranges. Ships with the stack, enabled by default, not bolted on after.
Security headers
HSTS, strict CSP posture, referrer-policy, X-Content-Type-Options — applied at the edge, not the origin. Fixing headers is a CloudFront change, not a deploy.
VPC-scoped tasks
Agent tasks live in a 2-AZ VPC with a dedicated security group. Egress only: no inbound rules, no ingress surface for the agent at all.
audit
Every call, traced. Every run, replayable.
Logs land in your CloudWatch account with two-week retention by default. Container Insights v2 emits per-task CPU and memory. CloudTrail captures every AWS action the agent takes — the same trail your auditors already subscribe to.
CloudWatch Logs
Structured JSON from every task. Two-week retention by default — raise it to whatever your policy requires with a one-line override.
Container Insights v2
Per-task CPU, memory, disk, and network. Alert on resource burn the same way you alert on every other ECS service in your account.
CloudTrail
Every ecs:RunTask, every secretsmanager:GetSecretValue, every dynamodb:PutItem shows up in your existing trail. No extra audit pipeline to wire.
secrets
Your Secrets Manager. Your KMS keys.
Provider credentials — Anthropic, OpenAI, Gemini, xAI, OpenRouter — live in AWS Secrets Manager under your account's KMS keys. We never store, proxy, or see them. The agent reads the specific secret it needs at task start, and the role grants nothing beyond those names.
Named-secret grants
Task role grants secretsmanager:GetSecretValue on explicit resource ARNs. Adding a provider is an additive change reviewed at deploy time.
KMS boundary
Secrets decrypt under your account's KMS key. Rotation, grants, and key-usage auditing happen where you already manage the rest of your keys.
No vendor hop
Requests go from the agent task directly to the provider API. The credential never leaves your VPC for ours — because there is no ours.