Back to News Hub
🟧AWS Machine Learning
July 8, 2026
E-Commerce

Securing Amazon Bedrock AgentCore Runtime with AWS WAF

Overview

AWS provides two architecture patterns for securing Amazon Bedrock AgentCore Runtime using AWS WAF and VPC Interface Endpoints. Pattern 1 uses a Lambda proxy between an internet-facing ALB and the VPC Endpoint for full request control, while Pattern 2 routes traffic directly from the ALB to VPC Endpoint ENI IP addresses, eliminating the Lambda hop. Both designs enforce traffic through WAF only and have been validated with SigV4 and OAuth authentication methods.

Key Takeaways

  • Two proven architecture patterns enable secure access to AgentCore Runtime via AWS WAF and VPC Interface Endpoints, each with distinct trade-offs between control and simplicity.
  • Pattern 1 includes a Lambda proxy for complete request transformation flexibility; Pattern 2 eliminates the Lambda layer by routing directly to VPC Endpoint ENI IP addresses for lower latency and reduced complexity.
  • Resource policies can be configured to block direct access to AgentCore Runtime, ensuring all traffic must flow through AWS WAF regardless of which pattern is deployed.
  • Both patterns have been end-to-end tested with industry-standard authentication methods including AWS SigV4 signatures and OAuth using Amazon Cognito JWT tokens.
  • An internet-facing ALB serves as the entry point in both designs, providing a public endpoint that channels all inbound requests through WAF inspection before reaching the AgentCore Runtime.
Securing Amazon Bedrock AgentCore Runtime with AWS WAF

Understanding the Security Challenge

Protecting Amazon Bedrock AgentCore Runtime requires preventing direct access while maintaining secure API communication.

  • ›Direct access to AgentCore Runtime without WAF inspection creates a security backdoor that bypasses threat protection policies.
  • ›Organizations need architecture patterns that enforce security controls without introducing unnecessary latency or operational overhead.
  • ›The solution must work seamlessly with existing authentication mechanisms including AWS Signature Version 4 and OAuth-based identity providers.

AgentCore Runtime is a powerful service that requires robust security controls to prevent unauthorized access and malicious traffic. A naive approach of exposing the runtime directly to the internet introduces significant security risks. The challenge lies in designing an architecture that enforces AWS WAF inspection while maintaining authentication integrity and acceptable performance characteristics. This post addresses this challenge by presenting two complementary patterns, each optimized for different operational requirements and use cases.

Pattern 1: Lambda Proxy Architecture

The first pattern uses a Lambda function as an intermediary between the ALB and VPC Endpoint, providing maximum control over request handling.

  • ›An internet-facing ALB receives all inbound traffic and routes it through AWS WAF for threat inspection and policy enforcement.
  • ›The Lambda proxy function sits between the WAF-protected ALB and the VPC Interface Endpoint, allowing complete customization of request and response transformation.
  • ›This architecture enables request enrichment, custom logging, request validation, and protocol adaptation without modifying the underlying AgentCore Runtime.
  • ›The Lambda function can inject additional security headers, transform payloads, or perform business logic validation before forwarding to the VPC Endpoint.

Pattern 1 is ideal for organizations that require extensive request processing capabilities or need to integrate with existing Lambda-based middleware stacks. The Lambda proxy adds a layer of flexibility that allows teams to implement custom security policies, request validation logic, and monitoring instrumentation. This design trades a small amount of additional latency from the Lambda invocation for comprehensive control over how requests are processed and transformed.

The VPC Interface Endpoint in this pattern connects privately to AgentCore Runtime, ensuring that traffic never traverses the public internet. The resource policy on the endpoint can be configured to accept traffic only from the Lambda function's execution role, further restricting access to only authorized sources. This defense-in-depth approach ensures that even if an attacker somehow bypasses the ALB or WAF, they cannot directly invoke the AgentCore Runtime.

Pattern 2: Direct VPC Endpoint Routing

The second pattern eliminates the Lambda hop by routing traffic directly from the ALB to VPC Endpoint ENI IP addresses, optimizing for performance and simplicity.

  • ›The internet-facing ALB routes traffic directly to the VPC Endpoint's Elastic Network Interface (ENI) IP addresses, bypassing the Lambda proxy entirely.
  • ›This direct routing approach reduces latency by eliminating the serverless function invocation overhead, improving response times for latency-sensitive applications.
  • ›The configuration is simpler to understand and deploy compared to Pattern 1, reducing operational complexity and the number of components to monitor.
  • ›A resource policy on the VPC Endpoint restricts access to traffic originating from the ALB security group, preventing any direct access attempts.

Pattern 2 is optimal for organizations prioritizing performance and operational simplicity over request transformation capabilities. By targeting the VPC Endpoint ENI IP addresses directly, the ALB can forward traffic with minimal overhead, making this pattern suitable for high-throughput, low-latency workloads. The reduction in architectural complexity also decreases the operational burden of monitoring and troubleshooting, as there are fewer components in the request path.

The direct routing approach does not sacrifice security. The resource policy on the VPC Endpoint ensures that traffic can only originate from the ALB security group. AWS WAF inspection still occurs at the ALB layer, protecting against application-layer attacks, DDoS attempts, and other threats. Organizations can choose this pattern without compromising their security posture while benefiting from improved response times and reduced infrastructure costs from not running Lambda functions for every request.

Enforcing WAF-Only Access with Resource Policies

Both patterns rely on resource policies to close potential backdoors and ensure all traffic flows through AWS WAF.

  • ›The VPC Endpoint's resource policy must explicitly deny any traffic not originating from the authorized source (Lambda role in Pattern 1, ALB security group in Pattern 2).
  • ›This policy-based access control prevents attackers from discovering and directly accessing the VPC Endpoint even if they obtain the endpoint's DNS name or ENI IP addresses.
  • ›Organizations should regularly audit and validate these policies to ensure they remain restrictive and aligned with security requirements.
  • ›The combination of WAF rules, security groups, and resource policies creates multiple layers of defense against unauthorized access.

Resource policies on the VPC Interface Endpoint provide the final security boundary that ensures traffic must flow through AWS WAF. By denying all traffic except from explicitly authorized sources, these policies eliminate the possibility of a direct-access backdoor. Even if an attacker bypasses the ALB or discovers the endpoint's addressing information through other means, the resource policy prevents them from reaching AgentCore Runtime.

The specificity of these policies is crucial. In Pattern 1, the policy restricts traffic to the Lambda execution role only. In Pattern 2, it restricts traffic to the ALB's security group. This principle of least privilege ensures that even compromised components cannot pivot to access AgentCore Runtime through unauthorized paths. Organizations should implement these policies as part of their infrastructure-as-code deployment to ensure consistency and auditability.

Authentication Integration with SigV4 and OAuth

Both patterns have been validated to work seamlessly with AWS Signature Version 4 and OAuth authentication methods.

  • ›AWS SigV4 signature calculations work correctly through both the Lambda proxy and direct VPC Endpoint routing patterns, preserving request integrity.
  • ›Amazon Cognito JWT tokens carried in OAuth flows are properly validated by both architectures without modification or replay attacks.
  • ›The Lambda proxy pattern can optionally inspect and validate authentication tokens before forwarding requests, adding an additional security layer.
  • ›Direct routing in Pattern 2 maintains authentication integrity while eliminating potential token transformation issues that could occur in proxy scenarios.

End-to-end testing with both SigV4 and OAuth authentication confirms that these patterns preserve the cryptographic and token-based security mechanisms that applications rely on. SigV4 signatures remain valid through both patterns because the request path and signature structure are maintained. OAuth JWT tokens from Amazon Cognito are properly forwarded and validated without interception or modification.

The choice between Pattern 1 and Pattern 2 does not impact authentication security. Pattern 1 provides the option to inspect tokens at the Lambda layer for additional validation logic, while Pattern 2 delegates token validation entirely to AgentCore Runtime. Both approaches are secure and have been thoroughly tested in production-like environments. Organizations can confidently deploy either pattern knowing that their authentication mechanisms will function correctly and securely.

Choosing Between Pattern 1 and Pattern 2

Each pattern has distinct advantages; the choice depends on specific organizational requirements and workload characteristics.

  • ›Choose Pattern 1 if your organization requires request transformation, custom validation logic, request enrichment, or integration with existing Lambda-based middleware.
  • ›Choose Pattern 2 if your priority is minimizing latency, reducing operational complexity, and supporting high-throughput workloads with predictable infrastructure costs.
  • ›Pattern 1 incurs additional costs from Lambda invocations and execution time; Pattern 2 avoids these serverless computing costs by routing directly.
  • ›Both patterns provide equivalent security guarantees when properly configured with WAF rules and resource policies.

The decision between these patterns should align with your team's operational maturity, performance requirements, and budget constraints. Pattern 1 is more flexible and allows security teams to implement sophisticated request inspection logic. However, this flexibility comes at the cost of additional latency and infrastructure complexity. Pattern 2 is easier to understand, deploy, and troubleshoot, making it ideal for teams seeking simplicity and performance.

Organizations can also implement a hybrid approach, starting with Pattern 2 for basic security and upgrading to Pattern 1 if future requirements demand advanced request processing capabilities. Both patterns scale effectively to handle enterprise-level traffic volumes. The modular design allows teams to adjust their architecture as business needs evolve without requiring a complete redesign of the security infrastructure.

Best Practices and Deployment Considerations

Successfully implementing either pattern requires attention to configuration details, monitoring, and ongoing security validation.

  • ›Define comprehensive AWS WAF rules that address your organization's threat model, including rate limiting, geo-blocking, and application-layer attack prevention.
  • ›Configure CloudWatch monitoring and alarms to track WAF rule matches, Lambda errors, and VPC Endpoint performance metrics for both patterns.
  • ›Implement infrastructure-as-code templates for both patterns to ensure consistent, reproducible deployments across environments.
  • ›Regularly audit resource policies, security group rules, and WAF configurations to ensure they remain aligned with security policies and compliance requirements.

Deployment of either pattern should follow infrastructure-as-code practices to ensure consistency and enable version control. Use AWS CloudFormation, Terraform, or AWS CDK to define the ALB, WAF, VPC Endpoint, and associated resources. This approach provides auditability, enables quick replication across environments, and simplifies rollback procedures if changes introduce issues. Include parameter validation and security scanning in your deployment pipeline to catch misconfigurations before they reach production.

Ongoing monitoring is essential for both patterns. CloudWatch metrics should track WAF rule executions, ALB target health, Lambda execution duration and errors, and VPC Endpoint connection status. Set up alarms for anomalous traffic patterns, increased WAF rule matches, or Lambda failures. Regular security audits should verify that resource policies remain restrictive and that no unauthorized access paths have been inadvertently created. Testing authentication mechanisms regularly ensures that SigV4 and OAuth flows continue to function correctly as updates are deployed.

Frequently Asked Questions

What is the main difference between Pattern 1 and Pattern 2?

Pattern 1 uses a Lambda proxy function between the ALB and VPC Endpoint for request transformation and control, while Pattern 2 routes traffic directly from the ALB to VPC Endpoint ENI IP addresses, eliminating the Lambda hop. Pattern 1 offers more flexibility but adds latency; Pattern 2 is simpler and faster but offers less customization.

How do resource policies prevent direct access to AgentCore Runtime?

Resource policies on the VPC Endpoint explicitly deny any traffic not originating from authorized sources (the Lambda role in Pattern 1, or the ALB security group in Pattern 2). This ensures that even if an attacker discovers the endpoint's address, they cannot access it without going through WAF-protected entry points.

Do both patterns work with AWS SigV4 and OAuth authentication?

Yes, both patterns have been end-to-end tested and confirmed to work correctly with AWS Signature Version 4 and Amazon Cognito JWT tokens. The request paths and authentication mechanisms are preserved in both architectures, maintaining security and functionality.

Which pattern should I choose for a high-throughput application?

Pattern 2 is better suited for high-throughput applications because it eliminates the Lambda invocation overhead, resulting in lower latency and predictable performance. It also avoids Lambda execution costs, making it more economical for high-volume workloads.

Can I switch between Pattern 1 and Pattern 2 after initial deployment?

Yes, the patterns are modular enough to allow migration between them. You can start with Pattern 2 for simplicity and upgrade to Pattern 1 if you later need request transformation capabilities, or vice versa, by updating your infrastructure-as-code templates and redeploying.

Both architecture patterns provide secure, tested approaches to protecting AgentCore Runtime with AWS WAF, allowing you to choose based on your specific performance and operational needs.

Continue Learning

Originally published by AWS Machine Learning
Read the original

Comments

Sign in to join the conversation