AIエージェントがアクセスできるドメインを制御する
AWSはAmazon Bedrock AgentCoreとNetwork Firewallを連携させ、AIエージェントのインターネットアクセスをドメインレベルで制御・監査する仕組みを提供し、規制業界向けのセキュリティ対策を可能にする。
キーポイント
ドメインベースのアクセス制御とデフォルト拒否
Bedrock AgentCoreのリソースを承認済みドメインのホワイトリストに制限し、指定カテゴリの明示的ブロックや不明なドメインへのアクセスを拒否するデフォルトポリシーを適用可能にする。
監査対応と接続ログの記録
すべてのネットワーク接続試行をログ出力し、規制業界のコンプライアンス要件を満たすための監査証跡とネットワークイグレス制御を提供し、セキュリティレビューへの回答根拠とする。
ディフェンス・イン・デプスの多層防御戦略
SNI検査を第一層とし、DNSフィルタリングやコンテンツ検査、インバウンドアクセス制御(リソースベースポリシー)と組み合わせることで、包括的なセキュリティアーキテクチャを構築する方法を示す。
VPC Endpointsと厳格なドメイン管理
.amazonaws.comを広く許可するのではなく、VPC Endpointsを活用しエージェントが必要とする特定の外部ドメインのみを許可リストに追加することで、セキュリティリスクを軽減できます。
ファイアウォールポリシーの正しいデフォルトアクション設定
StatefulDefaultActionsにはaws:drop_establishedを指定し、TCPハンドシェイクとTLS SNI検査を許可しつつ、不正なドメインへの接続をドロップする必要があります。
セキュリティグループのアウトバウンド設定
ドメインフィルタリングはNetwork Firewallに委譲するため、セキュリティグループではアウトバウンド通信をすべて許可(protocol -1, port -1)して構いません。
VPC内での一貫したネットワーク制御
Browser、Code Interpreter、Agent Runtimeを同じセキュリティグループとサブネットにデプロイし、ファイアウォールルールでネットワークアクセスを一元管理できる。
影響分析・編集コメントを表示
影響分析
本記事は、AIエージェントの実用化において懸念されるセキュリティとコンプライアンス課題に対し、既存のAWSインフラ機能を活用した具体的な解決策を提示している。これにより、金融や医療などの規制業界でもAIエージェントの導入ハードルが下がり、エンタープライズレベルの実装と安全な運用基準が標準化する可能性がある。
編集コメント
技術ブログ形式だが、AIエージェントの実装段階で必ず直面する「ネットワークイグレス制御」という現実的な課題を、AWSの既存サービスでどう解決するかを示しており、実務者には即戦力となる内容だ。
aws network-firewall create-rule-group \
--rule-group-name browser-allowed-domains \
--type STATEFUL \
--capacity 100 \
--rule-group file://allowlist-rules.json \
--region us-east-2
重要: ブラウザがAWSサービスへのアクセスを必要とする場合、allowlistに.amazonaws.comを含めるか、代替としてVPCエンドポイントを使用してください。
セキュリティ上の考慮事項: .amazonaws.comドメインは、パブリックなAmazon Simple Storage Service(Amazon S3)バケット、Amazon API Gatewayエンドポイント、AWS Lambda関数URLを含む、AWS上のホストされたエンドポイントへのアクセスを許可する広範なallowlistです。より厳格な制御のためには、AWSサービスへのアクセスにはVPCエンドポイントを使用し、エージェントが必要とする特定の外部ドメインのみをallowlistに含めてください。
Code Interpreterの場合: pipパッケージのインストールが必要な場合は、「.pypi.org」と「.pythonhosted.org」を追加することを検討してください。一般的なパッケージの多くは事前にインストールされているため、これらのドメインはユースケースによってはオプションです。
ステップ4: ファイアウォールポリシーを設定する
ファイアウォールポリシーは、デフォルトアクションとしてaws:drop_establishedを使用する必要があります。これにより、TCPハンドシェイクは完了し(TLS SNI検査に必要)、許可されていないドメインへの接続はドロップされます:
cat > firewall-policy.json
- ファイアウォール同期ステータスがIN_SYNCを示していること(ルール変更には数分かかります)
- ドメインエントリに先頭のドットが含まれていること(.wikipedia.orgであってwikipedia.orgではない)
- ルートテーブルが対称ルーティング用に正しく設定されていること
- 許可されたドメインでHTTP 403エラーが発生する場合、これは通常、宛先サイトによるボット検出であり、ファイアウォールブロックではありません。ブロックされた接続には明示的なアラートエントリがあるため、CloudWatch ALERTログを確認して確認してください。
ベストプラクティス
- STRICT_ORDER評価を使用する: これにより、allowlistsとdenylistsを組み合わせる際の予測可能なルール処理が容易になります。
- AWSサービスアクセス用に.amazonaws.comを含める: または、AWS API呼び出しがインターネット経由でルーティングされるのを避けるためにVPCエンドポイントを使用してください。
- IGW(インターネットゲートウェイ)イングレスルートテーブルを設定する: これは対称ルーティングにとって重要です。これがないと、戻りトラフィックはファイアウォールをバイパスします。
- ALERTログとFLOWログの両方を有効にする: ALERTログはブロックされた接続をキャプチャします。FLOWログはトラフィックの接続メタデータを提供します。
- ファイアウォール同期を待つ: ルール変更が伝播するには数分かかります。テスト前にConfigurationSyncStateSummary: IN_SYNCを確認してください。
- マルチVPCアーキテクチャ用にHOME_NETを設定する: デフォルトでは、Network Firewallのドメイン検査は、デプロイメントVPCのCIDR(Classless Inter-Domain Routing)範囲から発信されるトラフィックのみをフィルタリングします。AWS Transit Gatewayを使用して複数のVPCからのトラフィックを検査する集中型ファイアウォールを使用する場合は、ルールグループのHOME_NET変数を設定して、送信元CIDR範囲を含める必要があります。これがないと、他のVPCからのトラフィックはドメインフィルタリングをバイパスする可能性があります。
制限事項とコスト
原文を表示
AI agents that can browse the web open powerful possibilities—from research automation to real-time data gathering. However, giving an AI agent unrestricted internet access raises security and compliance concerns. What if the agent accesses unauthorized websites? What if sensitive data is exfiltrated to external domains?
Amazon Bedrock AgentCore provides managed tools that enable AI agents to interact with the web (Browser), execute code (Code Interpreter), and host agents (Runtime). When deployed in an Amazon Virtual Private Cloud (Amazon VPC), you can control tool network access using AWS Network Firewall to implement domain-based filtering. AWS Network Firewall also provides you with managed rules to help reduce access to botnets, known-malware domains, and other high-risk resources.
In this post, we show you how to configure AWS Network Firewall to restrict AgentCore resources to an allowlist of approved internet domains. You can use this architecture to:
- Permit access only to specified domains (for example, wikipedia.org, stackoverflow.com)
- Explicitly block certain categories (e.g., social media sites) using rule templates
- Log the connection attempts for audit and compliance alignment
- Apply a default-deny policy for unspecified domains
This post focuses on domain-level filtering using SNI inspection — the first layer of a defense-in-depth approach. For DNS-level filtering and content inspection techniques, see Going further at the end of this post. For inbound access control (restricting who can invoke your agents), you can also see Resource-based policies for Amazon Bedrock AgentCore. These support conditions like aws:SourceIp, aws:SourceVpc, and aws:SourceVpce. These controls are complementary layers in a defense in depth strategy.
Why this matters: Enterprise security requirements
Customers deploying AI agents in regulated industries have consistent security requirements around network ingress and egress control:
Enterprise organizations with high security requirements
Customers in regulated industries conducting security reviews for AI agent deployments consistently ask about network isolation and egress control, requiring detailed explanations of how agent traffic is controlled and audited. These customers want assurance that agent runtime endpoints remain private, and that additional security controls like web application firewall protections are available.
Multi-tenant SaaS providers
Enterprise software as a service (SaaS) providers require DNS-level allowlisting and denylisting because their multi-tenant architectures need per-customer network policies. For example, Customer A might need to allow domains that Customer B blocks. Common requirements include:
- Execution-specific blocking (prevent access to certain domains during specific browser launches)
- Regional restrictions (block website categories in specific regions)
- Category-based rules (disable gambling or social media sites through pre-packaged rule sets)
Security vulnerability mitigation and compliance audit requirements
Security teams evaluating AI agents have identified that agents can be tricked into navigating to unintended sites through prompt injection attacks. Custom URL allowlists reduce the attack surface by restricting the browser to approved domains, regardless of what the agent is instructed to do. Domain-based egress filtering provides the logging and access control visibility that security teams often need for their security monitoring processes.
Solution overview
The solution deploys AgentCore Browser in a private subnet with no direct internet access. The outbound traffic routes through AWS Network Firewall, which inspects TLS Server Name Indication (SNI) headers to determine the destination domain and apply filtering rules. You can also monitor Network Firewall actions taken to restrict traffic through the native Network Firewall integration with Amazon CloudWatch metrics.

*Figure 1: AgentCore deployment with AWS Network Firewall and domain-based egress filtering*
The architecture includes:
- Private subnet: Hosts AgentCore Browser instances with no public IP addresses
- Public subnet: Contains the NAT Gateway for outbound connectivity
- Firewall subnet: Hosts the Network Firewall endpoint
- Four route tables: Control traffic flow through the firewall for both outbound requests and return traffic
Traffic flow
- AgentCore Runtime executes the agent and invokes the AgentCore Browser tool
- AgentCore Browser initiates an HTTPS request from the private subnet
- The private subnet route table directs traffic to the NAT Gateway in the public subnet
- The NAT Gateway translates the private IP address and forwards the request to the Network Firewall endpoint
- Network Firewall inspects the TLS SNI header to identify the destination domain
- If the domain matches an allowlist rule, the firewall forwards traffic to the Internet Gateway
- The Internet Gateway routes approved traffic to the external destination
- Return traffic follows the symmetric path back through the firewall to the agent
This architecture helps make sure that the browser traffic is inspected and filtered, regardless of the destination.
Note: SNI-based filtering helps control which domains agents connect to at the TLS layer. For DNS-level control, including controls to help prevent DNS tunneling and exfiltration, pair this with Amazon Route 53 Resolver DNS Firewall. DNS Firewall helps address a limitation of SNI inspection: an agent could potentially resolve a blocked domain through DNS and connect by IP address directly.
Prerequisites
Before you begin, make sure that you have:
- An AWS account with permissions to create VPC resources, Network Firewall, and IAM roles
- AWS Command Line Interface (AWS CLI) version 2.x configured with appropriate credentials
- Access to Amazon Bedrock AgentCore
- Basic familiarity with VPC networking concepts
Walkthrough
For the complete step-by-step VPC and Network Firewall setup, see the Amazon Bedrock AgentCore VPC configuration documentation.
This section highlights the AgentCore Browser-specific configuration.
Step 1: Deploy resources using the CloudFormation template
Launch the CloudFormation template from the repository. You can keep the stack default values. However, make sure to add a stack name (for example, “agentcore-egress“) to the “Stack name” field, choose an Availability Zone on the “Availability Zone” menu, and include a valid existing bucket name on the “BucketConfigForOutput” parameter. Wait for the stack creation to complete, which typically takes 10 minutes. Continue with the following steps after the stack status changes to CREATE_COMPLETE.
Step 2: Review the IAM execution role
AgentCore Browser requires an IAM role with a trust policy for the Amazon bedrock-agentcore.amazonaws.com service:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "bedrock-agentcore.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Step 3: Configure the Network Firewall allowlist
Create a stateful rule group with your approved domains. Note the leading dot (.) to match subdomains:
cat > allowlist-rules.json << 'EOF'
{
"RulesSource": {
"RulesSourceList": {
"Targets": [
".wikipedia.org",
".stackoverflow.com",
".docs.aws.amazon.com",
".amazonaws.com",
".pypi.org",
".pythonhosted.org"
],
"TargetTypes": ["HTTP_HOST", "TLS_SNI"],
"GeneratedRulesType": "ALLOWLIST"
}
},
"StatefulRuleOptions": {
"RuleOrder": "STRICT_ORDER"
}
}
EOF
aws network-firewall create-rule-group \
--rule-group-name browser-allowed-domains \
--type STATEFUL \
--capacity 100 \
--rule-group file://allowlist-rules.json \
--region us-east-2
Important: Include .amazonaws.com in your allowlist if the browser requires AWS service access or use VPC Endpoints as an alternative.
Security consideration: The .amazonaws.com domain is a broad allowlist that permits access to hosted endpoints on AWS, including public Amazon Simple Storage Service (Amazon S3) buckets, Amazon API Gateway endpoints, and AWS Lambda function URLs. For tighter control, use VPC Endpoints for AWS service access and allowlist only the specific external domains your agents need.
For Code Interpreter: Consider adding “.pypi.org” and “.pythonhosted.org” if you need a pip package installation. Most common packages are pre-installed, making these domains optional for your use case.
Step 4: Configure the firewall policy
The firewall policy must use aws:drop_established as the default action. This allows TCP handshakes to complete (required for TLS SNI inspection) while dropping connections to non-allowed domains:
cat > firewall-policy.json << 'EOF'
{
"StatelessDefaultActions": ["aws:forward_to_sfe"],
"StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
"StatefulRuleGroupReferences": [
{
"ResourceArn": "arn:aws:network-firewall:us-east-2:ACCOUNT_ID:stateful-rulegroup/browser-allowed-domains",
"Priority": 1
}
],
"StatefulEngineOptions": {
"RuleOrder": "STRICT_ORDER"
},
"StatefulDefaultActions": ["aws:drop_established"]
}
EOFDo not use aws:drop_strict because it blocks TCP SYN packets before the TLS handshake, preventing SNI inspection.
Step 5: Create the security group
Create a security group that allows outbound traffic. The Network Firewall handles domain filtering, so the security group permits the egress:
# Create security group
aws ec2 create-security-group \
--group-name agentcore-egress-sg \
--description "AgentCore tools - egress only, filtered by Network Firewall" \
--vpc-id vpc-XXXXXXXXX \
--region us-east-2
# Allow all outbound traffic (Network Firewall handles filtering)
aws ec2 authorize-security-group-egress \
--group-id sg-XXXXXXXXX \
--protocol -1 \
--port -1 \
--cidr 0.0.0.0/0 \
--region us-east-2
# Remove default inbound rules if present (AgentCore tools don't need inbound)
aws ec2 revoke-security-group-ingress \
--group-id sg-XXXXXXXXX \
--protocol -1 \
--port -1 \
--cidr 0.0.0.0/0 \
--region us-east-2Step 6: Create the AgentCore Browser
Create the browser with VPC configuration pointing to your private subnet:
aws bedrock-agentcore-control create-browser \
--name my_secure_browser \
--execution-role-arn arn:aws:iam::ACCOUNT_ID:role/AgentCoreBrowserExecutionRole \
--network-configuration '{
"networkMode": "VPC",
"vpcConfig": {
"securityGroups": ["sg-XXXXXXXXX"],
"subnets": ["subnet-XXXXXXXXX"]
}
}' \
--region us-east-2Step 6b: Create AgentCore Code Interpreter (Optional)
You can also deploy AgentCore Code Interpreter in the same VPC with the same firewall protection:
aws bedrock-agentcore-control create-code-interpreter \
--name my_secure_code_interpreter \
--network-configuration '{
"networkMode": "VPC",
"vpcConfig": {
"securityGroups": ["sg-XXXXXXXXX"],
"subnets": ["subnet-XXXXXXXXX"]
}
}' \
--region us-east-2AgentCore Code Interpreter uses the same network path as Browser. If you need pip to install packages, make sure .pypi.org and .pythonhosted.org are in your allowlist.
Step 6c: Deploy agent on AgentCore Runtime (Optional)
For container-based agent deployments, use the same VPC configuration:
aws bedrock-agentcore-control create-agent-runtime \
--agent-runtime-name my_vpc_agent \
--role-arn arn:aws:iam::ACCOUNT_ID:role/AgentCoreRuntimeRole \
--agent-runtime-artifact '{
"containerConfiguration": {
"containerUri": "ACCOUNT_ID.dkr.ecr.us-east-2.amazonaws.com/my-agent:latest"
}
}' \
--network-configuration '{
"networkMode": "VPC",
"networkModeConfig": {
"securityGroups": ["sg-XXXXXXXXX"],
"subnets": ["subnet-XXXXXXXXX"]
}
}' \
--protocol-configuration '{"serverProtocol": "HTTP"}' \
--region us-east-2AgentCore Runtime domain requirements depend on your model provider. Include .amazonaws.com for Amazon Bedrock model API calls or add the appropriate domains for other model providers your agent uses. Additionally, allow custom domains that your agent must access.
Step 7: Test the Configuration
Start a browser session and verify that the firewall rules work correctly:
# Start browser session
aws bedrock-agentcore start-browser-session \
--browser-identifier my_secure_browser-ABC123xyz \
--region us-east-2Use the returned WebSocket URL with a browser automation tool like Playwright to test both allowed and blocked domains:
# test_firewall_rules.py
from playwright.sync_api import sync_playwright
import boto3
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest
WEBSOCKET_URL = "wss://your-session-url" # From start-browser-session response
REGION = "us-east-2"
# Sign the WebSocket URL with SigV4
session = boto3.Session(region_name=REGION)
credentials = session.get_credentials().get_frozen_credentials()
request = AWSRequest(method="GET", url=WEBSOCKET_URL.replace("wss://", "https://"))
SigV4Auth(credentials, "bedrock-agentcore", REGION).add_auth(request)
headers = dict(request.headers)
def test_domain(page, url, expected_success):
try:
response = page.goto(url, timeout=10000)
success = response and response.status < 400
status = "PASS" if success == expected_success else "FAIL"
print(f"{status}: {url} - {'loaded' if success else 'blocked'}")
return success == expected_success
except Exception as e:
success = False
status = "PASS" if not expected_success else "FAIL"
print(f"{status}: {url} - blocked ({type(e).__name__})")
return not expected_success
with sync_playwright() as p:
browser = p.chromium.connect_over_cdp(WEBSOCKET_URL, headers=headers)
page = browser.new_page()
# Test allowed domains (should load)
test_domain(page, "https://wikipedia.org", expected_success=True)
test_domain(page, "https://docs.aws.amazon.com", expected_success=True)
# Test blocked domains (should timeout/fail)
test_domain(page, "https://example.com", expected_success=False)
test_domain(page, "https://twitter.com", expected_success=False)
browser.close()Expected results:
- Allowed domains (.wikipedia.org, .amazonaws.com) should load successfully.
- Blocked domains should time out after the TCP handshake or return connection errors.
Note: Some allowed domains like docs.aws.amazon.com depend on CDN resources from domains such as awsstatic.com and cloudfront.net. If pages on allowed domains fail to render fully, add the required CDN domains to your allowlist.
You can also check the firewall logs in CloudWatch for blocked connection attempts:
# View recent alert logs (blocked connections)
aws logs filter-log-events \
--log-group-name "/aws/network-firewall/agentcore-egress/alerts" \
--filter-pattern '{ $.event.alert.action = "blocked" }' \
--region us-east-2 \
--start-time $(($(date +%s) - 300))000
# Verify firewall sync status before testing
aws network-firewall describe-firewall \
--firewall-name agentcore-egress-firewall \
--region us-east-2 \
--query 'FirewallStatus.ConfigurationSyncStateSummary'Troubleshooting: If allowed domains are blocked, verify:
- Firewall sync status shows IN_SYNC (rule changes take a few minutes)
- Domain entries include the leading dot (.wikipedia.org not wikipedia.org)
- Route tables are configured correctly for symmetric routing
- If you receive HTTP 403 errors on allowed domains, this is typically bot detection by the destination site, not a firewall block. Check CloudWatch ALERT logs to confirm—blocked connections will have explicit alert entries.
Best practices
- Use STRICT_ORDER evaluation: This facilitates predictable rule processing when combining allowlists and denylists.
- Include .amazonaws.com for AWS service access: Or use VPC Endpoints to avoid routing AWS API calls through the internet.
- Configure the IGW ingress route table: This is critical for symmetric routing. Without it, return traffic bypasses the firewall.
- Enable both ALERT and FLOW logs: ALERT logs capture blocked connections; FLOW logs provide connection metadata for the traffic.
- Wait for firewall sync: Rule changes take a few minutes to propagate. Verify ConfigurationSyncStateSummary: IN_SYNC before testing.
- Configure HOME_NET for multi-VPC architectures: By default, Network Firewall domain inspection only filters traffic originating from the deployment VPC’s Classless Inter-Domain Routing (CIDR) range. If you use a centralized firewall with AWS Transit Gateway to inspect traffic from multiple VPCs, you must configure the HOME_NET variable in your rule group to include the source CIDR ranges. Without this, traffic from other VPCs can bypass domain filtering.
Limitations and cost co
関連記事
今日のまとめ
AI日報で今日の重要ニュースをまとめ読み