The agent runtime with no enforcement point.
The blast radius of a compromised AgentCore Runtime is decided by architecture. The Runtime's outbound connections are the tenant's responsibility — by default they reach the open internet with no in-path enforcement. The Cascade in March 2026 proved what this costs: an exfiltration attempt was blocked before the first packet left the VPC for an Aviatrix customer with workload-level Communication Governance in place. Detection saw it in the logs. The architecture stopped it.
1. Malicious npm package planted in agent toolchain via supply-chain attack (Cascade, March 2026). Passes vulnerability scanning — no known CVE at install time.
2. Compromised MCP tool response injects a follow-on instruction into the agent's context window, redirecting it toward data collection and upload to attacker host.
3. Agent uses legitimate Confluence, S3, or service permissions to collect confidential content — indistinguishable from an authorized workflow on the wire.
4. Agent calls HTTPS POST to attacker-controlled domain. TCP SYN traverses the Aviatrix Spoke Gateway. Destination not in permit list — connection never completes.
5. DENY log in CoPilot DCF Monitor — Runtime subnet identity, destination FQDN, rule name, timestamp. Full attribution for HIPAA, SOC 2, and EU AI Act audit.
Two enforcement layers. Zero code changes.
AgentCore VPC mode — Communication Governance starts at the Runtime ENI
AgentCore VPC mode drops the per-session microVM ENI in customer-controlled subnets. Aviatrix sets the default route on that subnet to point to the Spoke Gateway — so every outbound flow the Runtime initiates traverses DCF inline, before the first packet leaves the subnet. Two PrivateLink consumer endpoints (data plane + control plane) anchor the AgentCore API in the same landing-zone spoke, giving you full visibility on both the agent's egress and the client's ingress.
Communication Governance at the workload — blast radius bounded by policy, not detection speed
The Distributed Cloud Firewall evaluates a seven-rule policy pack first-match at the Spoke Gateway. Sanctioned model providers, tool destinations, and MCP servers are explicitly permitted by SmartGroup. Everything else — attacker domains, unsanctioned providers, DNS-tunneled exfil — hits the default-deny and is logged with a human-readable rule name. An IAM managed policy with condition keys on bedrock-agentcore:subnets and bedrock-agentcore:securityGroups denies CreateAgentRuntime, CreateAgentRuntimeEndpoint, UpdateAgentRuntime, CreateBrowser, and CreateCodeInterpreter unless the request references the approved landing-zone subnet and security group IDs. A PUBLIC mode Runtime fails at the AWS API before any packet flows. Communication Governance defines which destinations the agent can reach, on which protocols, with what certificate posture — and enforces that definition before any connection completes. It does not inspect prompt content, validate tool arguments, or filter model responses; those are the AI guardrail layer.
The Runtime subnet's default route points to the Spoke Gateway — every connection subject to Communication Governance before it reaches the wire. Seven rules in priority order: see policy pack table below. Rule changes propagate via eBPF in ~100ms — blast radius is bounded by the policy at the moment of compromise, not SOC response time. Deploy in monitor mode first; promote rule by rule.
Two interface VPC endpoints — bedrock-agentcore (data plane) and bedrock-agentcore-control — live in the same landing-zone spoke. DCF applies ingress allow rules keyed on the client VPC SmartGroup; unauthorized VPCs cannot initiate sessions. Transit is not required for standalone deployments — the Spoke Gateway deploys directly in the AgentCore VPC with no hub peering needed.
IAM condition keys on bedrock-agentcore:subnets and bedrock-agentcore:securityGroups deny five actions — CreateAgentRuntime, CreateAgentRuntimeEndpoint, UpdateAgentRuntime, CreateBrowser, CreateCodeInterpreter — unless the request references approved landing-zone IDs. A PUBLIC mode Runtime fails at the AWS API before any packet flows. No network-layer change required.
DCF Policy Pack — Seven Rules in Priority Order
First match wins. Every rule logs to CoPilot DCF Monitor with a human-readable name. Deploy all rules in monitor mode first; promote to enforcement rule by rule after validating against production traffic. The dataplane never reloads on rule changes.
| Pri | Rule Name | Source | Destination | Action | TLS / Notes |
|---|---|---|---|---|---|
| 10 | allow-client-dataplane | client-spoke-vpc | agentcore-dataplane-fqdn | PERMIT | TCP 443 · Ingress to PrivateLink data plane from client VPC. |
| 15 | allow-client-controlplane | client-spoke-vpc | agentcore-controlplane-fqdn | PERMIT | TCP 443 · Ingress to PrivateLink control plane from client VPC. |
| 20 | allow-sanctioned-models | agentcore-runtime-subnet | avx-ai-llm-providers | PERMIT | TCP 443 · Egress to sanctioned LLM API providers. Aviatrix-managed WebGroup, auto-updated. |
| 25 | allow-sanctioned-tools | agentcore-runtime-subnet | Custom tool FQDN list | PERMIT | TCP 443 · Egress to explicitly approved tool endpoints. Operator-maintained. |
| 29 | deny-supply-chain-ioc | agentcore-runtime-subnet | supply-chain-fqdn-group | DENY | URL filter · DECRYPT_ALLOWED · Blocks IoC URL paths on sanctioned domains (Shai-Hulud pattern on raw.githubusercontent.com); legitimate paths on same host return HTTP 200. Requires Controller 8.2+. |
| 30 | allow-aws-control-plane | agentcore-runtime-subnet | AWS service FQDNs | PERMIT | DECRYPT_NOT_ALLOWED · ECR, STS, SSM, CloudWatch. AWS service endpoints strict-validate cert chains — explicit bypass required. |
| 35 | allow-sanctioned-mcp | agentcore-runtime-subnet | avx-ai-mcp-agent-platforms | PERMIT | TCP 443 · Egress to sanctioned MCP server platforms. Aviatrix-managed WebGroup, auto-updated. |
| 40 | deny-dns-exfil | agentcore-runtime-subnet | ANY | DENY | UDP/TCP 53 to non-VPC-resolver IPs. Blocks DNS tunneled exfiltration. Runtime subnet must use AWS-provided resolver (169.254.169.253 or VPC+2) via DHCP options. |
| 1000 | default-deny | agentcore-runtime-subnet | ANY | DENY | All protocols · Final default-deny. Every match logged to CoPilot FlowIQ with workload identity, destination, rule name, and timestamp. |
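A first-match walk through the policy pack above, written as an added example for this page (it is not the blueprint's Terraform or any Aviatrix code). Addressing, group membership and the IoC path are constructed assumptions; the point it shows beyond the table is that an FQDN permit placed before the priority-29 URL filter, and containing the same host, captures the flow first, and that DNS to the VPC resolver never reaches the Spoke Gateway because it follows the VPC local route.

```python
import ipaddress
# Constructed addressing and group membership (assumptions for this example;
# the Aviatrix Controller resolves the real SmartGroup/WebGroup objects).
RUNTIME = ipaddress.ip_network("10.30.1.0/24")    # agentcore-runtime-subnet
CLIENT = ipaddress.ip_network("10.20.0.0/16")     # client-spoke-vpc
RESOLVERS = {"169.254.169.253", "10.30.0.2"}      # AWS resolver, VPC+2
GROUPS = {
    "agentcore-dataplane-fqdn": {"agentcore-data.privatelink.example"},
    "agentcore-controlplane-fqdn": {"agentcore-control.privatelink.example"},
    "avx-ai-llm-providers": {"api.openai.com"},
    "custom-tool-fqdns": {"tools.corp.example"},
    "supply-chain-fqdn-group": {"raw.githubusercontent.com"},
    "aws-service-fqdns": {"sts.amazonaws.com"},
    "avx-ai-mcp-agent-platforms": {"mcp.platform.example"},
}
IOC_PATHS = {"/constructed-ioc/loader.sh"}        # placeholder, not a real IoC

# (priority, rule name, source SmartGroup, destination group, port, action)
RULES = [
    (10, "allow-client-dataplane", CLIENT, "agentcore-dataplane-fqdn", 443, "PERMIT"),
    (15, "allow-client-controlplane", CLIENT, "agentcore-controlplane-fqdn", 443, "PERMIT"),
    (20, "allow-sanctioned-models", RUNTIME, "avx-ai-llm-providers", 443, "PERMIT"),
    (25, "allow-sanctioned-tools", RUNTIME, "custom-tool-fqdns", 443, "PERMIT"),
    (29, "deny-supply-chain-ioc", RUNTIME, "supply-chain-fqdn-group", 443, "DENY"),
    (30, "allow-aws-control-plane", RUNTIME, "aws-service-fqdns", 443, "PERMIT"),
    (35, "allow-sanctioned-mcp", RUNTIME, "avx-ai-mcp-agent-platforms", 443, "PERMIT"),
    (40, "deny-dns-exfil", RUNTIME, "ANY", 53, "DENY"),
    (1000, "default-deny", RUNTIME, "ANY", None, "DENY"),
]

def rule_matches(rule, src, dst, port, path):
    _, name, source, group, rule_port, _ = rule
    if ipaddress.ip_address(src) not in source or (rule_port and rule_port != port):
        return False
    if group != "ANY" and dst not in GROUPS[group]:
        return False
    # The priority-29 URL filter (DECRYPT_ALLOWED) matches only IoC paths;
    # other paths on the same host fall through to the later rules.
    return path in IOC_PATHS if name == "deny-supply-chain-ioc" else True

def evaluate(src, dst, port, path=""):
    """Return a DCF Monitor-style record for the first rule the flow matches."""
    # DNS to the VPC resolver follows the VPC local route, not the default
    # route to the Spoke Gateway, so DCF never evaluates it.
    if dst in RESOLVERS:
        return {"src": src, "dst": dst, "rule": None, "action": "LOCAL-ROUTE"}
    for rule in RULES:
        if rule_matches(rule, src, dst, port, path):
            return {"src": src, "dst": dst, "rule": rule[1], "action": rule[5]}
    return {"src": src, "dst": dst, "rule": None, "action": "NO-MATCH"}
```

Re-running `evaluate` after adding a supply-chain host to the priority-25 tool list is the shadowing check worth doing in monitor mode: the IoC path is then permitted by `allow-sanctioned-tools` and the URL filter never fires.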
SmartGroup and WebGroup Objects
Five SmartGroup objects and two Aviatrix-managed AI WebGroups, defined in the Aviatrix Controller and referenced by name in the DCF policy pack. All objects are defined in Terraform and ship with the blueprint.
| Object | Type / Scope / Purpose |
|---|---|
| agentcore-runtime-subnet | Subnet SmartGroup — matches the Runtime subnet CIDR in the AgentCore landing-zone VPC. Source identity for all egress rules targeting the Runtime. |
| agentcore-dataplane-fqdn | FQDN WebGroup — matches the bedrock-agentcore PrivateLink hostname for the landing-zone region. Destination identity for the ingress allow rule from the client spoke. |
| agentcore-controlplane-fqdn | FQDN WebGroup — matches the bedrock-agentcore-control PrivateLink hostname. Destination identity for the control-plane ingress allow rule. |
| client-spoke-vpc | VPC SmartGroup — matches the client VPC that invokes AgentCore sessions. Source identity for ingress allow rules to the PrivateLink endpoints. |
| supply-chain-fqdn-group | FQDN WebGroup — scoped to supply-chain hosts where URL-path enforcement is required (raw.githubusercontent.com and equivalents). Used exclusively in the priority-29 URL-filter rule with DECRYPT_ALLOWED. All other rules set DECRYPT_NOT_ALLOWED explicitly. Requires Controller 8.2+. |
| avx-ai-llm-providers | Aviatrix-managed AI WebGroup — curated, auto-updated destination list covering all major LLM API providers. Used in the allow-sanctioned-models rule. No operator maintenance required. |
| avx-ai-mcp-agent-platforms | Aviatrix-managed AI WebGroup — curated destination list for sanctioned MCP server platforms. Used in the allow-sanctioned-mcp rule. No operator maintenance required. |
What this architecture governs — and what it does not
Communication Governance defines what every AgentCore Runtime can communicate with — which destinations, on which protocols, with what certificate posture — and enforces that definition in-path at every connection. The following capabilities are explicitly out of scope: not because they are unimportant, but because they operate at a different layer of the stack. A practitioner deploying this VCA should know exactly where the blast radius reduction claim begins and ends.
AI guardrail layer — Bedrock Guardrails for content policy. Aviatrix governs network reachability; Guardrails govern content. Both are required for a complete posture.
AgentGuard Shadow AI Discovery discovers every AI workload via cloud telemetry with no gateway insertion required. Feeds directly into VCA policy targeting — find ungoverned Runtimes before applying containment.
covers AgentCore Runtime only. The MITM CA is already provisioned to Secrets Manager to accommodate Browser and Code Interpreter in v2. Do not claim v2 coverage in field conversations until those primitives ship.
Governed by Aviatrix DCF East-West policy on the transit fabric — separate ruleset from the egress policy pack in this VCA. If your deployment requires East-West containment between the AgentCore VPC and adjacent workload VPCs, add an East-West SmartGroup deny rule scoped to the AgentCore Runtime subnet.
Everything your team needs.
Security, architecture, and deployment artifacts for every stakeholder. All assets ship on May 27 alongside the Terraform blueprint.
Requires Aviatrix Enterprise · Controller 8.2+ · 1 managed network per landing zone
New to Aviatrix? Start the Enterprise free trial — VCAs included at no extra cost. Already deployed? Pull the Terraform from GitHub.
Reference Architecture
Prerequisites, SmartGroup and WebGroup design, full DCF policy pack in priority order, IAM managed policy, TLS decryption configuration, operational safety properties, and AWS domain requirements. For platform engineers deploying the blueprint.
Threat Model & Enforcement
AgentCore threat model, full kill chain with point of intervention, four enforcement layers, why AWS-native controls are insufficient, architectural boundaries, and compliance evidence artifacts for HIPAA, PCI-DSS, SOC 2, FedRAMP, and EU AI Act. For security architects.
Field & Buyer Overview
Threat narrative, architecture summary, three things your current stack can't do — including why Bedrock Guardrails doesn't govern network egress — compliance proof points, and discovery questions for security conversations.
Full Terraform Blueprint
Infrastructure as code for the complete deployment: Aviatrix transit + spoke, AgentCore landing zone, PrivateLink endpoints, DCF policy pack, IAM guardrail, ECR repo with sample Runtime. One terraform apply, deploys in 25–30 minutes.
Attack simulation
60-second lab recording. A prompt-injected AgentCore Runtime attempts to exfiltrate credentials to an attacker-controlled domain. The DCF default-deny rule fires before the TCP handshake completes. CoPilot FlowIQ logs the attempt with full workload identity and rule attribution.
Available soon.
Trusted by enterprise security teams
- SOC 2 Type II: independently audited
- ISO 27001: certified
- 500+ enterprises, including 10% of the Fortune 500
- Zero data-plane access: Aviatrix never touches your traffic
Documented before you find them in production.
Lab-validated limitations and workarounds for . Published upfront so your POC matches the docs — and so security architects can plan around them before deployment day.