Advanced

AWS Best Practices & Checklist

A comprehensive checklist, multi-account strategy, AWS Control Tower integration, regular access review process, emergency procedures, and answers to the most common AWS-specific questions about AI agent guardrails.

Complete AWS Guardrails Checklist

Use this checklist when setting up any AWS account for AI agent access. Each item corresponds to a lesson in this course.

Identity & Access (Lesson 2)

| Item | Priority | Status |
|---|---|---|
| Create a dedicated IAM role for each AI agent | Critical | |
| Attach explicit deny policy for all destructive actions | Critical | |
| Set a permission boundary on the AI agent role | High | |
| Add IP-based condition to restrict agent to known networks | Medium | |
| Add time-based condition for business hours only | Medium | |
| Set max session duration to 1 hour | High | |
| Never use root credentials for AI agents | Critical | |
| Test policies with IAM Policy Simulator | High | |

Organization Controls (Lesson 3)

| Item | Priority | Status |
|---|---|---|
| Apply SCP denying all deletion in production OU | Critical | |
| Apply tag-based SCP for staging/dev OUs | High | |
| Protect Lifecycle tags from modification | High | |
| Provide sandbox account for unrestricted AI agent use | Medium | |
| Test SCPs in test OU before production | High | |

Resource Protection (Lesson 4)

| Item | Priority | Status |
|---|---|---|
| Enable EC2 termination protection on all production instances | Critical | |
| Enable RDS deletion protection on all databases | Critical | |
| Enforce RDS final snapshot (never skip) | Critical | |
| Enable S3 versioning on all buckets | Critical | |
| Enable S3 Object Lock on critical data buckets | High | |
| Enable CloudFormation termination protection | High | |
| Enable DynamoDB deletion protection | High | |
| Use Terraform prevent_destroy on all critical resources | High | |

Monitoring (Lesson 5)

| Item | Priority | Status |
|---|---|---|
| Enable multi-region CloudTrail with log validation | Critical | |
| Create EventBridge rules for destructive API calls | Critical | |
| Set up SNS notifications to team (email/Slack) | Critical | |
| Create CloudWatch alarm for access denied spikes | High | |
| Create CloudWatch alarm for API call volume spikes | Medium | |
| Enable AWS Config rules for protection compliance | High | |

Backup (Lesson 6)

| Item | Priority | Status |
|---|---|---|
| Configure AWS Backup with daily plan | Critical | |
| Enable cross-region backup copies | High | |
| Enable S3 cross-region replication (no delete marker replication) | High | |
| Set RDS backup retention to 35 days | High | |
| Automate EC2 AMI creation (daily) | Medium | |
| Document recovery procedures for each service | High | |
| Test recovery procedures quarterly | High | |

Multi-Account Strategy

A multi-account strategy is the most effective way to isolate AI agent activity and limit blast radius. Here is the recommended structure:

Sandbox Account

Purpose: Unrestricted AI agent experimentation. Agents can create and destroy freely. No production data. Reset weekly.

SCPs: None (or only prevent IAM escalation)

AI Agent Access: Full create/delete permissions

Development Account

Purpose: Shared development resources. AI agents can create and modify but deletion is restricted to ephemeral resources.

SCPs: DenyDeleteUnlessEphemeral

AI Agent Access: Read, create, modify; delete only ephemeral

Staging Account

Purpose: Pre-production validation. AI agents can deploy but cannot delete. Mirrors production configuration.

SCPs: DenyDeleteUnlessEphemeral + tag protection

AI Agent Access: Read, create, deploy; no deletion

Production Account

Purpose: Live customer-facing services. AI agents should have read-only access. All changes go through CI/CD.

SCPs: DenyAllDeletion + DenyAllModification (except via CI/CD role)

AI Agent Access: Read-only (logs, metrics, describe)

AWS Control Tower Guardrails

If you use AWS Control Tower, you can leverage its built-in controls (previously called "guardrails") for AI agent safety:

| Control Tower Guardrail | Type | Relevance for AI Agents |
|---|---|---|
| Disallow deletion of log archive | Mandatory | Prevents AI agents from deleting CloudTrail logs |
| Enable CloudTrail in all regions | Mandatory | Ensures all agent activity is logged |
| Disallow changes to CloudTrail | Mandatory | Prevents agents from disabling logging |
| Detect public S3 buckets | Detective | Catches if agent makes bucket public |
| Detect unencrypted EBS volumes | Detective | Catches if agent creates unencrypted volumes |
| Detect RDS instances without deletion protection | Detective | Alerts when protection is disabled |
| Disallow internet connection through SSH | Elective | Prevents agent from opening SSH to the world |

Bash — Enable Control Tower guardrails

```bash
# List the controls currently enabled on the target OU
aws controltower list-enabled-controls \
  --target-identifier arn:aws:organizations::123456789012:ou/o-xxxxx/ou-xxxx-xxxxxxxx

# Enable a specific control (e.g., detect RDS without deletion protection)
aws controltower enable-control \
  --control-identifier arn:aws:controltower:us-east-1::control/AWS-GR_RDS_INSTANCE_DELETION_PROTECTION_ENABLED \
  --target-identifier arn:aws:organizations::123456789012:ou/o-xxxxx/ou-xxxx-xxxxxxxx
```

Regular Access Review Process

AI agent permissions should be reviewed regularly as your infrastructure evolves. Implement this quarterly review process:

1. Audit AI agent IAM roles — List all policies attached to AI agent roles. Verify deny policies are still comprehensive. Check for any new AWS services that need deny rules.
2. Review CloudTrail logs — Analyze what actions AI agents have performed in the last quarter. Look for actions that should be denied but are not.
3. Check AWS Config compliance — Verify all resources are compliant with protection rules. Address any non-compliant resources.
4. Test recovery procedures — Perform a disaster recovery drill. Verify backups are working and can be restored within the expected timeframe.
5. Update documentation — Record any changes to IAM policies, SCPs, or procedures. Ensure the team knows the current guardrail configuration.

Bash — Commands for quarterly access review

```bash
# List all policies attached to the AI agent role
aws iam list-attached-role-policies --role-name AIAgentRole --output table

# Check permission boundary
aws iam get-role --role-name AIAgentRole \
  --query 'Role.PermissionsBoundary.PermissionsBoundaryArn'

# Generate credential report to find unused AI agent users
aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 -d

# Find last used date for AI agent access keys
aws iam get-access-key-last-used --access-key-id AKIAIOSFODNN7EXAMPLE

# Check AWS Config compliance summary
aws configservice get-compliance-summary-by-config-rule --output table
```
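
For the "verify deny policies are still comprehensive" part of step 1, the check can be scripted against a policy document exported from IAM. This is an added example, not code from the course: the action list and the sample policy are constructed, and the three status labels are this example's own convention.

```python
import re

# Constructed list of destructive actions to check; extend it for your services.
DESTRUCTIVE_ACTIONS = [
    "ec2:TerminateInstances", "rds:DeleteDBInstance", "s3:DeleteBucket",
    "dynamodb:DeleteTable", "cloudformation:DeleteStack",
]

# Constructed sample policy document (the JSON body of an IAM policy).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": ["rds:Delete*", "s3:DeleteBucket"], "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:ResourceTag/Lifecycle": "ephemeral"}}},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    """IAM action patterns are case-insensitive; * and ? are the only wildcards."""
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def audit_deny_coverage(policy, actions=DESTRUCTIVE_ACTIONS):
    """Return {action: 'denied' | 'conditional' | 'uncovered'}."""
    result = {action: "uncovered" for action in actions}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue  # Allow statements never protect anything
        # A deny limited to some resources or guarded by a condition is only partial cover.
        blanket = "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt
        for action in actions:
            if "Action" in stmt:
                hit = _matches(action, _as_list(stmt["Action"]))
            else:  # NotAction denies everything except the listed patterns
                hit = "NotAction" in stmt and not _matches(action, _as_list(stmt["NotAction"]))
            if hit and result[action] != "denied":
                result[action] = "denied" if blanket else "conditional"
    return result

if __name__ == "__main__":
    for action, status in audit_deny_coverage(SAMPLE_POLICY).items():
        print(f"{status:12} {action}")
```

Anything reported as uncovered or conditional is a candidate for a new deny rule or a manual look at the condition.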

Emergency Procedures

When you detect an AI agent actively causing damage, follow this emergency procedure:

Emergency priority order: Stop the damage first, investigate second, remediate third. Do not waste time understanding the root cause while resources are being deleted.

1. Revoke AI agent credentials immediately:

Bash — Emergency credential revocation

```bash
# Option A: Deactivate access keys
aws iam update-access-key --user-name ai-agent --access-key-id AKIAXXXXX --status Inactive

# Option B: Attach an explicit deny-all policy to the role
aws iam put-role-policy --role-name AIAgentRole --policy-name EmergencyDenyAll \
  --policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Deny","Action":"*","Resource":"*"}]}'

# Option C: Revoke all active sessions for the role
aws iam put-role-policy --role-name AIAgentRole --policy-name RevokeOldSessions \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateLessThan": {"aws:TokenIssueTime": "'$(date -u +%Y-%m-%dT%H:%M:%SZ)'"}
      }
    }]
  }'
```

2. Assess the damage — Check CloudTrail for all actions performed by the agent in the last hour. List all deleted resources.
3. Begin recovery — Follow the service-specific recovery procedures from Lesson 6. Prioritize customer-facing services.
4. Investigate root cause — Determine how the agent bypassed guardrails. Was it a policy gap? A misconfiguration? A new service not covered by deny policies?
5. Update guardrails — Close the gap that allowed the incident. Update IAM policies, SCPs, and monitoring rules.
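
The damage assessment in step 2 comes down to filtering CloudTrail records by role, time window and event name, then separating calls that succeeded from calls a guardrail blocked. This is an added example, not code from the course: the records are constructed, and recognising destructive calls by event-name prefix is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone

# Assumption: destructive calls are recognised by their event-name prefix.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Remove", "Purge")

def _rec(time, source, name, role, error=None):
    """Build a constructed record holding the CloudTrail fields this check reads."""
    identity = {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {"userName": role}}}
    rec = {"eventTime": time, "eventSource": source, "eventName": name, "userIdentity": identity}
    return {**rec, "errorCode": error} if error else rec

# Constructed sample records, not real log data.
SAMPLE_EVENTS = [
    _rec("2024-05-01T10:30:00Z", "dynamodb.amazonaws.com", "DeleteTable", "AIAgentRole"),
    _rec("2024-05-01T11:10:05Z", "ec2.amazonaws.com", "TerminateInstances", "AIAgentRole"),
    _rec("2024-05-01T11:12:40Z", "rds.amazonaws.com", "DeleteDBInstance", "AIAgentRole", "AccessDenied"),
    _rec("2024-05-01T11:20:00Z", "s3.amazonaws.com", "DeleteBucket", "AIAgentRole"),
    _rec("2024-05-01T11:25:00Z", "ec2.amazonaws.com", "DescribeInstances", "AIAgentRole"),
    _rec("2024-05-01T11:30:00Z", "s3.amazonaws.com", "DeleteBucket", "CICDRole"),
]

def issuing_role(record):
    """Role behind an assumed-role session, falling back to the IAM user name."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or ident.get("userName")

def assess_damage(records, role_name, now, window=timedelta(hours=1)):
    """Return (succeeded, blocked) destructive calls by role_name inside the window."""
    succeeded, blocked = [], []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        when = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        if issuing_role(rec) != role_name or not (now - window <= when <= now):
            continue
        if not rec["eventName"].startswith(DESTRUCTIVE_PREFIXES):
            continue
        # An errorCode means the call failed, for example because a deny policy stopped it.
        (blocked if "errorCode" in rec else succeeded).append(rec)
    return succeeded, blocked

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    for label, recs in zip(("RECOVER", "BLOCKED"), assess_damage(SAMPLE_EVENTS, "AIAgentRole", now)):
        for rec in recs:
            print(label, rec["eventTime"], rec["eventSource"], rec["eventName"])
```

The succeeded list is the recovery worklist for step 3; the blocked list shows which guardrails held.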

Frequently Asked Questions

No. An explicit deny in IAM always wins, regardless of any allow statements. The only entity that can bypass IAM entirely is the AWS root account user. This is why you should never give an AI agent root credentials. As long as the agent uses an IAM user or role, deny policies are absolute.

Ideally, AI agents should only have read-only access to production accounts. All changes to production should go through a CI/CD pipeline with human approval gates. If you must give agents write access, ensure comprehensive deny policies, SCPs, resource protection, and real-time monitoring are all in place.

Three approaches: (1) Deny the cloudformation:DeleteStack and service-specific delete actions via IAM so terraform destroy fails. (2) Use Terraform prevent_destroy lifecycle rules on critical resources. (3) Use a Terraform wrapper script that intercepts destroy commands and requires human confirmation. The best approach is to combine all three.

Use a sandbox account where the agent has full permissions. For staging/dev accounts, use tag-based SCPs that only allow deletion of resources tagged Lifecycle=ephemeral. Teach the agent (via system prompts or configuration) to always tag temporary resources as ephemeral. Never allow deletion of production resources.

Most guardrails are free or very low cost. IAM policies, SCPs, and resource protection settings are free. CloudTrail has a free tier (one trail per account). EventBridge rules are $1/million events. SNS notifications are pennies. AWS Backup and cross-region replication have storage costs that vary by data volume but are typically $50-200/month for small-to-medium workloads. The cost of not having guardrails (a production deletion incident) far exceeds this.

Yes. These are AWS-level controls that operate at the API layer. It does not matter which AI agent is making the API call — Claude Code, GitHub Copilot, Cursor, Devin, or any other agent. If the agent uses AWS credentials (access keys, IAM roles, SSO), these guardrails apply. The guardrails are agent-agnostic.

Use CloudTrail to search for all API calls made by the AI agent's IAM role or user. Filter by the agent's user name (for an assumed role, CloudTrail records the role session name in this field): aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=AIAgentRole. For ongoing monitoring, set up CloudWatch metric filters that track the agent's API call patterns and alert on anomalies.

Yes, and it is recommended. AWS IAM Identity Center (SSO) provides short-lived credentials that expire automatically, reducing the risk of long-lived access keys being leaked. Configure the AI agent to use aws sso login with a dedicated SSO permission set that includes your deny policies. The temporary credentials have a maximum session duration you can control.

Course Summary

You have now learned every layer of the defense-in-depth strategy for securing AI agents on AWS:

| Layer | Mechanism | Lesson |
|---|---|---|
| 1. Identity | Dedicated IAM roles, deny policies, permission boundaries | Lesson 2 |
| 2. Organization | SCPs, tag-based controls, OU structure | Lesson 3 |
| 3. Resource | Termination/deletion protection, Object Lock, stack policies | Lesson 4 |
| 4. Detection | CloudTrail, EventBridge, SNS, CloudWatch, AWS Config | Lesson 5 |
| 5. Recovery | AWS Backup, cross-region replication, point-in-time recovery | Lesson 6 |
| 6. Process | Checklist, multi-account strategy, access reviews, emergency procedures | Lesson 7 |

Start today: You do not need to implement everything at once. Start with the Critical priority items from the checklist above: dedicated IAM role with deny policy, CloudTrail logging, and resource protection on your most important resources. Then build out the remaining layers over the next few weeks.