Skip to content
Cloud

Govern AI agents on AWS

Add governance to AI agents that inspect and act on AWS. The AWS pack routes governed read and write calls through Cordum's policy engine: read-style API calls are allowed by default, while writes require approval. Per-action allow/deny rules and a least-privilege IAM role on the worker keep agents inside approved boundaries, and every call is written to the audit trail.

What this pack does

  • Governed read/write over AWS API calls (read allowed by default, write requires approval)
  • Per-action allow/deny via policy rules
  • Least-privilege IAM role held by the worker, not the agent
  • Audit trail for all cloud operations

Use cases

Require approval before agents make write-category AWS API calls

Deny sensitive write actions (e.g. iam:* changes) with a policy rule

Audit every agent-initiated AWS operation

Quick setup

  1. 1Install the AWS pack: cordumctl pack install aws
  2. 2Configure AWS credentials with a least-privilege IAM role on the worker
  3. 3Define per-action allow/deny policy rules
  4. 4Enable the pack in your Cordum dashboard

Frequently asked questions

How does Cordum govern agent actions on AWS?

The AWS pack exposes governed read and write topics. Each agent API call is evaluated against policy before dispatch, so read-style calls are allowed by default while write-category calls require approval. You scope what the agent can reach with per-action allow/deny rules and the IAM role the worker runs under.

Can I block agents from changing IAM policies?

Yes, by policy. Write actions require approval by default, and you can author a rule that denies sensitive actions such as IAM changes outright. The Safety Kernel returns the decision before the AWS call executes, so a denied action never reaches AWS. The worker's IAM role should also be scoped so the privilege is not there to begin with.

How do I keep agents from making unintended write changes?

Writes are gated by default and you grant the worker only the IAM permissions it needs. Anything outside that least-privilege role fails at AWS regardless of policy, and within it you can require approval or deny specific actions so an agent cannot provision or modify resources without oversight.

Should agents have AWS credentials directly?

No. Configure the pack with a least-privilege IAM role on the worker rather than handing credentials to the agent. The agent requests an action, Cordum governs it, and the worker performs the call under its scoped role, with every cloud operation written to the audit trail.

Ready to govern AWS?

Other integrations