Guardrail placement alters security in Amazon Bedrock Agents versus self‑orchestrated AI agents

An engineering post compares where to insert guardrails in Amazon Bedrock Agents versus a self‑orchestrated agent using an AI guard, demonstrating an indirect prompt‑injection attack that abuses a tool call to exfiltrate a secret.

An engineering post demonstrates that the location of guardrails inside an AI agent’s orchestration loop can decide whether an indirect prompt‑injection attack succeeds. The author runs the same exploit against a managed Amazon Bedrock Agent and a self‑orchestrated agent augmented with an AI guard to show that visibility into intermediate states — and not just the guardrail logic itself — determines what can be detected and blocked.

The demo uses a concrete scenario: a user asks the agent to “Read GitHub Issue #123 and summarize it.” The agent calls a GetIssues tool to retrieve the issue body, and that retrieved text contains an embedded adversarial instruction instructing the agent to call a GetLocalSecrets action and include its result. The attack thus arrives via a trusted tool output rather than a direct user prompt, classifying it as an indirect prompt‑injection.

In the managed Bedrock Agent example, custom developer code runs only at the Action Group Lambda extension point. Because that Lambda is the sole place for custom logic, any guardrails implemented there cannot observe the agent’s full conversation history or intermediate model outputs. That limited visibility narrows what the guardrail can evaluate and lets certain tool‑mediated injections slip through.

By contrast, the self‑orchestrated agent in the post places evaluations at multiple hook points around model and tool calls. Those insertions include pre‑tool checks, post‑tool inspections of retrieved data, and decision‑time validations before executing sensitive actions. With broader visibility at each stage, the agent can detect and halt attempts that rely on malicious instructions embedded in tool responses.

To reason about these differences, the writeup frames a simplified agent orchestration loop with three recurring phases: intake and context merge; prompt construction from merged context plus system instructions; and the decision/loop control phase where the agent selects model calls or tool calls. Because model outputs can trigger further tool usage, the loop is recursive; each phase therefore offers distinct points where guardrails can be inserted, and each point has different access to state and control.

The comparison highlights an engineering trade‑off. Managed systems like Amazon Bedrock Agents supply a convenient, integrated runtime but often expose a single extension point, which can limit in‑app governance. Self‑orchestrated approaches demand more engineering work to implement and maintain, yet they enable pre‑tool, post‑tool and decision‑time checks that are better suited to catching indirect injections delivered via retrieved data.