[Update] Amazon Bedrock AgentCore Policy now supports Amazon Bedrock Guardrails

A few hours ago at AWS New York Summit, Guardrails support for Amazon Bedrock AgentCore Policy was announced. This post introduces the feature, which can block prompt injection and sensitive information leakage in real time at the gateway boundary, without touching the agent's code.
2026.06.18

This is Ishikawa from the Cloud Business Division. At AWS New York Summit on June 17, 2026, it was announced that Amazon Bedrock AgentCore Policy now supports Amazon Bedrock Guardrails. This makes it possible to evaluate AI agent actions and tool calls in real time at the gateway boundary, blocking risks such as prompt injection and sensitive information leakage.

https://aws.amazon.com/about-aws/whats-new/2026/06/amazon-bedrock-agentcore-policy-guardrails-generally-available/

For those looking to scale AI agents in production environments, this is a noteworthy update that significantly strengthens safety and security controls without touching the agent's code.

What is Policy in Amazon Bedrock AgentCore

Policy in Amazon Bedrock AgentCore is an authorization feature that became generally available (GA) in March 2026, controlling which actions AI agents can perform. It intercepts all agent traffic passing through AgentCore Gateway and determines allow/deny per request against the policy.

Policies are written in "Cedar," an authorization policy language developed as open source by AWS. Cedar is human-readable, supports analysis through automated reasoning, and follows a default-deny design in which only explicitly permitted tool calls are allowed through. There is also a feature that converts rules written in natural language (plain English) into Cedar policies and validates them.

The key point is that these controls are enforced outside the agent's code — at the gateway boundary. This ensures consistent, deterministic control independent of how the agent is implemented.

What is Policy's Amazon Bedrock Guardrails Support

With this update, Amazon Bedrock Guardrails can now be used within Policy evaluation. Guardrails provides defenses against representative security and safety risks in AI agent workloads, such as prompt injection attacks and sensitive data exposure.

The main changes are as follows.

  • The "output" of all authorized agent actions and the "input" of each call to gateway targets (tools, agents, models) are evaluated in real time
  • Prompt injection attacks, harmful content, and sensitive information exposure are detected and blocked before reaching downstream systems
  • Guardrails evaluation results are assessed within the Policy at the gateway boundary, ensuring consistent control regardless of the degree of agent autonomy
  • All policy evaluations are logged through AgentCore observability for use in optimization and auditing
  • Works as-is with existing AgentCore Gateway deployments, with no new infrastructure required
  • Policies can be written in natural language or policy-as-code
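The decision logic described above, sketched as a small conceptual model. This is an added example, not AWS, AgentCore or Cedar code. The principal, tool names, policy names and the `guardrail` context key are constructed assumptions, as is passing the Guardrails verdict to the policy as context.

```python
# Conceptual model of the gateway decision; not AgentCore, Cedar or Bedrock code.
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Request:
    principal: str                                # constructed agent identity
    tool: str                                     # gateway target being called
    context: dict = field(default_factory=dict)   # tool input + guardrail verdict (assumed shape)

@dataclass
class Policy:
    name: str
    effect: str                                   # "permit" or "forbid"
    matches: Callable[[Request], bool]

def decide(request, policies, audit_log):
    """Cedar-style semantics: a matching forbid wins; no matching permit means deny."""
    matched = [p for p in policies if p.matches(request)]
    forbids = [p.name for p in matched if p.effect == "forbid"]
    permits = [p.name for p in matched if p.effect == "permit"]
    decision = "ALLOW" if permits and not forbids else "DENY"
    # Every evaluation is recorded, allowed or denied, so it can be audited later.
    audit_log.append({"tool": request.tool, "decision": decision,
                      "reasons": forbids or permits or ["default-deny"]})
    return decision

# Constructed policy set for a hypothetical support agent.
POLICIES = [
    Policy("lookup", "permit",
           lambda r: r.principal == "support-agent" and r.tool == "lookup_order"),
    Policy("small-refund", "permit",
           lambda r: r.principal == "support-agent" and r.tool == "issue_refund"
           and isinstance(r.context.get("amount"), (int, float))
           and r.context["amount"] <= 100),
    # Fail closed: a missing verdict is treated the same as a blocked one.
    Policy("guardrail-block", "forbid",
           lambda r: r.context.get("guardrail") != "PASSED"),
]

def run_samples():
    audit_log = []
    samples = [  # constructed requests
        Request("support-agent", "lookup_order", {"guardrail": "PASSED"}),
        Request("support-agent", "issue_refund", {"amount": 40, "guardrail": "PASSED"}),
        Request("support-agent", "issue_refund", {"amount": 5000, "guardrail": "PASSED"}),
        Request("support-agent", "delete_account", {"guardrail": "PASSED"}),
        Request("support-agent", "lookup_order", {"guardrail": "BLOCKED"}),
        Request("support-agent", "lookup_order", {}),
    ]
    return [decide(r, POLICIES, audit_log) for r in samples], audit_log
```

The last two samples show the point of combining the two controls: a tool call that authorization alone would permit is still denied when the guardrail verdict is blocked or absent.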

The processing flow looks something like this.

Supported Regions

This feature is available in the following 5 regions.

  • US East (N. Virginia)
  • Europe (London)
  • Europe (Stockholm)
  • Asia Pacific (Sydney)
  • Asia Pacific (Tokyo)

Since the Asia Pacific (Tokyo) region is included, you can start testing immediately with domestic workloads.

Pricing Impact

Pricing is consumption-based for policy evaluation. Please check the official pricing page for detailed pricing information.

How to Use

If you have an existing AgentCore Gateway, you can start using the feature without building new infrastructure. Policies can be written directly in Cedar, or you can write them in natural language, then convert them to Cedar and validate them before applying. Evaluation results can be reviewed through AgentCore observability (integrated with CloudWatch metrics/logs) for auditing and tuning purposes.

Closing

Amazon Bedrock AgentCore Policy now supports Amazon Bedrock Guardrails, enabling real-time evaluation of agent actions and tool calls at the gateway boundary. A major advantage is the ability to consistently block risks such as prompt injection and sensitive information leakage from outside the agent's code.

For those considering deploying and scaling AI agents in production environments, why not explore leveraging this feature, which can be applied directly to your existing gateway?
