ALPHA - Autonomous Least-Privilege Hardening Agent

Architecture diagram

Inspiration

Every AWS developer has copy-pasted "Action": ["s3:*"] from Stack Overflow. It works, ships to prod, and suddenly your CI runner has admin access. 95% of IAM permissions are never used. Security teams spend weeks auditing policies while developers fear touching them. When AgentCore went GA days before this hackathon, we saw the opportunity: What if AI could analyze real usage and safely deploy least-privilege policies autonomously?

What it does

ALPHA analyzes CloudTrail activity, uses Bedrock AI to generate least-privilege policies, and safely deploys them:

CLI workflow (3 commands): alpha analyze --role-arn arn:aws:iam::123:role/MyRole --output proposal.json alpha propose --repo org/infra --branch harden/role --input proposal.json alpha apply --state-machine-arn --proposal proposal.json --canary 10

AgentCore Runtime (managed endpoints): uv run agentcore invoke '{"action":"analyze_fast_policy","roleArn":"...","usageDays":1}' uv run agentcore invoke '{"action":"enforce_policy_guardrails","policy":{...},"preset":"prod"}'

Key features:

Fast Mode (default): CloudTrail Event History → policies in seconds (perfect for CI/CD)
Analyzer Mode (optional): IAM Access Analyzer → resource-scoped policies (slower, precise)
Bedrock Reasoning: Claude Sonnet 4.5 or Nova Pro explains why each permission is needed, assesses risk
Guardrails: Hard constraints that block wildcards, enforce region conditions—can't be bypassed
Multi-format outputs: JSON, CloudFormation, Terraform—paste directly into IaC
Staged rollouts: Step Functions canary deploys → monitors errors → auto-rollback
AgentCore Runtime: Production endpoints via agentcore_entrypoint.py for managed deployment

Exit codes gate CI: 0 = safe, 1 = error, 2 = risky, 3 = guardrail violation.

How we built it

Day 1: Dual-Path Architecture IAM Access Analyzer takes 30+ seconds per job. For CI pipelines and demos, that's unacceptable. We built:

Fast collector: CloudTrail Event History → best-effort policies in seconds (default)
Analyzer collector: Access Analyzer → resource-scoped (opt-in with --no-fast)

Tech stack:

Python 3.11 + Poetry
Amazon Bedrock AgentCore Runtime with entrypoint at agentcore_entrypoint.py
Bedrock (provider-aware for Claude/Nova) with graceful fallback
Pydantic v2 for schemas (PolicyDocument, PolicyProposal, PolicyDiff)
Click for CLI
Step Functions + Lambda for rollouts
AWS CDK for infrastructure

AgentCore Integration:

Runtime entrypoint (agentcore_entrypoint.py): Single-file deployment with action dispatch
- analyze_fast_policy: CloudTrail → best-effort policy
- enforce_policy_guardrails: Sanitize policy + return violations
Starter Toolkit deployment: uv run agentcore configure → launch → instant managed endpoints
Tools library (agentcore.py): Full orchestration for broader workflows

Day 2: Guardrails & Outputs Three guardrail presets (none/sandbox/prod) enforce org constraints after Bedrock reasoning. Built exporters for JSON, CFN YAML, Terraform HCL, and GitHub PR markdown with privilege reduction metrics.

Day 3: Polish & Production Readiness

Bedrock model switching (Claude ↔ Nova via ALPHA_BEDROCK_MODEL_ID)
AgentCore Runtime testing with Starter Toolkit
Timeout controls, comprehensive error handling
Test suite (test_judge_mode.sh) for CI validation

Challenges we ran into

Access Analyzer latency: Jobs take 30–120s. Solution: dual-path with fast mode default.

Bedrock provider differences: Anthropic uses messages, Nova uses prompt. Built provider detection + graceful fallback when Bedrock unavailable.

CloudTrail mapping: eventName doesn't map 1:1 to IAM actions (e.g., ConsoleLogin → sts:GetCallerIdentity). Built best-effort mapper for 90%+ of cases.

AI reasoning vs. safety: Bedrock occasionally suggests risky permissions. Guardrails run post-reasoning and strip violations with exit code 3.

AgentCore entrypoint design: Had to design a single-file entrypoint that balances simplicity (easy deployment) with functionality (multiple actions). Settled on action dispatch pattern that's production-ready yet hackathon-demo-friendly.

Accomplishments that we're proud of

✅ Production-ready CLI + AgentCore Runtime—not a toy ✅ Fast mode: seconds, not minutes ✅ Explainable AI: Bedrock adds rationale + risk scores ✅ Multi-format outputs: CFN/TF ready to merge ✅ Unbypassable guardrails: exit codes block bad changes ✅ Real AgentCore integration: Managed Runtime endpoints via Starter Toolkit ✅ Dual deployment models: CLI for developers, AgentCore for managed agents ✅ Comprehensive tests: passes CI without credentials

What we learned

Fast feedback beats perfection. Developers accept Resource: "*" for instant results; Analyzer mode exists when they need precision.

AI + constraints = trust. Bedrock reasoning is powerful, but guardrails enforce org policy. Exit codes make this trustworthy in CI.

AgentCore Runtime is production-grade. The Starter Toolkit (uv run agentcore configure/launch/invoke) turned our code into managed endpoints in minutes—judges evaluating "Best AgentCore Implementation" will see real deployment, not mocks.

Single entrypoint, multiple actions. The agentcore_entrypoint.py pattern (action dispatch) balances simplicity with extensibility—easy to demo, easy to extend.

Exit codes are the universal API. Any CI system understands if: failure().

What's next for ALPHA

Near-term: