How to deploy Microsoft’s Agent Governance Toolkit on ECS/Fargate and govern your Bedrock agents
I’m going to say something that might surprise you: Microsoft’s best open-source security toolkit runs perfectly on AWS. No Azure subscription. No vendor lock-in. Just pip install and go.
The Agent Governance Toolkit (AGT) is an MIT-licensed runtime governance layer for AI agents. It intercepts every tool call, API request, and inter-agent message before execution — enforcing policies at sub-millisecond latency. It covers all 10 OWASP Agentic AI risks, and it works with LangChain , CrewAI , AutoGen , Bedrock agents, and anything else you’re building on AWS.
Here’s how to get it running on your AWS infrastructure in under 30 minutes.
Why You Need This
If you’re running AI agents on Bedrock, Lambda, or ECS, you probably already know the problem:
- Unpredictable Tool Calls: Your agents can call tools or parameters you didn’t anticipate.
- Invisible Audit Trails: There’s no deterministic record of what actions agents took and why.
- Least-Privilege Enforcement: You can’t easily prove to your CISO that agents follow security best practices.
- Compliance Deadlines: The EU AI Act (August 2026) requires demonstrable human oversight and risk management for high-risk AI systems.
AGT solves this by placing a deterministic safety kernel between agent “thought” and system “action.” Everything gets logged, dangerous actions get blocked, and your compliance team gets the evidence they need.
Architecture
┌─────────────────────────────────────────────┐
│ Your AWS Account │
│ │
│ ┌──────────┐ ┌──────────────────────┐ │
│ │ Bedrock │───▶│ AGT Policy Engine │ │
│ │ Agent │ │ (ECS/Fargate) │ │
│ └──────────┘ │ │ │
│ │ ✓ Policy check │ │
│ ┌──────────┐ │ ✓ Identity verify │ │
│ │ Lambda │───▶│ ✓ Audit log │ │
│ │ Agent │ │ ✓ Rate limit │ │
│ └──────────┘ └──────────┬───────────┘ │
│ │ │
│ ┌────────▼────────┐ │
│ │ CloudWatch / │ │
│ │ S3 Audit Logs │ │
│ └─────────────────┘ │
└─────────────────────────────────────────────┘
Zero Azure dependencies. Pure Python containers.
Step 1: The 3-Line Quick Start
Before we containerize, let’s prove it works locally:
pip install agent-os-kernel
from agent_os.lite import govern
# One line: define what's allowed and what's blocked
check = govern(
allow=["web_search", "read_file", "query_database"],
deny=["execute_code", "delete_file", "ssh_connect"],
)
# One line: check any agent action
check("web_search") # ✅ Allowed
check("execute_code") # 💥 GovernanceViolation raised
check.is_allowed("delete_file") # False (non-raising)
That’s it. Three lines. Sub-millisecond. No complex YAML, no config files, no trust mesh. Just a fast allow/deny gate.
Step 2: Create the Dockerfile
FROM python:3.12-slim
WORKDIR /app
# Install AGT
RUN pip install --no-cache-dir agent-os-kernel[full]
# Copy your policies and agent code
COPY policies/ ./policies/
COPY app.py .
CMD ["python", "app.py"]
Step 3: Write Your Governed Agent
Here’s a real agent wrapper that works with any Bedrock model:
# app.py — Governed agent on AWS
import json
import boto3
from agent_os.lite import govern
# --- Governance setup ---
check = govern(
allow=["invoke_model", "read_s3", "query_dynamodb", "send_sns"],
deny=["delete_s3", "modify_iam", "execute_code", "create_ec2"],
blocked_content=[
r'\b\d{3}-\d{2}-\d{4}\b', # SSN
r'\b(?:\d[-]*?){13,16}\b', # Credit cards
],
max_calls=100,
log=True,
)
bedrock = boto3.client("bedrock-runtime", region_name="us-east-1")
def governed_invoke(action: str, payload: dict) -> dict:
"""Every action goes through governance first."""
# Check the action
check(action)
# Check the content for PII
content = json.dumps(payload)
if not check.is_allowed(action, content=content):
return {"error": "Blocked: content contains sensitive data"}
# Execute the actual action
if action == "invoke_model":
response = bedrock.invoke_model(
modelId=payload["model"],
body=json.dumps(payload["body"]),
)
return json.loads(response["body"].read())
return {"error": f"Unknown action: {action}"}
# --- Your agent loop ---
if __name__ == " __main__":
# This will work
result = governed_invoke("invoke_model", {
"model": "anthropic.claude-sonnet-4-20250514",
"body": {"prompt": "Summarize Q4 earnings"}
})
print(f"✅ Model response received")
# This will be blocked
try:
governed_invoke("delete_s3", {"bucket": "production-data"})
except Exception as e:
print(f"🚫 Blocked: {e}")
# Print governance stats
print(f"\n📊 {json.dumps(check.stats, indent=2)}")
Step 4: Deploy to ECS/Fargate
Create the ECR repository and push:
aws ecr create-repository --repository-name agt-governed-agent
aws ecr get-login-password | docker login --username AWS --password-stdin $ACCOUNT.dkr.ecr.us-east-1.amazonaws.com
docker build -t agt-governed-agent .
docker tag agt-governed-agent:latest $ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/agt-governed-agent:latest
docker push $ACCOUNT.dkr.ecr.us-east-1.amazonaws.com/agt-governed-agent:latest
ECS Task Definition:
{
"family": "agt-governed-agent",
"networkMode": "awsvpc",
"requiresCompatibilities": ["FARGATE"],
"cpu": "512",
"memory": "1024",
"containerDefinitions": [
{
"name": "governed-agent",
"image": "${ACCOUNT}.dkr.ecr.us-east-1.amazonaws.com/agt-governed-agent:latest",
"essential": true,
"environment": [
{"name": "AWS_DEFAULT_REGION", "value": "us-east-1"}
],
"logConfiguration": {
"logDriver": "awslogs",
"options": {
"awslogs-group": "/ecs/agt-governed-agent",
"awslogs-region": "us-east-1",
"awslogs-stream-prefix": "agt"
}
}
}
],
"executionRoleArn": "arn:aws:iam::${ACCOUNT}:role/ecsTaskExecutionRole"
}
Create the service:
aws ecs create-service \
--cluster default \
--service-name agt-governed-agent \
--task-definition agt-governed-agent \
--desired-count 1 \
--launch-type FARGATE \
--network-configuration "awsvpcConfiguration={subnets=[subnet-xxx],securityGroups=[sg-xxx],assignPublicIp=ENABLED}"
Your governed agent is now running on AWS. Every action is policy-checked and audit-logged.
Step 5: Production Policy (Optional Upgrade)
When you outgrow the 3-line govern() call, AGT has production-ready policy files:
# Copy the enterprise policy template
cp examples/policies/production/enterprise.yaml policies/
# Or for financial services:
cp examples/policies/production/financial.yaml policies/
These include action rules, content filters (PII/PCI), escalation triggers, and retention settings — all in YAML. No OPA or Rego required unless you want it.
Step 6: Ship Audit Logs to S3
AGT’s audit trail integrates with CloudWatch. For compliance archival:
# Send governance stats to CloudWatch
import boto3
cloudwatch = boto3.client("cloudwatch")
stats = check.stats
cloudwatch.put_metric_data(
Namespace="AGT/Governance",
MetricData=[
{"MetricName": "TotalDecisions", "Value": stats["total"], "Unit": "Count"},
{"MetricName": "Denied", "Value": stats["denied"], "Unit": "Count"},
]
)
What You Get
FAQ
Q: Does this need Azure?
No. Zero Azure dependencies. It’s a Python package that runs anywhere you can run Python.
Q: Does it slow down my agents?
No. Policy checks take 0.003ms on average. Your Bedrock API call takes 500–2000ms. The governance overhead is invisible.
Q: Can I use this with LangChain on AWS?
Yes. AGT works with LangChain, CrewAI, AutoGen, and any other Python agent framework.
Q: What about the full AGT stack (trust mesh, SRE, etc.)?
Start with agent_os.lite for basic governance. Add the full stack when you need cryptographic identity, lifecycle management, or execution sandboxing.
Links
The Agent Governance Toolkit is MIT-licensed. Star it on GitHub if it’s useful to your team.
Top comments (0)