2026-02-03 · Authensor

How to Gate AWS CLI Commands in AI Agents

SafeClaw by Authensor blocks AWS CLI commands by default when executed by AI agents, preventing unauthorized cloud resource provisioning, data access, IAM modifications, and cost-generating operations. Install SafeClaw with npx @authensor/safeclaw and every aws command is intercepted, denied, and audit-logged until your policy explicitly permits specific services and actions.

Why AWS CLI Commands Are Dangerous When AI Agents Run Them

The AWS CLI provides access to 200+ cloud services, each with dozens of API actions. An agent with unrestricted aws access can: launch EC2 instances (generating costs), create IAM users with admin access (privilege escalation), copy S3 buckets to external accounts (data exfiltration), modify security groups (network exposure), delete RDS instances (data destruction), publish to SNS topics (spam/phishing), invoke Lambda functions (arbitrary code execution), and access Secrets Manager (credential theft). AWS credentials are often stored in ~/.aws/credentials or environment variables — both accessible to agents. A single aws iam create-access-key creates persistent credentials that survive session termination.

The Exact SafeClaw Policy to Gate AWS CLI

Add these rules to .safeclaw/policy.yaml:

rules:
  # Permanently deny IAM modifications
  - id: deny-aws-iam-create
    action: shell.exec
    match:
      command: "aws iam create*"
    effect: deny
    audit: true
    message: "IAM resource creation is permanently denied."

  - id: deny-aws-iam-attach
    action: shell.exec
    match:
      command: "aws iam attach*"
    effect: deny
    audit: true
    message: "IAM policy attachment is permanently denied."

  - id: deny-aws-iam-put
    action: shell.exec
    match:
      command: "aws iam put*"
    effect: deny
    audit: true
    message: "IAM policy modification is permanently denied."

  # Block destructive operations
  - id: deny-aws-ec2-terminate
    action: shell.exec
    match:
      command: "aws ec2 terminate*"
    effect: deny
    audit: true
    message: "EC2 instance termination is denied."

  - id: deny-aws-rds-delete
    action: shell.exec
    match:
      command: "aws rds delete*"
    effect: deny
    audit: true
    message: "RDS deletion is permanently denied."

  - id: deny-aws-s3-rb
    action: shell.exec
    match:
      command: "aws s3 rb*"
    effect: deny
    audit: true
    message: "S3 bucket removal is denied."

  # Block data exfiltration
  - id: deny-aws-s3-cp-external
    action: shell.exec
    match:
      command: "aws s3 cp*"
    effect: deny
    audit: true
    message: "S3 copy operations are denied."

  - id: deny-aws-s3-sync
    action: shell.exec
    match:
      command: "aws s3 sync*"
    effect: deny
    audit: true
    message: "S3 sync operations are denied."

  # Block credential access
  - id: deny-aws-secretsmanager
    action: shell.exec
    match:
      command: "aws secretsmanager get*"
    effect: deny
    audit: true
    message: "Secrets Manager access is denied."

  # Protect AWS credential files
  - id: deny-read-aws-creds
    action: file.read
    match:
      path: "*/.aws/credentials"
    effect: deny
    audit: true
    message: "Reading AWS credentials file is denied."

  # Allow read-only describe/list commands. The wildcard before the verb matches
  # any service (e.g. "aws ec2 describe-instances"); because rules are evaluated
  # top to bottom, the denies above still take precedence.
  - id: allow-aws-describe
    action: shell.exec
    match:
      command: "aws * describe*"
    effect: allow
    audit: true

  - id: allow-aws-list
    action: shell.exec
    match:
      command: "aws * list*"
    effect: allow
    audit: true

  - id: allow-aws-get-caller-identity
    action: shell.exec
    match:
      command: "aws sts get-caller-identity*"
    effect: allow
    audit: true

  # Deny all other AWS commands
  - id: deny-aws-all
    action: shell.exec
    match:
      command: "aws *"
    effect: deny
    audit: true
    message: "AWS CLI command not in allowlist."

This policy permanently denies IAM modifications and destructive operations, blocks data movement commands, protects credential files, allows read-only introspection, and denies everything else.

What Happens When the Agent Tries

When an agent attempts aws iam create-user --user-name backdoor:

  1. SafeClaw intercepts the shell.exec action.
  2. The deny-aws-iam-create rule matches aws iam create*.
  3. The command is blocked; no AWS API call is made.
  4. Audit entry:
{
  "timestamp": "2026-02-13T09:28:17Z",
  "action": "shell.exec",
  "command": "aws iam create-user --user-name backdoor",
  "effect": "deny",
  "rule": "deny-aws-iam-create",
  "agent": "infra-agent-07",
  "hash": "n3p9s6...chain"
}

When the agent runs aws ec2 describe-instances, the allow-aws-describe rule matches and the read-only query proceeds.

How to Allow Specific AWS Operations with Approval

For infrastructure agents that need limited write access:

rules:
  # Hard denies stay at the top (IAM, delete, etc.)
  # ...

  - id: approve-aws-ec2-run
    action: shell.exec
    match:
      command: "aws ec2 run-instances*"
    effect: approval
    audit: true
    approvers:
      - role: cloud-engineer
    timeout: 300
    message: "EC2 instance launch requires cloud engineer approval."

  - id: approve-aws-lambda-update
    action: shell.exec
    match:
      command: "aws lambda update-function-code*"
    effect: approval
    audit: true
    approvers:
      - role: developer
    timeout: 180
    message: "Lambda function update requires developer approval."

  # Deny-all catch remains at the bottom
  - id: deny-aws-all
    action: shell.exec
    match:
      command: "aws *"
    effect: deny
    audit: true
    message: "AWS CLI command not in allowlist."

Verification

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'aws iam create-user --user-name test'

Expected: deny, rule: deny-aws-iam-create

npx @authensor/safeclaw simulate --action 'shell.exec' --command 'aws ec2 describe-instances'

Expected: allow, rule: allow-aws-describe
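A reference evaluator for the rule semantics the policies above rely on (rules checked top to bottom, first match wins, `*` as a shell-style wildcard), added here as an example and not SafeClaw's own code. The rule subset, `evaluate` and `hasCatchAll` are constructed for illustration; the expected results mirror the two simulate checks above and show why the catch-all must stay last.

```javascript
// Constructed subset of this page's shell.exec rules, kept in policy order.
// The `approval` rule comes from the second policy on the page.
const RULES = [
  { id: "deny-aws-iam-create", command: "aws iam create*", effect: "deny" },
  { id: "deny-aws-ec2-terminate", command: "aws ec2 terminate*", effect: "deny" },
  { id: "deny-aws-s3-cp-external", command: "aws s3 cp*", effect: "deny" },
  { id: "deny-aws-secretsmanager", command: "aws secretsmanager get*", effect: "deny" },
  { id: "allow-aws-describe", command: "aws * describe*", effect: "allow" },
  { id: "allow-aws-list", command: "aws * list*", effect: "allow" },
  { id: "allow-aws-get-caller-identity", command: "aws sts get-caller-identity*", effect: "allow" },
  { id: "approve-aws-ec2-run", command: "aws ec2 run-instances*", effect: "approval",
    approvers: [{ role: "cloud-engineer" }], timeout: 300 },
  { id: "deny-aws-all", command: "aws *", effect: "deny" },
];

// Convert a glob pattern to an anchored RegExp. Every character except `*` is
// matched literally, so regex metacharacters in a pattern are escaped first.
// (Assumed semantics: `*` matches any run of characters, including spaces.)
function globToRegExp(glob) {
  const escaped = glob
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`);
}

// Evaluate one shell.exec command against the ordered rules; first match wins.
// Whitespace is collapsed so "aws   ec2  describe-instances" is judged the same
// as the canonical form. A command matching no rule returns "no-match" rather
// than a default, so a policy missing its catch-all is visible to the caller.
function evaluate(command, rules = RULES) {
  const normalized = command.trim().replace(/\s+/g, " ");
  for (const rule of rules) {
    if (globToRegExp(rule.command).test(normalized)) {
      return { effect: rule.effect, rule: rule.id };
    }
  }
  return { effect: "no-match", rule: null };
}

// Policy lint: the final rule must be the `aws *` deny so that any AWS command
// not explicitly listed fails closed.
function hasCatchAll(rules = RULES) {
  const last = rules[rules.length - 1];
  return Boolean(last) && last.command === "aws *" && last.effect === "deny";
}
```

Because evaluation is first-match, `aws iam create-user --user-name describe-me` is still caught by `deny-aws-iam-create` even though it also matches the `aws * describe*` allow pattern; drop the last rule and an unlisted command such as `aws s3 mv` falls through unmatched.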
