{"id":28973,"date":"2026-05-06T04:46:01","date_gmt":"2026-05-06T04:46:01","guid":{"rendered":"https:\/\/www.europesays.com\/ai\/28973\/"},"modified":"2026-05-06T04:46:01","modified_gmt":"2026-05-06T04:46:01","slug":"aws-open-sources-trusted-remote-execution-to-control-what-ai-agents-touch","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ai\/28973\/","title":{"rendered":"AWS open sources Trusted Remote Execution to control what AI agents touch"},"content":{"rendered":"

Production scripts that read a log file generally hold the same permissions as scripts that delete one. The execution context decides what gets touched, and that gap widens once an AI agent<\/a> is the one writing the script at runtime. Code review and approval workflows offer little help when the code did not exist a second ago.<\/p>\n

Amazon Web Services has released Trusted Remote Execution, or Rex, an open source runtime that ties every system operation to a Cedar authorization policy.<\/p>\n

Scripts in Rhai, policies in Cedar<\/p>\n

Rex pairs two pieces of technology. Scripts are written in Rhai, a lightweight embedded scripting language with no built-in access to the host operating system. Authorization is handled by Cedar, the open source policy language Amazon released in 2023.<\/p>\n

Every file open, network call, process signal, or system query passes through Rex\u2019s purpose-built SDK, and each operation is checked against the policy before the underlying system call runs. If the policy denies an action, the script receives an error and the operation never reaches the kernel.<\/p>\n

Designed with AI agents in mind<\/p>\n

The agent use case is central to the project. Most agentic sandboxes work by constraining the agent. Rex constrains what any agent can do to the host, regardless of what the agent generates or requests. A script produced by hallucination, prompt injection, or an overly broad task interpretation will receive an ACCESS_DENIED_EXCEPTION that the agent can observe and reason about, leaving the host untouched.<\/p>\n

This makes it practical to give agents operational access to systems for tasks like reading logs, inspecting configurations, and restarting services, with the host owner retaining hard limits on what is reachable.<\/p>\n

\"Trusted<\/p>\n

Rex is organized into layers: a Rhai Script Engine for sandboxed execution, Cedar Authorization that gates every call, and an SDK that bridges scripts to system operations (Source: AWS)<\/p>\n

What ships in the repository<\/p>\n

The codebase is organized into three layers. The core crates contain the Cedar authorization engine, the script runner, structured logging, metrics, and a registrar that wires Rust functions into the Rhai engine.<\/p>\n

A Rust SDK provides safe wrappers for file and directory work, networking (including tools like nc, nslookup, dig, and curl), process management with systemctl support, system information queries, and disk statistics. A matching Rhai SDK exposes those operations to scripts, with HTTP and DNS bindings layered on top.<\/p>\n

The implementation also addresses time-of-check to time-of-use vulnerabilities by using file descriptors in place of paths where possible, reducing exposure to symlink races.<\/p>\n

Trusted Remote Execution is available for free on GitHub<\/a>.<\/p>\n

<\/p>\n

Must read:<\/p>\n

<\/p>\n

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!<\/a><\/p>\n

<\/p>\n","protected":false},"excerpt":{"rendered":"Production scripts that read a log file generally hold the same permissions as scripts that delete one. The…\n","protected":false},"author":2,"featured_media":28974,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[405,7537,322,313,3282,335,136],"class_list":{"0":"post-28973","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-agentic-ai","8":"tag-ai-agents","9":"tag-artificial-intelligence-agents","10":"tag-aws","11":"tag-cybersecurity","12":"tag-github","13":"tag-open-source","14":"tag-software"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/28973","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/comments?post=28973"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/posts\/28973\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media\/28974"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/media?parent=28973"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/categories?post=28973"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/ai\/wp-json\/wp\/v2\/tags?post=28973"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}