🛡️Blocking Bedrock Agents and Flows Using AWS Service Control Policies (SCPs)

Implementing strong governance and security controls is essential as organizations embrace Amazon Bedrock for Generative AI. This comprehensive guide explains how to use Service Control Policies (SCPs)—a feature of AWS Organizations—to centrally block access to Amazon Bedrock Agents and Bedrock Agent Core (Flows) across your entire organization.

What You’re Blocking: Bedrock Agents and Flows

Amazon Bedrock Agents: These are intelligent assistants that autonomously break down tasks, interact with company systems via API integrations, and process information. While powerful, organizations often need to restrict their use for security compliance, cost management, or a phased AI adoption strategy.
Bedrock Agent Core (Flows): This includes Prompt Flows and Prompt Management, allowing developers to chain multiple foundation model invocations to create complex AI workflows. Blocking this ensures standardized AI patterns and control over development.

🛑 Why Use SCPs to Block Bedrock Agents?

Using an SCP is the most effective way to enforce non-negotiable guardrails at the organizational level.

Common Use Case	Benefit of Blocking with SCP
Compliance & Regulatory	Prevents autonomous operations until proper audit trails and approval processes are in place.
Cost Control	Protects against unexpected charges from automated API calls and extended reasoning chains during pilot phases.
Security Posture	Restricts capabilities that can make autonomous decisions or access external systems until security reviews are complete.
Phased Adoption	Ensures the enterprise starts with basic model inference before enabling advanced features like autonomous agents.

Understanding AWS Service Control Policies (SCPs)

SCPs are a powerful feature of AWS Organizations that define the maximum available permissions for all accounts and principals (including the root user) within your organization.

Guardrail Mechanism: SCPs act as a filter. They do not grant permissions; they only restrict what actions an IAM policy can ultimately allow. The effective permission is the intersection of the SCP and the IAM policy.
Organizational Scope: A single SCP can enforce a restriction across hundreds of AWS accounts simultaneously by attaching it to an Organizational Unit (OU) or the root of the organization.

📝 Creating the Comprehensive Bedrock Agent Blocking SCP

The complete policy requires explicitly denying actions across the Bedrock control plane, agent runtime, and flow orchestration namespaces.

Step 1: Identify Key Actions to Block

You must block actions from four service areas to ensure a full block:

Agent Lifecycle Management (e.g., CreateAgent, DeleteAgent, UpdateAgent).
Agent Runtime Operations (e.g., InvokeAgent, Retrieve, RetrieveAndGenerate).
Flow Lifecycle Management (e.g., CreateFlow, UpdateFlow, PrepareFlow).
Flow Runtime Operations (e.g., InvokeFlow).

Step 2: The Complete SCP JSON Policy

Use a single Deny effect policy with descriptive Statement IDs (Sids) for clarity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBedrockAgents",
      "Effect": "Deny",
      "Action": [
        "bedrock:CreateAgent",
        "bedrock:UpdateAgent",
        "bedrock:DeleteAgent",
        "bedrock:GetAgent",
        "bedrock:ListAgents",
        "bedrock:PrepareAgent",
        "bedrock:CreateAgentActionGroup",
        "bedrock:UpdateAgentActionGroup",
        "bedrock:DeleteAgentActionGroup",
        "bedrock:GetAgentActionGroup",
        "bedrock:ListAgentActionGroups",
        "bedrock:CreateAgentAlias",
        "bedrock:UpdateAgentAlias",
        "bedrock:DeleteAgentAlias",
        "bedrock:GetAgentAlias",
        "bedrock:ListAgentAliases",
        "bedrock:AssociateAgentKnowledgeBase",
        "bedrock:DisassociateAgentKnowledgeBase",
        "bedrock:GetAgentKnowledgeBase",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:UpdateAgentKnowledgeBase"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyBedrockAgentRuntime",
      "Effect": "Deny",
      "Action": [
        "bedrock-agent-runtime:InvokeAgent",
        "bedrock-agent-runtime:Retrieve",
        "bedrock-agent-runtime:RetrieveAndGenerate"
      ],
      "Resource": "*"
    },    
    {
      "Sid": "DenyBedrockFlowRuntime",
      "Effect": "Deny",
      "Action": [
        "bedrock-agent-runtime:InvokeFlow"
      ],
      "Resource": "*"
    }
  ]
}

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBedrockAgents",
      "Effect": "Deny",
      "Action": [
        "bedrock:CreateAgent",
        "bedrock:UpdateAgent",
        "bedrock:DeleteAgent",
        "bedrock:GetAgent",
        "bedrock:ListAgents",
        "bedrock:PrepareAgent",
        "bedrock:CreateAgentActionGroup",
        "bedrock:UpdateAgentActionGroup",
        "bedrock:DeleteAgentActionGroup",
        "bedrock:GetAgentActionGroup",
        "bedrock:ListAgentActionGroups",
        "bedrock:CreateAgentAlias",
        "bedrock:UpdateAgentAlias",
        "bedrock:DeleteAgentAlias",
        "bedrock:GetAgentAlias",
        "bedrock:ListAgentAliases",
        "bedrock:AssociateAgentKnowledgeBase",
        "bedrock:DisassociateAgentKnowledgeBase",
        "bedrock:GetAgentKnowledgeBase",
        "bedrock:ListAgentKnowledgeBases",
        "bedrock:UpdateAgentKnowledgeBase"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyBedrockAgentRuntime",
      "Effect": "Deny",
      "Action": [
        "bedrock-agent-runtime:InvokeAgent",
        "bedrock-agent-runtime:Retrieve",
        "bedrock-agent-runtime:RetrieveAndGenerate"
      ],
      "Resource": "*"
    },    
    {
      "Sid": "DenyBedrockFlowRuntime",
      "Effect": "Deny",
      "Action": [
        "bedrock-agent-runtime:InvokeFlow"
      ],
      "Resource": "*"
    }
  ]
}

🚀 Implementation and Validation Guide

Prerequisites: Ensure AWS Organizations is enabled, and you have administrative access to the Management Account.
Policy Creation: In the AWS Organizations console, navigate to Service control policies, and create a new policy. Name it descriptively (e.g., Deny-Bedrock-Agents-and-Flows).
Attachment: Attach the SCP to the target Organizational Units (OUs) or individual accounts. Remember: attaching it to an OU applies it to all accounts within that OU.
Testing and Validation:
- Test in a sandbox environment first.
- Attempt to run the aws bedrock create-agent command in a restricted account. You should receive an AccessDenied error.
- Monitor AWS CloudTrail logs for AccessDenied events to confirm the policy is working as expected.

What the SCP DOES NOT Block

This policy is targeted. It preserves core Bedrock functionality, allowing organizations to still benefit from foundation models:

Core Inference: bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream remain accessible.
Governance Features: Guardrails for Amazon Bedrock and model customization (fine-tuning) continue to function.
Data Sources: Knowledge Bases for Amazon Bedrock remain available unless explicitly blocked.

What You’re Blocking: Bedrock Agents and Flows

Amazon Bedrock Agents: These are intelligent assistants that autonomously break down tasks, interact with company systems via API integrations, and process information. While powerful, organizations often need to restrict their use for security compliance, cost management, or a phased AI adoption strategy.
Bedrock Agent Core (Flows): This includes Prompt Flows and Prompt Management, allowing developers to chain multiple foundation model invocations to create complex AI workflows. Blocking this ensures standardized AI patterns and control over development.

🛑 Why Use SCPs to Block Bedrock Agents?

Using an SCP is the most effective way to enforce non-negotiable guardrails at the organizational level.

Common Use Case	Benefit of Blocking with SCP
Compliance & Regulatory	Prevents autonomous operations until proper audit trails and approval processes are in place.
Cost Control	Protects against unexpected charges from automated API calls and extended reasoning chains during pilot phases.
Security Posture	Restricts capabilities that can make autonomous decisions or access external systems until security reviews are complete.
Phased Adoption	Ensures the enterprise starts with basic model inference before enabling advanced features like autonomous agents.