惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

The Cloudflare Blog
U
Unit 42
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
腾讯CDC
罗磊的独立博客
博客园 - 聂微东
博客园_首页
雷峰网
雷峰网
云风的 BLOG
云风的 BLOG
Jina AI
Jina AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
D
DataBreaches.Net
The GitHub Blog
The GitHub Blog
人人都是产品经理
人人都是产品经理
Y
Y Combinator Blog
量子位
Microsoft Azure Blog
Microsoft Azure Blog
阮一峰的网络日志
阮一峰的网络日志
小众软件
小众软件
月光博客
月光博客
T
The Exploit Database - CXSecurity.com
Google DeepMind News
Google DeepMind News
H
Help Net Security
O
OpenAI News
Blog — PlanetScale
Blog — PlanetScale
S
Security Affairs
S
Security @ Cisco Blogs
Microsoft Security Blog
Microsoft Security Blog
T
The Blog of Author Tim Ferriss
AI
AI
MongoDB | Blog
MongoDB | Blog
G
Google Developers Blog
MyScale Blog
MyScale Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
D
Docker
Hugging Face - Blog
Hugging Face - Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Schneier on Security
Cloudbric
Cloudbric
H
Heimdal Security Blog
J
Java Code Geeks
N
News and Events Feed by Topic
Hacker News - Newest:
Hacker News - Newest: "LLM"
宝玉的分享
宝玉的分享
有赞技术团队
有赞技术团队
S
SegmentFault 最新的问题
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
爱范儿
爱范儿
I
Intezer
GbyAI
GbyAI

AWS Open Source Blog

Open Protocols with the Strands Agents SDK | Amazon Web Services Building secure AI agents at scale: Introducing Loom for AWS | Amazon Web Services Introducing MCP server for Registry of Open Data on AWS | Amazon Web Services Building a Stateful IT Service Desk Agent with LangGraph on Amazon EKS | Amazon Web Services Open Governance for MySQL: A Step Forward for the Community | Amazon Web Services Governing AI Assets at Scale with MCP Gateway and Registry | Amazon Web Services Decoupling Authorization at Scale: MongoDB Atlas and Cedar-Based Resource Policies | Amazon Web Services Deploying cloud-based engineering workbenches with the Virtual Engineering Workbench on AWS | Amazon Web Services OCSF Achieves ITU Support: Powering AI-Ready Security Operations | Amazon Web Services AWS and Others Invest $12.5M to Defend the Open Source Ecosystem from AI Threats | Amazon Web Services Introducing Strands Labs: Get hands-on today with state-of-the-art, experimental approaches to agentic development | Amazon Web Services Cedar Joins CNCF as a Sandbox Project | Amazon Web Services Building intelligent physical AI: From edge to cloud with Strands Agents, Bedrock AgentCore, Claude 4.5, NVIDIA GR00T, and Hugging Face LeRobot | Amazon Web Services Shaping the future of MCP: AWS’s commitment and vision | Amazon Web Services Introducing Strands Agent SOPs – Natural Language Workflows for AI Agents | Amazon Web Services Announcing ml-container-creator for easy BYOC on SageMaker | Amazon Web Services The Swift AWS Lambda Runtime moves to AWSLabs | Amazon Web Services Jupyter Deploy: Create a JupyterLab application with real-time collaboration in the cloud in minutes | Amazon Web Services Introducing CLI Agent Orchestrator: Transforming Developer CLI Tools into a Multi-Agent Powerhouse | Amazon Web Services Strands Agents and the Model-Driven Approach | Amazon Web Services AWS joins the DocumentDB project to build interoperable, open source document database technology | Amazon Web Services Open Protocols for Agent Interoperability Part 4: Inter-Agent Communication on A2A | Amazon Web Services Powering AI-Driven Security with the Open Cybersecurity Schema Framework | Amazon Web Services Introducing Strands Agents 1.0: Production-Ready Multi-Agent Orchestration Made Simple | Amazon Web Services Open Protocols for Agent Interoperability Part 3: Strands Agents & MCP | Amazon Web Services Open Protocols for Agent Interoperability Part 2: Authentication on MCP | Amazon Web Services Introducing AWS CDK Community Meetings | Amazon Web Services Secure your Express application APIs in 5 minutes with Cedar | Amazon Web Services
Introducing Trusted Remote Execution: Policy-Enforced Scripts for AI Agents and Humans | Amazon Web Services
cold-sandwic · 2026-05-05 · via AWS Open Source Blog

AWS Open Source Blog

Today, we’re announcing Trusted Remote Execution (Rex, for short) — an open source scripting runtime where every system operation is authorized by policy.

Scripts are written in Rhai, a lightweight language with no built-in system access. The only way to reach the host is through operations Rex explicitly provides, which are authorized against a Cedar policy upon invocation.

Our Journey

Running operations on production systems is a fact of life when managing software — reading logs, checking disk usage, restarting a service. The problem is that most script execution environments give a script whatever permissions the execution context has. A script intended to read a log file can just as easily delete one.

This gets worse with AI agents. When an agent generates and executes a script autonomously, there’s no human in the loop reviewing each system call. The usual safety nets — code review, approval workflows, allowlisted commands — don’t apply when the code is written at runtime.

We wanted a different model: one where an authorization policy — defined by the service owner, separate from the script — controls what the code is allowed to do at runtime. That’s what Trusted Remote Execution does.

How It Works

Trusted Remote Execution pairs every script with a Cedar policy. The script says what to do — the policy says what’s allowed. Every operation is checked against the policy before it runs.

When a script runs, the Rhai engine has no direct access to the host. The only way to reach the system is through Rex’s purpose-built SDK of operations — read, write, open, and so on — each of which evaluates the Cedar policy before performing the underlying system call. If the policy doesn’t permit the action, the script receives an error and the operation never executes.

Agentic Operations: A Case Study

Most agentic sandboxes constrain the agent. Rex constrains what the agent can do to the host — giving the host owner full control over which operations are permitted, regardless of what the agent requests.

If an agent generates a script that exceeds the policy — from hallucination, prompt injection, or an overly eager interpretation of the task — it receives a clear ACCESS_DENIED_EXCEPTION rather than causing unintended side effects. The agent can observe this, reason about it, and adjust.

This makes it practical to give agents real operational access — reading logs, inspecting configurations, restarting services — while keeping a hard boundary around what they can touch. The policy creates a contract between the service owner and the agent, and Rex enforces it.

Want to learn how to enable agents to safely interface with your systems? See how to pair Rex with IAM and SSM.

Getting Started

Rex runs on Linux and macOS. You’ll need Rust installed — if you don’t have it yet, see rustup.rs.

Install rex-runner via Cargo:

cargo install rex-runner

Create a policy:

cat > policy.cedar << 'EOF'
permit(
    principal,
    action in [
        file_system::Action::"open",
        file_system::Action::"read",

        // Uncomment to allow the write command:
        //file_system::Action::"create",
        //file_system::Action::"write",
    ],
    resource
);
EOF

Create a script that writes a file, then reads it back and returns it as the script output:

cat > script.rhai << 'EOF'
write("/tmp/hello.txt", "Hello from Rex!");
cat("/tmp/hello.txt")
EOF

Run it:

rex-runner \
  --script-file script.rhai \
  --policy-file policy.cedar \
  --output-format human

The write fails because write and create are not in the policy:

error: Permission denied:
  file_system::Action::"create" on /tmp/hello.txt

Uncomment create and write in policy.cedar and run again — the script completes and prints Hello from Rex!. The script didn’t change; only the policy did.

For the full setup guide and more examples, visit the Getting Started guide or try the interactive playground.

Get Involved

Trusted Remote Execution is open source under the Apache 2.0 License. We’re excited to build in the open — contributions are welcome, whether that’s adding new SDK extensions, improving documentation, or sharing how you’re using it.