Enforce least-privilege authorization in multi-agent AI chains using Cedar
Summary
When multiple AI agents work together and delegate tasks to each other, an agent might gain more permissions than the original user intended, even with standard access controls in place. This post explains how to prevent this using Cedar, an open source authorization policy language, which enforces permissions at three levels: checking if an agent can use a tool, checking if one agent can delegate to another agent, and verifying the original human user still has permission for the entire chain of delegated tasks.
Solution / Mitigation
The source provides a reference implementation using a three-layer Cedar policy model deployed on AWS. The solution involves: (1) authenticating the user through an OIDC-compliant identity provider (Amazon Cognito with MFA) to obtain a signed JWT; (2) filtering requests through AWS WAF with CommonRuleSet, SQLiRuleSet, rate limiting, and body size constraints; (3) verifying JWT signatures via Amazon API Gateway; (4) using an MCP adapter Lambda function to extract verified claims from the token and map them to Cedar context attributes (role, MFA status, user ID, session ID, and authentication method); (5) cryptographically signing the user context with HMAC-SHA256 to prevent tampering; and (6) evaluating authorization through three sequential Cedar policy layers that check agent-to-tool trust scores and lifecycle stage, agent-to-agent delegation hop counts and task capabilities, and originating user role and MFA status.
Classification
Affected Vendors
Related Issues
Original source: https://aws.amazon.com/blogs/security/enforce-least-privilege-authorization-in-multi-agent-ai-chains-using-cedar/
First tracked: July 6, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 85%