feat: restrict trust permissions for non-readonly AWS operations in use_aws tool #2443
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…se_aws tool - Introduce new PermissionEvalResult::AskWithoutTrust evaluation type specifically for use_aws tool - Modify use_aws tool permission logic to return AskWithoutTrust for write/modify operations, preventing users from granting session-wide trust for potentially destructive AWS actions - Update ChatSession to track pending_tool_allows_trust flag and conditionally render acceptance prompts: - Show full [y/n/t] prompt with trust option for PermissionEvalResult::Ask - Show restricted [y/n] prompt without trust option for PermissionEvalResult::AskWithoutTrust - Ensure use_aws write operations (put-object, delete-*, create-*, etc.) always require per-action approval regardless of whether the tool is in the agent's allowed_tools list - Read-only use_aws operations (list-*, describe-*, get-*) continue to allow trust and session-wide approval - Add comprehensive test coverage for trusted vs untrusted use_aws tool behavior across read and write operations - Remove trust option handling when pending_tool_allows_trust is false to prevent 't' input from being processed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR introduces enhanced security controls for the
use_awstool by implementing a new permission evaluation type that restricts session-wide trust for potentially destructive AWS operations.Changes
Core Implementation
PermissionEvalResult::AskWithoutTrustto the permission evaluation systemuse_awstool to returnAskWithoutTrustfor write/modify operations, preventing users from accidentally granting session-wide trust for destructive AWS actionsChatSessionto conditionally render acceptance prompts based on permission type:Ask: Shows full[y/n/t]prompt with trust optionAskWithoutTrust: Shows restricted[y/n]prompt without trust optionSecurity Model
put-object,delete-*,create-*,update-*, etc.list-*,describe-*,get-*, etc.Technical Details
pending_tool_allows_trustflag to track permission level during tool executionMotivation
Previously, users could grant session-wide trust to the
use_awstool for any operation, including potentially destructive actions like deleting S3 buckets or terminating EC2 instances. This created a security risk where a single trust decision could lead to unintended destructive operations throughout the session.Testing
AskWithoutTrust)Allow)AskWithoutTrust)Allow)Impact
Example
Before: User could trust
use_awsonce and all subsequent AWS operations (including destructive ones) would execute without confirmation.After:
Screenshot:
