Open
Labels: enhancement (New feature or request)
Problem Statement
Description:
Currently, when deploying a graph architecture to Bedrock AgentCore, all agents must share a single AgentCore runtime. This limitation creates challenges for complex multi-agent systems that require isolation and granular access control.
Current Behavior:
- Graph architectures deploy to a single shared AgentCore runtime
- All agents within the graph share the same memory space
- All agents operate under the same IAM permissions
- No isolation between agents in the graph
Desired Behavior:
- Enable deployment of each agent in a graph to its own isolated AgentCore runtime
- Support independent memory isolation for each agent
- Allow specification of different IAM policies per agent
- Maintain inter-agent communication capabilities within the graph
Proposed Solution
No response
Use Case
- Security & Least Privilege: Different agents may require access to different AWS resources. For example:
  - Agent A needs read access to DynamoDB
  - Agent B needs write access to S3
  - Agent C requires Lambda invocation permissions

  Currently, all agents must share the union of all required permissions.
- Memory Isolation: Preventing state leakage between agents, especially when:
  - Processing sensitive data that should remain isolated
  - Running resource-intensive operations that could impact other agents
  - Handling different customer contexts that must remain separate
- Scalability: Independent scaling of individual agents based on their specific workload requirements
- Fault Isolation: Preventing failures in one agent from cascading to other agents in the graph
Alternative Solutions
No response
Additional Context
No response
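The least-privilege use case above, worked through as an added example that is not part of the original issue or the project's code: it builds the IAM policy a single shared runtime role would need (the union) beside one policy per agent, and lists what each agent holds under the shared role without needing it. The specific IAM actions chosen for "read", "write" and "invoke", the placeholder ARNs, and all function names are assumptions made for illustration.

```python
import json

# Constructed sample input: the three agents from the use case.
# Actions are one plausible reading of "read", "write" and "invoke";
# the account id and resource names in the ARNs are placeholders.
AGENT_NEEDS = {
    "agent_a": {"actions": ["dynamodb:GetItem", "dynamodb:Query"],
                "resource": "arn:aws:dynamodb:us-east-1:111122223333:table/EXAMPLE-TABLE"},
    "agent_b": {"actions": ["s3:PutObject"],
                "resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"},
    "agent_c": {"actions": ["lambda:InvokeFunction"],
                "resource": "arn:aws:lambda:us-east-1:111122223333:function:EXAMPLE-FN"},
}

def statement(need):
    """Turn one agent's need into an IAM Allow statement."""
    return {"Effect": "Allow", "Action": sorted(need["actions"]),
            "Resource": need["resource"]}

def per_agent_policies(needs):
    """Desired behavior: one policy document per agent, own statement only."""
    return {name: {"Version": "2012-10-17", "Statement": [statement(n)]}
            for name, n in needs.items()}

def shared_policy(needs):
    """Current behavior: the single runtime role carries every statement."""
    return {"Version": "2012-10-17",
            "Statement": [statement(n) for n in needs.values()]}

def grants(policy):
    """Flatten a policy document to a set of (action, resource) pairs."""
    return {(action, s["Resource"])
            for s in policy["Statement"] for action in s["Action"]}

def excess_under_shared_role(needs):
    """Per agent: grants held under the shared role that the agent never needs."""
    shared = grants(shared_policy(needs))
    return {name: sorted(shared - grants(policy))
            for name, policy in per_agent_policies(needs).items()}

if __name__ == "__main__":
    print(json.dumps(shared_policy(AGENT_NEEDS), indent=2))
    for agent, extra in excess_under_shared_role(AGENT_NEEDS).items():
        print(agent, "excess grants:", [action for action, _ in extra])
```

The excess list per agent is what a compromise or prompt-injected tool call in that one agent could reach under the shared role; with per-agent roles it is empty.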