Secure browser for AI agents: how AWS Bedrock uses Chrome policies
AWS Bedrock now restricts browser-based AI agents through Chrome enterprise security policies. A company can completely block agents from visiting certain sites.

AWS Bedrock AgentCore now supports Chrome enterprise security policies, allowing organizations to restrict AI agents' web access to specific domains and websites.
Why browser AI agents need protection
AI agents in the browser perform real business tasks: they research information on the internet, work with web applications, and interact with data. Without restrictions, such an agent can potentially access any website on the internet. For corporate security, this represents a serious risk.
An agent can, accidentally or as a result of a prompt injection attack, disclose confidential company data, get infected with malware from a fake website, or gain access to internal systems through an open browser. Previously, companies were cautious about browser agents in production — it was impossible to guarantee where the agent would browse and what it might accidentally reveal. AWS solves this problem with built-in support for Chrome Enterprise policies — the same access management system that has protected corporate employees in large networks for decades.
Now these same tools work for AI.
How restrictions work on Bedrock AgentCore
Chrome enterprise policies provide detailed control over browser behavior. For AI agents on Bedrock, this means:
- Whitelist of sites — the agent can only access specified domains and subdomains, everything else is blocked
- Blacklist — explicit prohibition of certain websites and services, everything else is allowed
- Protocol control — allow only HTTPS and prohibit insecure HTTP connections
- Certificate validation — support for custom root CA to work with company internal systems
- Logging and audit — see in logs which sites the agent visited and what actions it performed
Such control is ideal for enterprise: the company knows exactly where its agent can browse, and can quickly detect any anomalies.
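The whitelist and protocol-control items above can be checked before a policy is handed to the agent's browser. The following is an added example, not code from AWS or from the original article: it lints a Chrome managed-policy document that uses Chrome's `URLBlocklist` and `URLAllowlist` policy keys. The function name and the sample domains are constructed for illustration, and how the policy file is delivered to AgentCore is not shown.

```python
import json

# Constructed sample policies in Chrome's managed-policy JSON shape.
# WEAK shows three common mistakes; HARDENED is the corrected form.
WEAK = json.loads("""{
  "URLAllowlist": ["docs.aws.amazon.com", "http://intranet.example.com", "*"]
}""")
HARDENED = json.loads("""{
  "URLBlocklist": ["*"],
  "URLAllowlist": ["https://docs.aws.amazon.com", "https://aws.amazon.com"]
}""")


def lint_allowlist_policy(policy):
    """Return findings for a policy that is meant to run in allowlist mode."""
    findings = []
    blocklist = policy.get("URLBlocklist", [])
    allowlist = policy.get("URLAllowlist", [])

    # An allowlist only restricts the agent when everything else is blocked:
    # Chrome treats URLAllowlist as a set of exceptions to URLBlocklist.
    if "*" not in blocklist:
        findings.append("URLBlocklist lacks '*': sites outside the allowlist stay reachable")
    elif not allowlist:
        findings.append("everything is blocked and URLAllowlist is empty")

    for entry in allowlist:
        if entry == "*":
            findings.append("allowlist entry '*' re-opens every site")
        elif entry.startswith("http://"):
            findings.append(f"{entry}: plain HTTP is allowed")
        elif "://" not in entry:
            # A filter without a scheme matches every scheme, HTTP included.
            findings.append(f"{entry}: no scheme, so HTTP is allowed as well as HTTPS")
    return findings


if __name__ == "__main__":
    for name, policy in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name)
        for finding in lint_allowlist_policy(policy) or ["no findings"]:
            print("  -", finding)
```

A host entry without a leading dot also matches its subdomains in Chrome's filter format, so `https://aws.amazon.com` covers more than one host.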
Session recording and compliance verification
AWS demonstrates a session recording tool: a video record of all agent actions in the browser. This makes it possible to see in practice how policies work: when the browser rejects navigation to a prohibited site, a blocking error is visible. An example from the documentation: a browser agent is configured with a whitelist, so it can only research AWS Bedrock AgentCore documentation and related reference materials. If you try to force the agent to access another site through a prompt, the policy blocks the request and logs the attempt.
Custom certificates for internal systems
Many companies use their own certificate authority (CA) for HTTPS on internal systems, which is necessary to protect confidential information. AWS shows how an AI agent can work with such systems without getting certificate validation errors. AWS uses a public test website for demonstration, but in production a company can upload its own root certificate, and the agent will safely access internal resources.
What this means for enterprise
This is critical for mass deployment of AI agents in production. Previously, companies were afraid to run browser agents on real tasks — it was unclear where the agent could browse and what it might accidentally disclose. Now there is a complete guarantee: the agent cannot go beyond the boundaries set by security policies. It cannot access external websites, cannot disclose data through the internet, cannot get infected with malware. This makes AI agents safer and more ready for real enterprise deployment, where security and audit requirements are very high.