Amazon Bedrock Agents

Add a Lambda layer that screens action group invocations through the safety shield.

Step 1: Configure your Lambda

Store your API key in AWS Secrets Manager or as an environment variable on the Lambda:

aws lambda update-function-configuration \
  --function-name my-bedrock-action \
  --environment "Variables={A2A_API_KEY=a2a_your_key_here}"

Add requests as a Lambda layer or bundle it with your deployment package:

pip install requests -t ./package

Step 2: Add the safety layer

In your action group Lambda, screen the incoming action before executing it:

import os, json, requests

A2A_URL = "https://a2ainfrastructure.com/v1/evaluate"
API_KEY = os.environ["A2A_API_KEY"]

def screen_command(command):
    """Check command against safety shield. Raises on network or HTTP errors."""
    resp = requests.post(A2A_URL, json={
        "command": command,
        "context": {"agent": "bedrock", "runtime": "lambda"}
    }, headers={"Authorization": f"Bearer {API_KEY}"}, timeout=5)
    # Treat a non-2xx reply as a failure, not as a verdict
    resp.raise_for_status()
    return resp.json()

def lambda_handler(event, context):
    # Extract the action and parameters from Bedrock
    action = event["actionGroup"]
    api_path = event.get("apiPath", "")
    parameters = event.get("parameters", [])

    # Build command string from the action invocation
    param_str = " ".join(p["value"] for p in parameters)
    command = f"{api_path} {param_str}".strip()

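    # Screen through safety shield; fail closed if the shield cannot be reached
    try:
        result = screen_command(command)
    except (requests.RequestException, ValueError) as exc:
        result = {"allowed": False,
                  "reason": f"safety shield unavailable ({type(exc).__name__})"}

    # Only an explicit allowed == True lets the action run
    if result.get("allowed") is not True:
        return {
            "messageVersion": "1.0",
            "response": {
                "actionGroup": action,
                "apiPath": api_path,
                "responseBody": {"TEXT": {
                    "body": f"BLOCKED: {result.get('reason', 'no reason given')}"
                }}
            }
        }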

    # Proceed with actual action execution (execute_action is your own
    # business logic; it is not defined in this snippet)
    output = execute_action(api_path, parameters)
    return {
        "messageVersion": "1.0",
        "response": {
            "actionGroup": action,
            "apiPath": api_path,
            "responseBody": {"TEXT": {"body": json.dumps(output)}}
        }
    }
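
The handler above builds the screened string from event["parameters"] only, but Bedrock delivers the arguments of request-body actions (for example POST) under event["requestBody"], so those values would reach your action unscreened if it reads them. The following is an added example, not code from the original page or from A2A: it builds the command from both places and accepts only an explicit allowed: true. The helper names build_command and is_allowed and the sample event are hypothetical and constructed for illustration.

```python
def _values(props):
    """Yield string values from a Bedrock name/type/value list, skipping malformed items."""
    for p in props or []:
        if isinstance(p, dict) and p.get("value") is not None:
            yield str(p["value"])


def build_command(event):
    """Build the string to screen from every model-supplied value in the event."""
    parts = [event.get("apiPath", "")]
    parts.extend(_values(event.get("parameters")))
    # Request-body actions carry their arguments here, not in "parameters".
    content = (event.get("requestBody") or {}).get("content") or {}
    for media_type in sorted(content):
        parts.extend(_values((content[media_type] or {}).get("properties")))
    return " ".join(p for p in parts if p).strip()


def is_allowed(result):
    """Fail closed: only an explicit boolean True from the shield permits execution."""
    return isinstance(result, dict) and result.get("allowed") is True


# Constructed sample event (not captured from a real agent).
SAMPLE_EVENT = {
    "actionGroup": "ops",
    "apiPath": "/run",
    "httpMethod": "POST",
    "parameters": [{"name": "host", "type": "string", "value": "web-1"}],
    "requestBody": {"content": {"application/json": {"properties": [
        {"name": "cmd", "type": "string", "value": "rm -rf /"},
    ]}}},
}

if __name__ == "__main__":
    # The request-body value is part of what gets sent to the shield.
    print(build_command(SAMPLE_EVENT))
```

In lambda_handler, pass build_command(event) to screen_command and gate execution on is_allowed(result).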

Step 3: Verify

# Test locally with a sample event
python -c "
from handler import lambda_handler
event = {'actionGroup': 'ops', 'apiPath': '/run', 'parameters': [{'value': 'df -h'}]}
print(lambda_handler(event, None))  # action executes

event['parameters'] = [{'value': 'rm -rf /'}]
print(lambda_handler(event, None))  # BLOCKED
"
Gate 1 runs locally (free). Set A2A_API_KEY for Gate 2 + OCSF audit.