Agent Action Firewall Documentation

Security Best Practices

Guidelines for securing your Agent Action Firewall deployment and protecting your AI agents.

Defense in Depth

Multiple layers of security controls

Zero Trust

Verify every action, trust nothing

Full Auditability

Tamper-evident logging of all actions

Least Privilege

Minimal permissions for each agent

API Key Management

Key Rotation

Rotate API keys regularly and immediately if compromised:

  1. Generate a new key in Settings → API Keys
  2. Update your agent configuration with the new key
  3. Verify the agent works with the new key
  4. Revoke the old key

Key Storage

  • Never commit API keys to version control
  • Use environment variables or secrets managers (Vault, AWS Secrets Manager)
  • Restrict key access to only necessary services
  • Use separate keys for development, staging, and production

Key Scoping

Create dedicated keys for each agent with minimal permissions:

TypeScript
// Good: Dedicated key per agent
const orderAgent = new AgentFirewallClient({
  apiKey: process.env.ORDER_AGENT_KEY,
  agentId: 'order-processor',
});

const supportAgent = new AgentFirewallClient({
  apiKey: process.env.SUPPORT_AGENT_KEY,
  agentId: 'support-bot',
});

Policy Configuration

Default Deny

Start with a deny-all policy and explicitly allow needed operations:

Rego
package aaf.policies

import rego.v1

# Fires only when no other decision body matches
default decision := {"action": "deny", "reason": "No matching allow rule"}

# Explicitly allow specific operations
decision := {"action": "allow"} if {
  input.tool == "http_proxy"
  input.operation == "GET"
  url_allowed(input.params.url)
}

# A URL is allowed when it starts with one of the trusted prefixes.
# (A set rule of the form allowed_domains[url] { startswith(url, ...) } does
# not compile: url is never bound, so a function is used instead.)
url_allowed(url) if {
  some prefix in allowed_prefixes
  startswith(url, prefix)
}

allowed_prefixes := {"https://api.trusted.com/"}

Risk-Based Approvals

Require human approval for high-risk operations. Note that `not input.context.pre_approved` is also true when `input.context` is absent, so a request with no context fails closed into the approval path rather than bypassing it:

Rego
decision := {
  "action": "require_approval",
  "risk_level": "high",
  "reason": "Write operations require approval"
} if {
  input.operation in {"POST", "PUT", "DELETE"}
  not input.context.pre_approved
}

Rate Limiting

Limit how often an agent may act, so a runaway or hijacked agent cannot flood a connector. Because `decision` is a complete rule, OPA reports an evaluation conflict if this deny body and the allow body are both true for the same input; add `not rate_limit_exceeded(input.agent_id)` to the allow and require_approval rules so the rate-limit deny takes precedence:

Rego
# rate_limit_exceeded is assumed to be supplied by the firewall as a custom
# built-in; it is not a standard OPA function.
decision := {
  "action": "deny",
  "reason": "Rate limit exceeded"
} if {
  rate_limit_exceeded(input.agent_id)
}
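To make the interaction of the three rules concrete, here is an added TypeScript model of the same decision logic (it is not the firewall's policy engine, which evaluates the Rego above). It evaluates the rules in one fixed order, rate-limit deny, then approval, then allow, then default deny, which is what keeps overlapping rules from producing two answers. The names ActionInput, Decision, FixedWindowLimiter and decide, and the sample traffic, are illustrative.

```typescript
// Added example: a model of the decision rules, evaluated in fixed precedence.
// Not the product's own code; names and sample traffic are illustrative.

interface ActionInput {
  agent_id: string;
  tool: string;
  operation: string;
  params: { url?: string };
  context?: { pre_approved?: boolean };
}

interface Decision {
  action: 'allow' | 'deny' | 'require_approval';
  reason?: string;
  risk_level?: 'high';
}

const ALLOWED_PREFIXES = ['https://api.trusted.com/'];
const WRITE_OPS = new Set(['POST', 'PUT', 'DELETE']);

// Fixed-window counter per agent: at most `limit` actions per `windowMs`.
class FixedWindowLimiter {
  private readonly buckets = new Map<string, { start: number; count: number }>();
  private readonly limit: number;
  private readonly windowMs: number;

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Records one action and reports whether the agent is now over its limit.
  exceeded(agentId: string, now: number): boolean {
    const bucket = this.buckets.get(agentId);
    if (!bucket || now - bucket.start >= this.windowMs) {
      this.buckets.set(agentId, { start: now, count: 1 });
      return false;
    }
    bucket.count += 1;
    return bucket.count > this.limit;
  }
}

function urlAllowed(url: string | undefined): boolean {
  return url !== undefined && ALLOWED_PREFIXES.some((prefix) => url.startsWith(prefix));
}

// Precedence: rate-limit deny > require_approval > allow > default deny.
// One fixed order keeps overlapping rules (a rate-limited GET to an allowed
// URL, for instance) from producing two different decisions.
function decide(input: ActionInput, limiter: FixedWindowLimiter, now: number): Decision {
  if (limiter.exceeded(input.agent_id, now)) {
    return { action: 'deny', reason: 'Rate limit exceeded' };
  }
  if (WRITE_OPS.has(input.operation) && !input.context?.pre_approved) {
    return { action: 'require_approval', risk_level: 'high', reason: 'Write operations require approval' };
  }
  if (input.tool === 'http_proxy' && input.operation === 'GET' && urlAllowed(input.params.url)) {
    return { action: 'allow' };
  }
  // A pre-approved write still ends here: nothing allows it explicitly, and
  // under default deny every permitted path has to be spelled out.
  return { action: 'deny', reason: 'No matching allow rule' };
}

// Constructed sample traffic: four actions from one agent, limit 3 per minute.
function demo(): Decision[] {
  const limiter = new FixedWindowLimiter(3, 60_000);
  const base = { agent_id: 'order-processor', tool: 'http_proxy' };
  const t0 = Date.parse('2024-05-01T10:00:00Z');
  const trusted = 'https://api.trusted.com/orders';
  return [
    decide({ ...base, operation: 'GET', params: { url: trusted } }, limiter, t0),
    decide({ ...base, operation: 'GET', params: { url: 'https://evil.example/' } }, limiter, t0 + 1000),
    decide({ ...base, operation: 'POST', params: { url: trusted } }, limiter, t0 + 2000),
    decide({ ...base, operation: 'GET', params: { url: trusted } }, limiter, t0 + 3000), // 4th in the window
  ];
}
```

The fourth call in demo() is a GET to an allowed URL that would match the allow rule, yet it is denied because the rate-limit check runs first; that ordering is the property the Rego needs the extra `not rate_limit_exceeded(...)` conditions to guarantee.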

Network Security

SSRF Protection

The HTTP proxy connector automatically blocks requests to:

  • Private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
  • Localhost (127.0.0.1, ::1)
  • Cloud metadata endpoints (169.254.169.254)
  • Internal hostnames

Treat SSRF protection and the domain allowlist below as complementary rather than interchangeable: an allowlist is evaluated on the hostname, while an SSRF check has to be made on the address a connection actually goes to, including after redirects and DNS changes. Keep both enabled.

Domain Allowlisting

Restrict outbound requests to approved domains:

TypeScript
// In your policy or connector config
const allowedDomains = [
  'api.stripe.com',
  'api.github.com',
  'slack.com',
];
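The following is an added TypeScript example (not the connector's own code) of how an allowlist check and the SSRF address blocking fit together in a single pre-flight check on an outbound URL. It rejects non-HTTPS schemes and embedded credentials, matches hosts exactly or as real subdomains so that `evil-slack.com` does not satisfy `slack.com`, and blocks literal private, loopback and link-local addresses. Because a hostname can resolve to a private address, the caller passes the addresses it actually resolved and those are checked too; no DNS lookup is performed, which keeps the example offline. The function names are illustrative.

```typescript
import { URL } from 'node:url';

// Added example, not the product's code: allowlist plus SSRF address checks
// for an outbound URL. Names are illustrative; `resolved` holds addresses the
// caller has already resolved for the host (none are looked up here).

const allowedDomains = ['api.stripe.com', 'api.github.com', 'slack.com'];

function parseIPv4(text: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Private (10/8, 172.16/12, 192.168/16), loopback, link-local (which holds
// the 169.254.169.254 metadata endpoint), unspecified, and their IPv6 forms.
function isBlockedAddress(address: string): boolean {
  let ip = address.replace(/^\[|\]$/g, '').toLowerCase();
  if (ip === '::1' || ip === '::') return true;
  if (ip.startsWith('::ffff:')) ip = ip.slice(7); // IPv4-mapped IPv6, e.g. ::ffff:127.0.0.1
  const o = parseIPv4(ip);
  if (!o) return false;
  return (
    o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    o[0] === 127 ||
    (o[0] === 169 && o[1] === 254) ||
    o[0] === 0
  );
}

// Exact match or a real subdomain only: "evil-slack.com" must not match "slack.com".
function hostAllowed(host: string, allowlist: string[]): boolean {
  const h = host.toLowerCase().replace(/\.$/, '');
  return allowlist.some((d) => h === d || h.endsWith('.' + d));
}

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

function checkOutboundUrl(
  raw: string,
  allowlist: string[] = allowedDomains,
  resolved: string[] = [],
): { ok: boolean; reason: string } {
  const url = parseUrl(raw);
  if (!url) return { ok: false, reason: 'unparseable URL' };
  if (url.protocol !== 'https:') return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username || url.password) return { ok: false, reason: 'credentials embedded in URL' };
  const host = url.hostname; // already normalised by the URL parser (lower case, IPv4 shorthand expanded)
  if (isBlockedAddress(host)) return { ok: false, reason: `literal address ${host} is blocked` };
  if (!hostAllowed(host, allowlist)) return { ok: false, reason: `host ${host} is not allowlisted` };
  const bad = resolved.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `${host} resolves to blocked address ${bad}` };
  return { ok: true, reason: 'allowed' };
}
```

Run the check once per hop when following redirects: a redirect from an allowlisted host to `http://169.254.169.254/` must be re-evaluated, not inherited from the first request's result.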

TLS Requirements

  • Always use HTTPS for API communication
  • Enforce TLS 1.2+ for all connections
  • Validate TLS certificates against a trusted CA; do not use self-signed certificates in production

Data Protection

Sensitive Data Handling

  • Redaction: Automatically redact sensitive fields from logs
  • Encryption: Sensitive params encrypted at rest
  • Retention: Configure audit log retention policies

Configuring Redaction

TypeScript
// Redact sensitive fields before logging
const sensitiveFields = [
  'password',
  'api_key',
  'token',
  'credit_card',
  'ssn',
];
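The list above only names the fields; below is an added TypeScript example (not the product's built-in redaction) of applying it before an action's params are logged. Field names are compared after lower-casing and stripping separators, so `apiKey`, `API_KEY` and `x-api-key` all match; a matching key drops its whole subtree, bearer and basic credentials are redacted by value regardless of key, and the input object is left unmodified. The function names and the sample params are constructed for the example.

```typescript
// Added example, not the product's own redaction: recursive key- and
// value-based redaction of action params before logging. Names illustrative.

const REDACTED = '[REDACTED]';

const sensitiveFields = ['password', 'api_key', 'token', 'credit_card', 'ssn'];

// "Credit-Card", "creditCard" and "CREDIT_CARD" all become "creditcard".
function normaliseKey(key: string): string {
  return key.toLowerCase().replace(/[^a-z0-9]/g, '');
}

const SENSITIVE = sensitiveFields.map(normaliseKey);

// Suffix match catches prefixed variants such as x-api-key or refresh_token.
function isSensitiveKey(key: string): boolean {
  const k = normaliseKey(key);
  return SENSITIVE.some((s) => k === s || k.endsWith(s));
}

// Authorization-style values are secrets whatever key they sit under.
const CREDENTIAL_VALUE = /^\s*(bearer|basic)\s+\S+/i;

function redact(value: unknown): unknown {
  if (typeof value === 'string') return CREDENTIAL_VALUE.test(value) ? REDACTED : value;
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === 'object') {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      // A sensitive key loses its entire subtree, not just leaf strings.
      out[k] = isSensitiveKey(k) ? REDACTED : redact(v);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through
}

function redactParams<T>(params: T): T {
  return redact(params) as T;
}

// Constructed sample params for a payment call, as an agent might submit them.
const sampleParams = {
  url: 'https://api.stripe.com/v1/charges',
  headers: { Authorization: 'Bearer sk_test_abc123', 'X-Api-Key': 'k-987', 'Content-Type': 'application/json' },
  body: { amount: 4200, currency: 'usd', credit_card: { number: '4242424242424242', cvc: '123' } },
  customers: [{ email: 'a@example.com', ssn: '123-45-6789' }],
};

const safeToLog = redactParams(sampleParams);
```

Redact at the point where the audit event is built, not in the log sink: once a secret has reached a log pipeline it has usually also reached its backups and forwarders.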

Audit Trail Integrity

Audit events use cryptographic hash chaining for tamper evidence. Each event includes the hash of the previous event, so altering, removing or reordering any event invalidates every hash after it. The chain is tamper-evident rather than immutable: a modification is not prevented, but it cannot go undetected.
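To show what that property buys, here is an added TypeScript example of a hash chain and its verifier (it is not the product's audit format; the field names, the canonical encoding and the GENESIS value are illustrative). It builds a three-event chain, then tampers with it in three ways: editing a denial in place, editing it and recomputing its own hash, and deleting it. Each attempt is caught, and the position of the first failing event tells you where the chain was broken.

```typescript
import { createHash } from 'node:crypto';

// Added example, not the product's audit format: SHA-256 hash chaining over
// audit events and a verifier that locates the first broken link.
// Field names, canonical encoding and GENESIS are illustrative.

interface AuditEvent {
  seq: number;
  ts: string;
  agent_id: string;
  action: string;
  decision: string;
  prev_hash: string;
  hash: string;
}

type UnsignedEvent = Omit<AuditEvent, 'hash'>;

const GENESIS = '0'.repeat(64); // prev_hash of the first event

// Canonical JSON (sorted keys) so identical content always hashes identically.
function canonical(obj: object): string {
  return JSON.stringify(obj, Object.keys(obj).sort());
}

function hashEvent(e: UnsignedEvent): string {
  return createHash('sha256').update(canonical(e)).digest('hex');
}

function unsignedPart(e: AuditEvent): UnsignedEvent {
  return { seq: e.seq, ts: e.ts, agent_id: e.agent_id, action: e.action, decision: e.decision, prev_hash: e.prev_hash };
}

function appendEvent(chain: AuditEvent[], fields: Pick<AuditEvent, 'ts' | 'agent_id' | 'action' | 'decision'>): AuditEvent {
  const prev = chain.length > 0 ? chain[chain.length - 1].hash : GENESIS;
  const unsigned: UnsignedEvent = { ...fields, seq: chain.length, prev_hash: prev };
  const event: AuditEvent = { ...unsigned, hash: hashEvent(unsigned) };
  chain.push(event);
  return event;
}

// Returns the index of the first event that fails verification, or -1 if the chain is intact.
function verifyChain(chain: AuditEvent[]): number {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const e = chain[i];
    if (e.seq !== i || e.prev_hash !== expectedPrev || hashEvent(unsignedPart(e)) !== e.hash) return i;
    expectedPrev = e.hash;
  }
  return -1;
}

// Constructed chain of three events, then three ways of tampering with it.
function demo(): { intact: number; edited: number; rehashed: number; deleted: number } {
  const chain: AuditEvent[] = [];
  appendEvent(chain, { ts: '2024-05-01T10:00:00Z', agent_id: 'order-processor', action: 'GET https://api.trusted.com/orders', decision: 'allow' });
  appendEvent(chain, { ts: '2024-05-01T10:00:05Z', agent_id: 'order-processor', action: 'DELETE https://api.trusted.com/orders/42', decision: 'deny' });
  appendEvent(chain, { ts: '2024-05-01T10:00:09Z', agent_id: 'support-bot', action: 'GET https://api.trusted.com/tickets', decision: 'allow' });

  // 1. Rewrite the denial as an allow without touching its hash: event 1 fails.
  const edited = chain.map((e) => ({ ...e }));
  edited[1].decision = 'allow';
  // 2. Rewrite it and recompute its own hash: event 2's prev_hash no longer matches.
  const rehashed = chain.map((e) => ({ ...e }));
  rehashed[1].decision = 'allow';
  rehashed[1].hash = hashEvent(unsignedPart(rehashed[1]));
  // 3. Delete the denial outright: seq and prev_hash break at its position.
  const deleted = [chain[0], chain[2]];

  return { intact: verifyChain(chain), edited: verifyChain(edited), rehashed: verifyChain(rehashed), deleted: verifyChain(deleted) };
}
```

The rehashed case is the important one: an attacker who can rewrite one event and its hash still has to rewrite every later event, which is why the latest hash should be anchored somewhere the attacker cannot reach (a separate store, a signed checkpoint, or an exported proof pack).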

Access Control

Role-Based Access

Role       Permissions
admin      Full access: manage users, policies, billing
approver   Approve/reject actions, view audit trail
auditor    Read-only access to audit trail
viewer     View dashboard and basic stats

Organization Isolation

Multi-tenant isolation is enforced at the database level with Row-Level Security (RLS). Each organization can only access its own data.

Monitoring and Alerting

Security Events to Monitor

  • Failed authentication attempts
  • Policy denials (especially repeated)
  • Unusual action patterns
  • High-risk action submissions
  • Approval timeouts

Setting Up Alerts

TypeScript
// Example: alert when one agent accumulates more than 10 denials inside a
// 5-minute window. denialCount and windowStartMs come from your own counter
// over the audit events; sendAlert is your alerting hook.
const WINDOW_MS = 5 * 60 * 1000;
if (denialCount > 10 && Date.now() - windowStartMs <= WINDOW_MS) {
  sendAlert({
    severity: 'warning',
    message: 'Unusual denial rate for agent',
    agent_id: agentId,
  });
}
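The snippet above assumes a counter exists; here is an added TypeScript example (not the product's alerting feature) of the detection logic itself, run over a small set of constructed audit records. It keeps a sliding window of denial timestamps per agent and raises one alert for an agent that exceeds the threshold within the window. The two agents in the sample are denied the same number of times, but only the one whose denials are bunched together fires. AuditRecord, Alert and detectRepeatedDenials are illustrative names.

```typescript
// Added example, not the product's code: sliding-window denial detection over
// audit records. Records are constructed; names are illustrative.

interface AuditRecord {
  ts: string;
  agent_id: string;
  decision: 'allow' | 'deny' | 'require_approval';
  reason?: string;
}

interface Alert {
  severity: 'warning';
  message: string;
  agent_id: string;
  count: number;
  window_start: string;
}

const THRESHOLD = 10;
const WINDOW_MS = 5 * 60 * 1000;

function detectRepeatedDenials(events: AuditRecord[], threshold = THRESHOLD, windowMs = WINDOW_MS): Alert[] {
  // Process in time order regardless of how the events arrived.
  const ordered = [...events].sort((a, b) => Date.parse(a.ts) - Date.parse(b.ts));
  const recent = new Map<string, number[]>(); // agent -> denial timestamps still inside the window
  const alerted = new Set<string>(); // one alert per agent per run, so later denials do not re-page
  const alerts: Alert[] = [];

  for (const e of ordered) {
    if (e.decision !== 'deny') continue;
    const t = Date.parse(e.ts);
    const stamps = recent.get(e.agent_id) ?? [];
    while (stamps.length > 0 && t - stamps[0] > windowMs) stamps.shift(); // drop expired denials
    stamps.push(t);
    recent.set(e.agent_id, stamps);
    if (stamps.length > threshold && !alerted.has(e.agent_id)) {
      alerted.add(e.agent_id);
      alerts.push({
        severity: 'warning',
        message: `Unusual denial rate for agent: ${stamps.length} denials in ${windowMs / 60000} min`,
        agent_id: e.agent_id,
        count: stamps.length,
        window_start: new Date(stamps[0]).toISOString(),
      });
    }
  }
  return alerts;
}

// Constructed sample: support-bot is denied 12 times in four minutes (fires);
// order-processor is denied 12 times over twelve minutes, never more than 6
// inside any 5-minute window (stays quiet).
function sampleEvents(): AuditRecord[] {
  const base = Date.parse('2024-05-01T10:00:00Z');
  const at = (ms: number) => new Date(base + ms).toISOString();
  const events: AuditRecord[] = [{ ts: at(5_000), agent_id: 'support-bot', decision: 'allow' }];
  for (let i = 0; i < 12; i++) {
    events.push({ ts: at(i * 20_000), agent_id: 'support-bot', decision: 'deny', reason: 'No matching allow rule' });
    events.push({ ts: at(i * 60_000), agent_id: 'order-processor', decision: 'deny', reason: 'No matching allow rule' });
  }
  return events;
}
```

Feed the alert's `window_start` and `agent_id` straight into the audit search so the responder lands on the denied actions rather than on a bare count.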

Incident Response

If an API Key is Compromised

  1. Immediately revoke the key in Settings → API Keys
  2. Review audit logs for unauthorized actions
  3. Generate a new key and update your agent
  4. Investigate how the key was exposed
  5. Document the incident

Exporting Evidence

Use Proof Packs to export forensic evidence:

Bash
# Export the proof pack for one action; set ACTION_ID to the ID of the action under investigation
curl --fail -H "Authorization: Bearer $TOKEN" \
  "https://api.agentactionfirewall.com/v1/proof-pack/$ACTION_ID" \
  -o proof-pack.zip

Compliance

Audit Requirements

  • All actions are logged with timestamps
  • Hash chaining provides tamper evidence
  • Proof packs support compliance exports
  • Configurable retention periods

Data Residency

Cloud-hosted data is stored in your selected region with full encryption at rest and in transit.

Security Checklist

  • API keys stored in secrets manager, not code
  • Default-deny policies configured
  • SSRF protection enabled
  • Domain allowlist configured
  • TLS enforced for all connections
  • Sensitive field redaction enabled
  • Audit log retention configured
  • Monitoring and alerting set up
  • Incident response plan documented
  • Regular key rotation schedule

Need Help?

For security questions or to report vulnerabilities, contact info@agentactionfirewall.com.