Product update | Amazon Web Services

AWS Bedrock AgentCore adds Chrome enterprise policy support with 450+ browser settings

TL;DR

Amazon Bedrock AgentCore Browser now supports Chrome enterprise policies and custom root CA certificates, giving organizations control over 450+ browser settings for AI agents. The feature enables URL filtering, download restrictions, password manager controls, and connectivity to internal services through custom certificate authorities.


Amazon Bedrock AgentCore Browser now supports Chrome enterprise policies and custom root CA certificates, according to AWS. Organizations can now configure over 450 browser settings for AI agents, including URL filtering, download restrictions, and password manager controls.

Two-tier policy enforcement

The implementation uses two layers of policy enforcement. Managed policies operate at the browser level through Chrome's /etc/chromium/policies/managed/ directory. These policies are provided during browser creation via the control plane API and apply to every session. Recommended policies operate at the session level through Chrome's /etc/chromium/policies/recommended/ directory and can be provided when starting a browser session through the data plane API.

When managed and recommended policies conflict on the same setting, the managed policy takes precedence. This follows standard Chrome enterprise behavior.

Custom root CA certificate support

Organizations can store root CA certificates in AWS Secrets Manager and reference them when creating a browser or AgentCore Code Interpreter. The service imports the certificate into the certificate trust store, enabling connections to internal services and SSL-intercepting proxies without disabling certificate validation.

This addresses a specific barrier for organizations with internal services using private certificate authorities, where HTTPS connections previously failed with certificate validation errors.

Implementation architecture

Chrome policy JSON files are stored in Amazon S3. The control plane fetches these files when CreateBrowser is called and retrieves optional root CA certificates from AWS Secrets Manager. Applications call the CreateBrowser API followed by the StartBrowserSession API. The control plane passes browser configuration metadata to the data plane, which deploys managed policies, recommended policies, and root CA certificates to the isolated browser session.

Use case: domain restriction

The feature addresses three organizational requirements. First, URL allowlists and denylists restrict agent scope to approved domains. An agent processing invoices on a specific portal can be prevented from accessing social media or search engines through browser-level enforcement.

Second, organizations can disable risky browser features including password managers, file downloads, and autofill capabilities. Third, policy management is separated from agent development—security teams define browser configurations while development teams focus on agent logic.
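The managed-over-recommended precedence and the restrictions described above can be checked before policy files are uploaded. The following is an added example, not AWS's code or part of the sample notebook: the policy names are standard Chrome enterprise policies, while the portal hostname, the sample values, and the `REQUIRED` baseline are assumptions made for illustration.

```python
import json

# Constructed sample policy files (not from AWS documentation). Policy names are
# standard Chrome enterprise policies; the portal hostname is a placeholder.
MANAGED = json.loads("""{
  "URLBlocklist": ["*"],
  "URLAllowlist": ["invoices.example.com"],
  "PasswordManagerEnabled": false,
  "DownloadRestrictions": 3
}""")
RECOMMENDED = json.loads("""{
  "PasswordManagerEnabled": true,
  "AutofillAddressEnabled": false,
  "AutofillCreditCardEnabled": false
}""")

# Assumed baseline: the features the article names, with their restricted values.
REQUIRED = {
    "PasswordManagerEnabled": False,
    "DownloadRestrictions": 3,  # 3 = block all downloads
    "AutofillAddressEnabled": False,
    "AutofillCreditCardEnabled": False,
}

def effective_policy(managed, recommended):
    """Merge both tiers; managed wins on conflict. Returns (effective, overridden keys)."""
    overridden = sorted(k for k in recommended
                        if k in managed and managed[k] != recommended[k])
    return {**recommended, **managed}, overridden

def audit(managed, recommended):
    """List controls that are missing, weak, or not pinned in the managed tier."""
    effective, _ = effective_policy(managed, recommended)
    findings = []
    if "*" not in managed.get("URLBlocklist", []):
        findings.append("URLBlocklist: no managed default-deny ('*') entry")
    allow = managed.get("URLAllowlist", [])
    if not allow or "*" in allow:
        findings.append("URLAllowlist: empty or wildcard in managed tier")
    for name, want in REQUIRED.items():
        if effective.get(name) != want:
            findings.append(f"{name}: effective value {effective.get(name)!r}, expected {want!r}")
        elif name not in managed:
            findings.append(f"{name}: set only in the recommended (per-session) tier")
    return findings

if __name__ == "__main__":
    print(effective_policy(MANAGED, RECOMMENDED)[1], *audit(MANAGED, RECOMMENDED), sep="\n")
```

With the sample files, the recommended `PasswordManagerEnabled` value is overridden by the managed one, and the two autofill settings are flagged because they exist only in the session-level tier.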

Availability

The feature is available now in AWS Regions where Amazon Bedrock AgentCore is supported. AWS provides a complete sample implementation as a Jupyter notebook in the amazon-bedrock-agentcore-samples repository on GitHub. The sample demonstrates policy enforcement through session recording and custom root CA certificate configuration using a public test site.

Prerequisites include Python 3.10 or later, AWS credentials, and access to an AI model. The sample uses Anthropic Claude through Amazon Bedrock, though AgentCore is model-agnostic.

What this means

This is infrastructure-level security for browser-based AI agents. Organizations running agents that interact with web services can now enforce the same browser restrictions they apply to human users. The separation of managed and recommended policies provides a clear boundary between security team controls and application-level configuration. Custom root CA support removes a significant deployment blocker for enterprises with private certificate authorities, where agent browser sessions previously couldn't connect to internal services without disabling certificate validation entirely.
