Rules File
Overview¶
In this lab, you'll create a rules file that sets guardrails for your AI coding agent — enforcing deletion confirmation, least-privilege IAM, region restrictions, and resource tagging. Rules files tell your agent what it should and shouldn't do, acting as a safety net for AWS operations.
What You'll Learn¶
- How rules files constrain agent behavior and enforce security policies
- How to write rules covering deletion confirmation, least-privilege IAM, and region restrictions
- How to upload your rules file to S3 for workshop progress tracking
Instructions¶
Explore¶
Try to accomplish this goal using your agent. Here are some hints if you get stuck:
- Create a rules file that instructs your agent to always use the MCP Server, never delete resources without confirmation, and only deploy to us-east-1
- Include rules about least-privilege IAM (no
*for both Action and Resource) and mandatory resource tagging - Upload the rules file to your workshop S3 bucket under the
rules-file/prefix
Step-by-step Walkthrough
- First, review the example rules file provided in the workshop repository. Ask your agent:
Show me the example rules file for this workshop that covers MCP Server usage, deletion confirmation, least-privilege IAM, encryption, region restrictions, and tagging.
- Create your own rules file. Use the following prompt to have your agent help you write one:
Create a rules file for this workshop with the following guardrails: - Always use the AWS MCP Server for AWS operations - Never delete resources without explicit user confirmation - IAM policies must follow least-privilege (no Action: with Resource:) - Enable encryption at rest for all storage resources - Only create resources in us-east-1 - Tag all resources with Workshop=AgentToolkit
-
Save the rules file in the appropriate location for your agent (see Agent-Specific Tips below).
-
Upload the rules file to your workshop S3 bucket for progress tracking:
Upload my rules file to the workshop S3 bucket under the key prefix "rules-file/". The bucket is named agent-toolkit-workshop-{participant-id}.
Replace {participant-id} with your actual participant ID.
- Test that your rules file is working by asking your agent to do something the rules should prevent:
Delete the workshop S3 bucket.
Your agent should refuse or ask for confirmation based on the deletion rule.
Validation¶
Open the CloudWatch Dashboard in the AWS Console. The Module 4 widget checks:
- ✅ A file exists in your S3 bucket under the
rules-file/prefix
You can also verify by asking your agent:
List objects in my workshop S3 bucket under the rules-file/ prefix.
Agent-Specific Tips¶
Claude Code uses a CLAUDE.md file in your project root. Create this file with your rules:
Claude Code automatically reads CLAUDE.md at session start. You can also place it in a parent directory for organization-wide rules.
The workshop provides an example at rules-examples/CLAUDE.md — review it for the expected format.
To upload:
Kiro uses steering files in .kiro/steering/ directory. Create a file like .kiro/steering/aws-guardrails.md:
Kiro steering files support YAML front-matter with triggers that activate rules on file save or deploy commands. The workshop provides an example at rules-examples/.kiro/steering/aws-guardrails.md.
To upload:
Cursor uses a .cursorrules file in your project root. Create this file with your rules in plain text format:
Cursor reads .cursorrules automatically when you open the project. The workshop provides an example at rules-examples/.cursorrules.
To upload:
Codex uses a codex.md file in your project root. Create this file with your rules in Markdown format:
Codex reads codex.md at the start of each session. The workshop provides an example at rules-examples/codex.md.
To upload: