AWS maps egress controls to AI-agent exfiltration risk

Amazon Web Services (AWS) is treating egress control as the place where ordinary cloud compromise and agentic AI abuse meet. The post’s reference architecture puts workloads in spoke virtual private clouds (VPCs), uses AWS Transit Gateway as the hub, pushes AWS service traffic through VPC endpoints with endpoint policies where possible, and sends internet-bound traffic through AWS Network Firewall. Route 53 Resolver DNS Firewall is the DNS layer, with the important limitation AWS states plainly: queries sent directly to other resolvers bypass it.

The vendor framing is predictable: data exfiltration, CVE-2025-55182, React2Shell exploitation, OWASP Agent Goal Hijack (ASI01) and Unexpected Code Execution (ASI05), followed by the AWS services that reduce the blast radius. The technical point is still useful. If an application with remote code execution or a manipulated AI agent can open arbitrary outbound channels, the incident response team is already behind. The egress decision has to happen before an audit, complaint, or incident notification makes the data loss visible.

Read this as consolidation rather than product magic. AWS has already published separate guidance on Network Firewall egress TLS inspection (https://aws.amazon.com/blogs/security/tls-inspection-configuration-for-encrypted-egress-traffic-and-aws-network-firewall/) and Amazon EKS outbound HTTPS filtering by Server Name Indication (https://aws.amazon.com/blogs/security/use-aws-network-firewall-to-filter-outbound-https-traffic-from-applications-hosted-on-amazon-eks/). What changes here is the packaging: the same controls are now being applied to AI agents with access to tools, APIs, and code interpreters. Monday’s work is inventorying direct internet and direct-DNS paths, forcing service calls through VPC endpoints where feasible, and writing allowlists that application owners can defend.