aws2 Documentation

Working draft

This page renders the current aws2 working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.

ID	Family	Primary evidence examples	Level 1 focus	Level 2 focus	Level 3 focus
AWS2-SCP	Scope, inventory, and ownership	scope record, inventory export, owner matrix, intended-use note, component map	named boundary, owners, data/context sources, and exclusions	repeatable inventory, boundary review, and claim-scope review	historical scope records and drift review
AWS2-DEL	Delegation, authority, and identity	authority model, agent identity record, role matrix, authorization tests, approval records	documented authority paths and execution/approval roles	least privilege, approval expectations, and recorded high-impact identity context	separation of execution and approval authority
AWS2-WSB	Workspace and execution boundaries	resource inventory, sandbox config, egress policy, boundary tests	reachable resources, execution capabilities, and boundary exclusions	scoped production access, egress limits, monitoring, and review for broad impact	validated boundary enforcement, bypass monitoring, and retained boundary evidence
AWS2-RUN	Runtime policy, approvals, and action control	runtime policy, allowlists, approval receipts, denied-action logs, mediation tests	high-impact actions, policy gates, and runtime decision capabilities	enforced approval gates, recorded outcomes, interruption, rollback, and budget controls	pre-execution mediation, recurring policy-path tests, and stronger record integrity
AWS2-SRC	Skill, tool, and connector source trust	source register, source-trust profile record, permission declarations, version pins, update receipts, drift tests	inventory, origin records, requested permissions, and dependency chain	reviewed updates, provenance records, source-trust profile records, and runtime-version drift checks	integrity controls, high-impact source review, rollback or retirement path
AWS2-CTX	Context, memory, and instruction boundary control	context inventory, precedence rules, memory policy, retrieval inventory, boundary tests	known context sources, trust relationships, and prohibited storage locations	controls on lower-trust override, memory writes, redaction, and durable context attribution	poisoning tests, material change records, and isolation for high-risk workflows
AWS2-SEC	Secrets, credentials, and sensitive data handling	sensitive-location inventory, entitlement review, redaction policy, export receipts, denied-exfiltration tests	sensitive locations, prohibited storage, and sensitive-export action classes	least-privilege access, approval for sensitive movement, and redaction or derived evidence	validated secret handling, retained redaction/export evidence, and enterprise-control integration where applicable
AWS2-LOG	Logs, receipts, and traceability	log inventory, receipt schema, sampled receipts, retention policy, reconstruction tests	recorded events, receipt format, and redaction expectations	retained attributable records, structured exports, and sensitive-data-safe review packets	protected logs, integrity controls, high-impact workflow reconstruction, and monitoring linkage
AWS2-VAL	Validation, testing, and review	validation plan, control coverage matrix, policy tests, adversarial summary, monitoring review, findings tracker	scoped validation methods, review artifact, and gap record	pre-production tests, human oversight review, logging/sensitive-data review, and remediation tracking	recurring validation, independent review, adversarial/tabletop testing, and drift review
AWS2-GOV	Governance, exceptions, and change management	owner record, exception register, adoption gate, supplier due-diligence record, claim-limit record	governance owner, exception record, and conservative claim posture	review triggers, exception expiry, coordinated expansion, and external mapping review	separated review, governance procedure exercises, and formal reassessment triggers