AWS2-SEC: Secrets, Credentials, And Sensitive Data Handling
Working draft
This page renders the current aws2 working draft. It is not a released standard, certification program, compliance framework, legal analysis, endorsement, or public conformance claim.
Objective:
The scoped agentic workspace system should prevent agents, tools, skills, memory, logs, and evidence exports from exposing or misusing secrets, credentials, tokens, private keys, confidential data, personal data, regulated data, intellectual property, tenant data, or other sensitive information.
Primary layer: workspace and endpoint.
Typical owner: workspace or endpoint.
Applicability:
Applies when agents can access credentials, secrets stores, environment variables, local files, browser sessions, connector tokens, source repositories, confidential documents, customer data, regulated data, model or retrieval context, logs, evidence exports, or external systems containing sensitive values.
Level 1 Candidate Requirements
AWS2-SEC-L1-001: The scoped agentic workspace system MUST identify likely secret, credential, token, key, and sensitive-data locations that agents could access directly or indirectly, including files, environment variables, secret stores, browser or application sessions, connector scopes, memory, logs, retrieval sources, and evidence artifacts where applicable.
AWS2-SEC-L1-002: The scoped agentic workspace system MUST define where secrets and credentials must not be stored, including portable project context, public notes, skill metadata, prompts, tool outputs, logs, memory, traces, summaries, and evidence artifacts unless explicitly protected.
AWS2-SEC-L1-003: The scoped agentic workspace system MUST identify action classes that could export, reveal, copy, persist, or transmit sensitive data outside the approved boundary, including derived sensitive outputs, screenshots, summaries, tool results, and external communications where applicable.
Level 2 Candidate Requirements
AWS2-SEC-L2-001: The scoped agentic workspace system MUST restrict agent access to secrets, credentials, tokens, and sensitive data to the minimum necessary for the approved workflow, with scope, duration, connector permissions, retrieval access, and tool access constrained where practical.
AWS2-SEC-L2-002: The scoped agentic workspace system MUST prevent or require approval before agents transmit sensitive data, credentials, or derived sensitive outputs to external systems, public files, shared channels, lower-trust tools, lower-trust models, or unapproved retrieval or memory locations.
AWS2-SEC-L2-003: The scoped agentic workspace system SHOULD use scanning, redaction, derived receipts, structured summaries, or equivalent controls to keep evidence useful without exposing raw secrets, personal data, regulated data, confidential payloads, or unnecessary business-sensitive content.
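Worked example for AWS2-SEC-L2-003, added here as illustration (it is not code from the aws2 draft or from any implementation it references): a small Python evidence sanitizer that scans captured tool output for secret-like and personal-data patterns, replaces each hit with a typed placeholder, and returns a derived receipt (a keyed fingerprint per finding plus a digest of the raw input) so evidence stays correlatable without retaining the raw values. The detection patterns, the fingerprint key and the sample tool output are constructed for the example and are assumptions, not part of the draft.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Constructed key for fingerprinting findings. In a real evidence system this key is held
# by the evidence store, so a fingerprint cannot be reversed by guessing low-entropy values.
FINGERPRINT_KEY = b"constructed-evidence-fingerprint-key"

# (kind, pattern, index of the group holding the secret value; 0 = whole match).
# Illustrative patterns only; a production scanner carries far more.
PATTERNS: List[Tuple[str, "re.Pattern[str]", int]] = [
    ("private_key",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S), 0),
    ("bearer_token", re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]{16,}"), 0),
    # Keep the variable name and '=' so the redacted log stays readable; redact only the value.
    # '[' is excluded from the value so an already-inserted placeholder is not re-flagged.
    ("credential_assignment",
     re.compile(r"(?i)(api[_-]?key|secret|token|password)(\s*[=:]\s*['\"]?)([^\s'\"\[]{8,})"), 3),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 0),
]


def fingerprint(value: str) -> str:
    """Keyed, truncated digest: lets two receipts be correlated without storing the value."""
    return hmac.new(FINGERPRINT_KEY, value.encode(), "sha256").hexdigest()[:12]


def sanitize(text: str) -> Dict:
    """Return a derived receipt: redacted text, per-finding fingerprints, digest of the raw input."""
    findings: List[Dict[str, str]] = []
    redacted = text
    for kind, pattern, group in PATTERNS:
        def _replace(m: "re.Match[str]", kind=kind, group=group) -> str:
            secret = m.group(group)
            findings.append({"kind": kind, "fingerprint": fingerprint(secret)})
            # Preserve any non-secret prefix/suffix of the match (e.g. "PASSWORD=").
            whole = m.group(0)
            start, end = m.start(group) - m.start(), m.end(group) - m.start()
            return whole[:start] + f"[REDACTED:{kind}]" + whole[end:]
        redacted = pattern.sub(_replace, redacted)
    return {
        "raw_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "findings": findings,
        "redacted": redacted,
    }


def is_clean(text: str) -> bool:
    """Evidence-sanitization check: a second scan of sanitized output must find nothing."""
    return not sanitize(text)["findings"]


# Constructed tool output of the kind an agent might capture into logs, memory or evidence.
TOOL_OUTPUT = """\
$ cat .env
DATABASE_PASSWORD=hunter2hunter2
API_KEY=sk_constructed_example_key_1234
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed.payload
Contact owner: alice@example.com
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKconstructedexamplekeymaterial
-----END RSA PRIVATE KEY-----
build finished in 4.2s
"""

if __name__ == "__main__":
    receipt = sanitize(TOOL_OUTPUT)
    print(receipt["redacted"])
    for finding in receipt["findings"]:
        print(finding)
    print("clean after redaction:", is_clean(receipt["redacted"]))
```

The second scan (is_clean) over the sanitized text is the part worth keeping as an evidence artifact: it is the "secret scanning or evidence-sanitization result" listed under minimum evidence, recorded against the receipt rather than against the raw capture.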
Level 3 Candidate Requirements
AWS2-SEC-L3-001: The scoped agentic workspace system MUST validate secret-handling and sensitive-data controls for high-impact workflows through testing, review, or controlled exercises, including denied-exfiltration paths, token or credential teardown, entitlement checks, redaction behavior, and sensitive-output handling where applicable.
AWS2-SEC-L3-002: The scoped agentic workspace system MUST retain evidence of sensitive-data access policy, redaction behavior, and relevant denied or approved export events for material production periods, without retaining raw sensitive payloads unless the assessment explicitly requires and protects them.
AWS2-SEC-L3-003: The scoped agentic workspace system SHOULD integrate with managed secret stores, data-loss prevention, endpoint controls, or equivalent enterprise controls where agent workflows involve sensitive production data, customer data, tenant data, regulated information, privileged credentials, or critical systems.
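Worked example covering AWS2-SEC-L2-002 (gating transmission to external, public or lower-trust destinations) and AWS2-SEC-L3-002 (retaining export receipts without raw payloads), added here as illustration and not code from the aws2 draft: a Python export gate that classifies the destination's trust, refuses credential exports and sensitive exports to public destinations, requires approval for sensitive exports to lower-trust tools or models and external systems, and appends one receipt per decision that carries only metadata and a payload digest. The destination trust register, the category labels and the requests in the usage block are constructed assumptions.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed destination trust register. A real deployment would derive this from the
# connector and tool registry rather than a hard-coded table.
DESTINATION_TRUST: Dict[str, str] = {
    "internal-ticketing": "trusted",
    "team-chat-private": "trusted",
    "vendor-summarizer-llm": "lower-trust",   # a lower-trust model
    "external-email": "external",
    "public-gist": "public",
}

# Constructed category labels (from a data category register) whose export is gated or
# refused outside trusted destinations. "credential" is handled separately: never exported.
SENSITIVE = frozenset({"personal", "regulated", "confidential", "tenant", "derived_sensitive"})


@dataclass(frozen=True)
class ExportRequest:
    agent_id: str
    destination: str
    categories: frozenset   # labels from the data category register, e.g. {"personal"}
    payload: bytes          # what the agent wants to send; never copied into a receipt


def classify_destination(name: str) -> str:
    return DESTINATION_TRUST.get(name, "unknown")


def decide(req: ExportRequest) -> str:
    """Policy: prevent or gate sensitive exports; credentials never leave via an agent export."""
    trust = classify_destination(req.destination)
    if "credential" in req.categories:
        return "deny"
    if trust == "unknown":
        return "deny"                   # unregistered destination: fail closed
    if not (req.categories & SENSITIVE):
        return "allow"
    if trust == "public":
        return "deny"                   # publication is irreversible, so no approval path
    if trust == "trusted":
        return "allow"
    return "require_approval"           # lower-trust tools/models and external systems


def gate_export(req: ExportRequest, ledger: List[Dict],
                approver: Optional[str] = None) -> Tuple[str, Dict]:
    """Apply the policy and append a receipt holding only metadata and a payload digest."""
    decision = decide(req)
    if decision == "require_approval" and approver:
        decision = "allow_approved"
    receipt = {
        "time": time.time(),
        "agent_id": req.agent_id,
        "destination": req.destination,
        "destination_trust": classify_destination(req.destination),
        "categories": sorted(req.categories),
        "decision": decision,
        "approver": approver,
        "payload_bytes": len(req.payload),
        # The digest lets an investigator match a receipt to a payload they already hold,
        # without the ledger itself retaining the sensitive content.
        "payload_sha256": hashlib.sha256(req.payload).hexdigest(),
    }
    ledger.append(receipt)
    return decision, receipt


if __name__ == "__main__":
    # Constructed requests exercising each branch of the policy.
    ledger: List[Dict] = []
    samples = [
        (ExportRequest("agent-1", "internal-ticketing", frozenset({"credential"}), b"token=abc"), None),
        (ExportRequest("agent-1", "external-email", frozenset({"personal"}), b"alice@example.com"), None),
        (ExportRequest("agent-1", "external-email", frozenset({"personal"}), b"alice@example.com"), "reviewer-7"),
        (ExportRequest("agent-1", "public-gist", frozenset({"confidential"}), b"q3 plan"), None),
        (ExportRequest("agent-1", "team-chat-private", frozenset({"business"}), b"status"), None),
        (ExportRequest("agent-1", "unregistered-webhook", frozenset(), b"hello"), None),
    ]
    for req, approver in samples:
        decision, receipt = gate_export(req, ledger, approver)
        print(decision, receipt["destination"], receipt["categories"])
```

The ledger is the artifact behind "sampled denied or approved sensitive-data export receipts": each entry records who, where, what category and which decision, with a digest instead of the data. Approval is modelled as a caller-supplied approver identity so the receipt names who accepted the export.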
Minimum evidence examples:
- secret and sensitive-data location inventory
- credential access policy
- connector token scope record
- data category or sensitivity register
- entitlement or least-privilege review
- redaction or derived-evidence policy
- secret scanning or evidence-sanitization result
- denied-exfiltration or sensitive-output test record
- sampled denied or approved sensitive-data export receipts
- managed-secret, DLP, or endpoint-control integration note
Mapping notes:
- The completed crosswalk treats AWS2-SEC as a candidate-control family shaped by authorization, output entitlement, MCP token handling, privacy, data access limits, DLP, tenant isolation, private-data exposure, least-privilege, credential-harvesting, secret-scanning, and exfiltration signals from OWASP AISVS, OWASP Agentic Skills Top 10, AIUC-1, NIST AI 600-1, ISO/IEC 23894, Five Eyes guidance, MITRE ATLAS, and selected EU AI Act data, logging, and cybersecurity signals.
Claim limits:
- Secret-handling evidence supports selected candidate controls. It does not prove GDPR compliance, biometric-lawfulness, full privacy compliance, data-classification compliance, absence of all leakage paths, enterprise DLP effectiveness, or credential safety outside the scoped boundary.