AWS Secrets Manager introduces safe secrets handling in the Agent Toolkit for AWS

AWS Secrets Manager now offers a secret safety skill as part of the aws-core plugin in the Agent Toolkit for AWS, an open-source repository that equips AI coding agents with tools, knowledge, and guardrails for building on AWS. This skill enables developers to use secrets within agentic workflows without ever exposing secret values to the underlying model or session logs. Previously, developers using AI coding agents could retrieve secrets as plain text without guardrails, bringing sensitive values into agent context. The skill uses a two-layer approach: first, it steers the agent so the model never requests or receives raw secret values-instead prompting the developer to clarify intent and constructing a command that uses the secret rather than retrieving it. Second, a child process resolves secret references to actual values only at execution time, outside the agent process. Together, these layers ensure plaintext secrets never appear in model context, session logs, or agent memory-without disrupting the developer's workflow. The secret safety skill is available today for all agent harnesses supported by the Agent Toolkit for AWS-including Claude Code, Codex, and Cursor-and in all AWS Regions where Secrets Manager is available.

AWS Secrets Manager

Read the original AWS announcement

Updates from around the same time

New featureHigh

Amazon Bedrock Managed Knowledge Base is now generally available

Amazon Bedrock Managed Knowledge Base, a fully managed retrieval-augmented generation service, is now generally available, allowing developers to build production-ready AI agents grounded in enterprise data without managing vector databases, data pipelines, or retrieval infrastructure

Amazon Bedrock

New featureMedium

Oracle Database@AWS now supports Oracle Autonomous AI Database Serverless

Oracle Database@AWS now supports Oracle Autonomous AI Database Serverless (ADB-S), a fully managed Oracle database service on Exadata infrastructure. ADB-S can be provisioned directly from the AWS Management Console, AWS CLI, or AWS APIs, supporting four workload types: AI Transaction Processing, AI Lakehouse, AI JSON Database, and Oracle APEX.

New featureMedium

AWS Security Agent announces support for Threat Modeling

AWS Security Agent now includes AI-powered threat modeling, automatically generating threat models from design documents or source code. Developers can integrate it into IDEs for early threat mitigation, while security teams can use it for pre-deployment assessments.

New serviceMedium

Introducing AWS Continuum for security at machine speed

AWS Continuum discovers, prioritizes, validates, and remediates security risks at machine speed within user-defined guardrails. It integrates findings from existing tools and its own scans, prioritizes them using a context graph of the environment and business, and validates exploitability by building reproducible proof in an isolated sandbox. Confirmed exposures receive fast, reversible mitigations within guardrails, followed by durable fixes routed through the user's review and deployment process

New featureMedium

Amazon Bedrock Guardrails announces new API for agentic AI workflows

Amazon Bedrock Guardrails now offers the InvokeGuardrailChecks API, allowing users to apply individual safeguards at any point in agentic AI applications without creating guardrail resources. The API provides granular control over which safeguards to run at each step, returning severity and confidence scores for custom thresholds and actions.

Amazon Bedrock

New featureMedium

AWS Glue Data Catalog now supports business context and semantic search (Preview)

AWS Glue Data Catalog adds business context and semantic search in preview, allowing users to enrich tables with glossary terms and metadata, and enabling AI agents to find data by meaning rather than inferred context.

Related articles and terms