All posts
June 18, 20264 min read

Putting access controls around Cursor: database access for AI coding agents (on AWS)

When an AI coding assistant can query production databases without leaving a trace, the organization loses control over database access, visibility, and compliance. The ideal state is a system where every query generated by Cursor is scoped to the minimum privilege, inspected for sensitive data, approved before destructive actions, and recorded for later review. Enforcing database access requires a control point that can see each request, apply policy, and log the outcome. A dedicated gateway p

Free White Paper

Cursor / AI IDE Security + Vector Database Access Control: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When an AI coding assistant can query production databases without leaving a trace, the organization loses control over database access, visibility, and compliance. The ideal state is a system where every query generated by Cursor is scoped to the minimum privilege, inspected for sensitive data, approved before destructive actions, and recorded for later review.

Enforcing database access requires a control point that can see each request, apply policy, and log the outcome. A dedicated gateway placed between the AI agent and the database can mask sensitive fields, block dangerous statements, require just‑in‑time approval, and capture a replayable session. This approach turns raw database traffic into a policy‑driven interaction without changing the AI code.

In many teams, the first step to enable Cursor is to create a static database user, grant it broad read‑write rights, and embed the credential in the agent’s configuration. The agent then talks directly to the PostgreSQL or MySQL instance, bypassing any review process. No one can tell which tables were read, whether a credit‑card number was returned, or if a DROP statement was executed. The audit logs are limited to the database’s own logging, which often lacks user‑level granularity for AI‑generated traffic.

This practice violates the principle of least privilege and leaves the environment open to accidental data exposure or intentional abuse. The situation is especially risky on AWS, where the same credential may be reused across multiple services and regions, amplifying the blast radius of a single compromised token.

Why the current fix is incomplete

Moving to a non‑human identity, such as a service account or an OIDC‑issued token, addresses the question of *who* is making the request. It also allows the team to assign a narrow set of permissions to the AI agent. However, the request still travels straight to the database without an intervening control point. At that point there is no gateway to enforce inline masking, to require just‑in‑time approval for risky commands, or to capture a replayable session. The setup alone does not provide auditability, data protection, or the ability to stop a destructive operation before it reaches the target.

Introducing hoop.dev as the enforcement layer

hoop.dev is a Layer 7 gateway that sits between the Cursor agent and the database. By placing the gateway in the data path, hoop.dev becomes the only place where policy can be applied to the traffic. The gateway authenticates the AI agent with OIDC or SAML, reads group membership, and then decides whether the request is allowed to proceed.

Because hoop.dev controls the connection, it can enforce several outcomes that are impossible with a direct link:

Continue reading? Get the full guide.

Cursor / AI IDE Security + Vector Database Access Control: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • It records each query and the full response, creating a replayable session for forensic analysis.
  • It masks sensitive fields, such as credit‑card numbers or personal identifiers, before they leave the database, ensuring that downstream logs never contain raw PII.
  • It blocks commands that match a denylist, for example DROP DATABASE or ALTER USER, unless an authorized approver explicitly grants a one‑time exception.
  • It routes high‑risk statements to an approval workflow, allowing a human reviewer to approve or reject the operation in real time.
  • It scopes access to the exact tables and columns required for the AI‑generated task, preventing accidental over‑reach.

All of these enforcement outcomes exist only because hoop.dev sits in the data path. The identity and token validation performed during setup determine *who* can ask for access, but the gateway enforces *what* that identity may actually do.

How the architecture fits together

The implementation follows three logical layers:

  1. Setup: Configure an OIDC provider (Okta, Azure AD, Google Workspace, etc.) and create a service account that represents the Cursor AI agent. Assign the account the minimal database role required for the intended queries.
  2. The data path: Deploy hoop.dev as a Docker Compose service or as a Kubernetes pod inside the same VPC as the database. The gateway runs a network‑resident agent that holds the actual database credentials, so the AI agent never sees them.
  3. Enforcement outcomes: When Cursor issues a SQL statement, hoop.dev intercepts the wire protocol, applies masking rules, checks for deny‑listed commands, and, if needed, triggers a just‑in‑time approval request. The full session is stored for replay and audit.

This separation makes it clear that the security guarantees come from the gateway, not from the identity provider or the static credential alone.

Practical considerations and common pitfalls

When integrating an AI coding assistant, teams often forget to adjust the database’s own logging configuration. Relying solely on the database logs will miss the masking and approval steps that happen inside hoop.dev. Ensure that the database’s native logs are still enabled for low‑level troubleshooting, but treat hoop.dev’s audit trail as the authoritative source for compliance.

Another frequent mistake is to grant the AI agent blanket SELECT rights on all schemas. Even though hoop.dev can block destructive commands, it cannot prevent a query that unintentionally scans an entire dataset and exfiltrates it. Scope the service account to the specific schemas and tables the agent needs, and let hoop.dev enforce column‑level masking for any fields that contain regulated data.

Getting started

To try this pattern, follow the getting started guide for deploying hoop.dev in a Docker Compose environment. The documentation walks you through configuring OIDC authentication, registering a PostgreSQL connection, and enabling inline masking for sensitive columns. For deeper insight into masking policies, approval workflows, and session replay, explore the learn section of the site.

All of the configuration files and example policies are available in the open‑source repository. Contribute or view the source on GitHub to adapt the setup to your AWS environment.

FAQ

Can I use hoop.dev with an existing Cursor deployment?

Yes. hoop.dev acts as a transparent proxy, so you only need to point the Cursor client at the gateway’s endpoint instead of the raw database host. No code changes are required on the AI side.

Does hoop.dev store database credentials?

The gateway holds the credentials in memory on the agent that runs inside your VPC. They never leave the network boundary, and the AI agent never receives them directly.

What happens if an approval request is denied?

hoop.dev aborts the offending statement and returns an error to the Cursor agent. The denied request is still recorded in the session log, providing evidence for audit purposes.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot