When guardrails are in place, AI coding agents such as Devin only execute code that has been explicitly approved, every request is recorded, and sensitive data never leaves the controlled environment.
Current practice leaves the door open
Most teams hand Devin a static AWS access key that carries broad permissions across multiple accounts. The key is stored in a configuration file that the agent reads at start‑up. Because the credential is static, any compromise of the agent or the file gives an attacker unrestricted access to the same resources. There is no per‑request audit, no way to see which API call originated from the AI, and no protection against accidental exposure of secrets in generated code.
Why simple credential scoping isn’t enough
Limiting the IAM policy attached to the key is a necessary first step, but it does not solve the core problem. The request still travels directly from Devin to AWS services, bypassing any runtime check. Without a control point in the data path, you cannot:
- Block a dangerous API call before it reaches the service.
- Require a human to approve high‑risk operations.
- Mask sensitive fields in responses that the agent might log.
- Record the full session for later replay or forensic analysis.
These enforcement outcomes only appear when a gateway sits between the identity and the target.
hoop.dev as the guardrail enforcement point
hoop.dev is a Layer 7 gateway that proxies every connection between an identity and an AWS resource. When Devin initiates a request, the traffic is routed through hoop.dev’s data path. At that point hoop.dev can apply the full suite of guardrails:
- Inline masking of secret fields in AWS responses.
- Command‑level approval workflows for privileged actions.
- Just‑in‑time credential issuance that expires as soon as the session ends.
- Comprehensive session recording that can be replayed for audit or debugging.
Each of these controls is enforced by hoop.dev, not by the IAM role or the AI agent itself. If you removed hoop.dev, none of the guardrails would exist. The gateway authenticates users and agents via OIDC or SAML, reads group membership, and then enforces policy based on that identity. An agent running inside the customer network holds the AWS credential, but the credential never touches Devin. This separation guarantees that the AI can only act within the boundaries defined by the guardrails.
Implementing guardrails for Devin
Start by deploying hoop.dev using the official Docker Compose quick‑start or a Kubernetes manifest. The deployment includes an agent that lives close to the AWS resources you want to protect. Register the AWS connection in the hoop.dev console, supplying the service‑level credential that the gateway will use. Configure OIDC authentication so that only the service account representing Devin can obtain a short‑lived token from your identity provider. In the hoop.dev policy UI, define guardrails such as:
- Allow read‑only S3 operations without approval.
- Require a manual approval step for any IAM role modification.
- Mask values that match the pattern of AWS secret keys in all responses.
When Devin runs a command, hoop.dev evaluates the policy, records the request, applies masking, and either forwards the call or pauses it for approval. All activity appears in the audit log, which can be exported for compliance reporting. For detailed steps, see the getting‑started guide and the learn section for deeper explanations of guardrail configuration.
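The evaluate, record, mask, then forward-or-pause flow described above, as an added Python model of the three example guardrails (read-only S3 allowed, IAM role modification held for approval, secret-key patterns masked in responses). This is illustration code written for this page, not hoop.dev's source or its policy format. The action names, the deny-by-default rule for unmatched actions, the credential regexes and the fake_aws stub are assumptions; the key values are the placeholder credentials from AWS documentation.

```python
import re
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Constructed model of a guardrail gateway. Not hoop.dev's code or policy language.

# Assumed credential shapes: access key IDs start with AKIA/ASIA, secret keys are
# 40 base64-style characters. Both patterns can false-positive (e.g. a 40-char hex SHA),
# which is why masking is applied to responses rather than used to block requests.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

READ_ONLY_S3 = {"s3:GetObject", "s3:HeadObject", "s3:ListBucket", "s3:ListObjectsV2"}
IAM_READ_VERBS = ("Get", "List", "Simulate")


@dataclass
class Decision:
    outcome: str  # "allow", "approval_required" or "block"
    reason: str


def evaluate(action: str) -> Decision:
    """Apply the three guardrails from the text; anything unmatched is blocked (deny by default)."""
    service, _, operation = action.partition(":")
    if action in READ_ONLY_S3:
        return Decision("allow", "read-only S3 operation")
    if service == "iam" and "Role" in operation and not operation.startswith(IAM_READ_VERBS):
        return Decision("approval_required", "IAM role modification needs human approval")
    return Decision("block", f"no guardrail permits {action}")


def mask_secrets(value: Any) -> Any:
    """Recursively replace credential-looking strings in a response with fixed markers."""
    if isinstance(value, str):
        value = ACCESS_KEY_ID_RE.sub("[MASKED_ACCESS_KEY_ID]", value)
        return SECRET_KEY_RE.sub("[MASKED_SECRET_KEY]", value)
    if isinstance(value, dict):
        return {k: mask_secrets(v) for k, v in value.items()}
    if isinstance(value, list):
        return [mask_secrets(v) for v in value]
    return value


class Gateway:
    """Control point in the data path: every request is evaluated and recorded before AWS sees it."""

    def __init__(self, forward: Callable[[str, Dict[str, Any]], Dict[str, Any]]):
        self.forward = forward  # the real AWS call in production; a stub in this example
        self.audit_log: List[Dict[str, Any]] = []
        self.pending: Dict[str, Dict[str, Any]] = {}

    def handle(self, identity: str, action: str, params: Dict[str, Any]) -> Dict[str, Any]:
        decision = evaluate(action)
        entry = {"ts": time.time(), "identity": identity, "action": action,
                 "params": params, "decision": decision.outcome, "reason": decision.reason}
        self.audit_log.append(entry)  # recorded regardless of outcome
        if decision.outcome == "block":
            return {"error": "BlockedByGuardrail", "reason": decision.reason}
        if decision.outcome == "approval_required":
            request_id = f"req-{len(self.audit_log)}"
            self.pending[request_id] = {"identity": identity, "action": action, "params": params}
            return {"status": "PendingApproval", "request_id": request_id, "reason": decision.reason}
        return self._forward_and_mask(entry, action, params)

    def approve(self, request_id: str, approver: str) -> Dict[str, Any]:
        """A human releases a paused request; the approver is written to the audit log."""
        req = self.pending.pop(request_id)
        entry = {"ts": time.time(), "identity": req["identity"], "action": req["action"],
                 "params": req["params"], "decision": "approved", "approved_by": approver}
        self.audit_log.append(entry)
        return self._forward_and_mask(entry, req["action"], req["params"])

    def _forward_and_mask(self, entry: Dict[str, Any], action: str, params: Dict[str, Any]) -> Dict[str, Any]:
        raw = self.forward(action, params)
        masked = mask_secrets(raw)
        entry["response_masked"] = masked != raw  # audit notes when masking fired
        return masked


def fake_aws(action: str, params: Dict[str, Any]) -> Dict[str, Any]:
    """Constructed stand-in for AWS; the key values are the placeholders from AWS documentation."""
    if action == "s3:GetObject":
        return {"Body": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"}
    if action == "iam:AttachRolePolicy":
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}
    return {}


if __name__ == "__main__":
    gw = Gateway(fake_aws)
    print(gw.handle("devin", "s3:GetObject", {"Bucket": "app-config", "Key": "prod.env"}))
    paused = gw.handle("devin", "iam:AttachRolePolicy", {"RoleName": "deploy"})
    print(paused)
    print(gw.handle("devin", "ec2:TerminateInstances", {"InstanceIds": ["i-0123456789abcdef0"]}))
    print(gw.approve(paused["request_id"], "alice"))
    print(gw.audit_log)
```

The point of the model is that the agent's identity never has to hold the AWS credential: only `fake_aws` (standing in for the gateway-side agent) does, and every outcome, including the blocked call and the human approver's name, ends up in the audit log.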
FAQ
Do I need to change the way Devin writes code?
No. Devin continues to use the same SDKs and CLI tools. The only change is that traffic is routed through hoop.dev, which is transparent to the agent.
Can I retroactively apply guardrails to existing sessions?
hoop.dev records each session as it happens. Past sessions are available for replay, but guardrails only affect future traffic once the policy is in place.
What happens if the guardrail policy blocks a request?
hoop.dev returns an informative error to Devin, indicating the reason for the block. If the request is configured for approval, an authorized human receives a notification to approve or deny the operation.
Ready to see the code and contribute? Explore the repository on GitHub and start securing your AI agents today.