AgentShield Proxy
A minimal PII-safe proxy for secure data handling.
Pitch

AgentShield Proxy provides a streamlined solution for safely handling personally identifiable information (PII) on AWS. Redact sensitive data like emails and SSNs in requests while maintaining flexible database connectivity options. Built on the Serverless Framework, it offers a secure and efficient way to protect user data in modern applications.

Description

AgentShield Proxy is a lightweight and secure PII-safe proxy for AWS infrastructure, built on API Gateway and Lambda using the Serverless Framework. Its primary purpose is to safeguard personally identifiable information (PII) by redacting sensitive data such as emails and social security numbers (SSNs) within request bodies. The tool also offers an optional feature for validating connectivity to a PostgreSQL database.

Key Features

  • PII Redaction: Automatically replaces sensitive information:
    • Emails are redacted as [REDACTED_EMAIL]
    • SSNs are redacted as [REDACTED_SSN]
  • Database Connectivity Check: Executes a simple database query using psycopg2 when the PG_DSN environment variable is configured.
  • Secure API Access: Requires an API key for production environments, ensuring controlled access through API Gateway's usage plans.
  • Efficient Bundles: Dependencies are managed within an AWS Lambda Layer, ensuring that the main function remains lightweight.
  • Admin Operation Protection: Automatically blocks deletion requests to administrative endpoints for enhanced security.

Example Usage

A sample request to the proxy can be made using cURL:

curl -X POST "https://your-api.execute-api.us-east-2.amazonaws.com/dev/proxy/test" \
  -H "Content-Type: application/json" \
  -H "X-Agent-ID: test-agent" \
  -H "x-api-key: YOUR_API_KEY" \
  -d '{"email": "user@example.com", "ssn": "123-45-6789", "name": "John Doe"}'

An expected response will show the processed data:

{
  "status": "processed",
  "agent_id": "test-agent", 
  "redacted": true,
  "body": {
    "email": "[REDACTED_EMAIL]",
    "ssn": "[REDACTED_SSN]",
    "name": "John Doe"
  }
}
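
The redaction and admin-block behaviour shown in the request and response above, as an added Python example that is not AgentShield's own code. The regular expressions, the `redact` and `handle` names, and the 403 response for blocked requests are assumptions.

```python
import json
import re

# Assumed patterns; the project's real expressions are not shown on the page.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def redact(value):
    """Return (copy of value with PII replaced, True if anything changed)."""
    if isinstance(value, str):
        out = SSN_RE.sub("[REDACTED_SSN]", EMAIL_RE.sub("[REDACTED_EMAIL]", value))
        return out, out != value
    if isinstance(value, dict):
        pairs = {k: redact(v) for k, v in value.items()}
        return {k: v for k, (v, _) in pairs.items()}, any(c for _, c in pairs.values())
    if isinstance(value, list):
        items = [redact(v) for v in value]
        return [v for v, _ in items], any(c for _, c in items)
    return value, False  # numbers, booleans and null pass through unchanged


def handle(method, path, headers, raw_body):
    """Hypothetical handler: returns (HTTP status, response dict)."""
    # Guard first, so a blocked request is never parsed or forwarded.
    if method.upper() == "DELETE" and path.startswith("/proxy/admin/"):
        return 403, {"status": "blocked"}  # status code and body are assumptions
    # API Gateway may deliver header names in any case.
    agent_id = {k.lower(): v for k, v in headers.items()}.get("x-agent-id", "unknown")
    try:
        body = json.loads(raw_body)
    except (TypeError, ValueError):
        body = raw_body or ""  # not JSON: still redact it as plain text
    clean, changed = redact(body)
    return 200, {"status": "processed", "agent_id": agent_id,
                 "redacted": changed, "body": clean}


if __name__ == "__main__":
    # Constructed sample request mirroring the cURL call above.
    sample = '{"email": "user@example.com", "ssn": "123-45-6789", "name": "John Doe"}'
    print(json.dumps(handle("POST", "/proxy/test", {"X-Agent-ID": "test-agent"}, sample), indent=2))
```

These patterns only cover string values: PII in dictionary keys, SSNs written without dashes, and SSNs stored as integers pass through unredacted.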

Architecture Overview

The architecture comprises:

  • API Gateway forwarding requests to a Lambda Function which handles:
    • PII redaction
    • Security guards for operation protection
    • Optional health checks for PostgreSQL
  • API key validation and CORS policy management.

Configuration Requirements

AgentShield reads its configuration from environment variables:

  • PG_DSN: PostgreSQL connection string (secured via AWS SSM)

Available API endpoints include:

  • POST /proxy/test: The primary proxy endpoint with an optional database check.
  • DELETE /proxy/admin/drop: A blocked endpoint for security demonstration.

Contribution Guidelines

Contributions are welcomed. Steps include: forking the repository, creating a feature branch, committing changes, pushing to the branch, and submitting a Pull Request.

Community Engagement

Feedback is encouraged through issues or discussions on GitHub. Users are also invited to share their experiences on social media with the tag #AgentShield.
