Building multi-tenant agents with Amazon Bedrock AgentCore

This article explores architectural design considerations for building production-ready multi-tenant agentic applications using Amazon Bedrock AgentCore, covering ten key components and three deployment patterns.

• Agent runtime deployment: session-isolated microVMs provide tenant isolation without full VM overhead
• Model selection: shared, tier-specific, or fine-tuned models balance cost, performance, and customization
• Workflows: silo, pool, and bridge patterns manage tenant-specific business logic and processes
• Multi-tenant RAG: dedicated or shared vector databases with metadata-based tenant filtering
• Tenant context: JWT tokens encode security, tenant, and request context for secure propagation
• Act-on-behalf pattern: recommended over impersonation for least-privilege agent authorization
• Fine-grained access control: policies, tool interceptors, and ABAC enforce tenant isolation
• Memory: hierarchical namespace isolation across global, strategy, tenant, user, and session levels
• Agent identity and discovery: AgentCore Identity, Agent Registry, and ANS v2 framework
• Cost tracking and observability: tenant-tagged metrics and OpenTelemetry integration for attribution
• Guardrails: pre/post-processing safety controls prevent prompt injection and data leakage
• Silo model: dedicated resources per tenant maximize isolation for compliance-sensitive workloads
• Pool model: shared resources across tenants optimize cost and efficiency for many small tenants
• Bridge model: hybrid approach combines siloed and pooled components at different architectural layers

AgentCore provides integrated Runtime, Gateway, Memory, Identity, and Observability components enabling secure, scalable multi-tenant agent architectures without reinventing foundational infrastructure.