Amazon’s New Open-Source Rex Project Controls What Scripts Can Do

Amazon has launched Rex, an Apache 2.0-licensed runtime that enforces policy-based access controls for script execution on host systems.

Amazon has released Rex, an open-source runtime that enhances script security by enforcing authorization policies before allowing system operations.

Rex, short for Trusted Remote Execution, pairs scripts with Cedar policies and checks each operation against these policies at runtime. Scripts are written in Rhai, a lightweight language without built-in system access. Host access is only available through Rex-provided operations, each requiring authorization before execution.

The main idea behind the project is simple: to address a common automation problem, in which scripts inherit the permissions of the environment they run in. For example, a script intended to inspect a log file may also be able to modify or delete files if the context permits it. Rex separates the script’s intended actions from the permissions granted by the host owner.

Amazon notes that this is especially important for AI agents, where scripts may be generated dynamically without human review of each system call. Issues can arise from hallucinated code, prompt injection, or overly broad task interpretation. Rex denies any operation not permitted by the policy.

Under the hood, Rex uses Cedar, Amazon’s policy language, to define script access. Policies can allow or deny actions such as opening files, reading directories, writing data, resolving hostnames, or performing other operations. Scripts do not have direct host access; all operations are mediated through Rust-based APIs provided by the runtime.

According to the project’s GitHub repository, Rex is a sandboxed Rhai script execution engine that applies Cedar authorization to every system operation. It controls file I/O, network access, process management, and system queries through fine-grained authorization checks. Rex also uses file descriptors instead of paths when possible, so that an operation acts on the file that was authorized rather than on whatever a path resolves to later, reducing symlink-following and time-of-check/time-of-use race risks.

Administrators define a Cedar policy and execute Rhai scripts using rex-runner. If a script attempts an operation not permitted by the policy, Rex blocks it and returns an authorization error. For example, if a script tries to create and write a file while the policy only allows reading, the write attempt will fail until the policy is updated.
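The scenario above (a policy that permits reading a log file but not writing it) can be illustrated with a small Rust model of the pattern Rex applies: the script never touches the host directly, every operation goes through a gateway that authorizes it first, and the authorized file is then handled through an open file handle rather than its path. This is an added example written for this article, not code from the Rex project; the action names, the rule format and the prefix-based resource matching are this example's own assumptions and do not reproduce Rex's Cedar entity model or Rhai API. The evaluation rule (a matching forbid wins, otherwise a matching permit is required, and everything else is denied) follows Cedar's general semantics.

```rust
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::path::{Path, PathBuf};

/// Operations a script may request. Names are this example's own, not Rex's vocabulary.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action {
    ReadFile,
    WriteFile,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Effect {
    Permit,
    Forbid,
}

/// One rule: `effect` applies to `action` on any resource under `resource_prefix`.
pub struct Rule {
    pub effect: Effect,
    pub action: Action,
    pub resource_prefix: PathBuf,
}

pub struct Policy {
    pub rules: Vec<Rule>,
}

impl Policy {
    /// Default deny; a matching forbid overrides any permit (Cedar-style combination).
    pub fn is_authorized(&self, action: Action, resource: &Path) -> bool {
        let matches = |r: &Rule| r.action == action && resource.starts_with(&r.resource_prefix);
        if self.rules.iter().any(|r| r.effect == Effect::Forbid && matches(r)) {
            return false;
        }
        self.rules.iter().any(|r| r.effect == Effect::Permit && matches(r))
    }
}

#[derive(Debug)]
pub enum GatewayError {
    Unauthorized { action: Action, resource: PathBuf },
    Io(io::Error),
}

impl From<io::Error> for GatewayError {
    fn from(e: io::Error) -> Self {
        GatewayError::Io(e)
    }
}

/// The only door from the script to the host: authorize first, then operate on an open handle.
pub struct Gateway<'a> {
    policy: &'a Policy,
}

impl<'a> Gateway<'a> {
    pub fn new(policy: &'a Policy) -> Self {
        Gateway { policy }
    }

    /// Resolve symlinks and `..` so the policy is evaluated against the real location.
    fn resolve(path: &Path) -> io::Result<PathBuf> {
        if path.exists() {
            return fs::canonicalize(path);
        }
        // File does not exist yet: canonicalize the parent and re-append the file name.
        let parent = path.parent().unwrap_or_else(|| Path::new("."));
        let name = path
            .file_name()
            .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidInput, "no file name"))?;
        Ok(fs::canonicalize(parent)?.join(name))
    }

    fn authorize(&self, action: Action, path: &Path) -> Result<PathBuf, GatewayError> {
        let resource = Self::resolve(path)?;
        if self.policy.is_authorized(action, &resource) {
            Ok(resource)
        } else {
            Err(GatewayError::Unauthorized { action, resource })
        }
    }

    pub fn read_file(&self, path: &Path) -> Result<String, GatewayError> {
        let resource = self.authorize(Action::ReadFile, path)?;
        // Narrowest mode; every subsequent read goes through this handle, not the path.
        let mut file = File::open(&resource)?;
        let mut contents = String::new();
        file.read_to_string(&mut contents)?;
        Ok(contents)
    }

    pub fn write_file(&self, path: &Path, data: &str) -> Result<(), GatewayError> {
        let resource = self.authorize(Action::WriteFile, path)?;
        let mut file = OpenOptions::new().write(true).create(true).truncate(true).open(&resource)?;
        file.write_all(data.as_bytes())?;
        Ok(())
    }
}

/// The article's scenario: the script may read the log but not write it.
/// Returns (read succeeded, write was denied by policy).
pub fn demo_read_only_logs() -> Result<(bool, bool), GatewayError> {
    let dir = std::env::temp_dir().join(format!("rex-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    // Host-side setup outside the gateway: a constructed sample log file.
    fs::write(dir.join("app.log"), "INFO service started\n")?;
    let dir = fs::canonicalize(&dir)?;
    let policy = Policy {
        rules: vec![Rule { effect: Effect::Permit, action: Action::ReadFile, resource_prefix: dir.clone() }],
    };
    let gw = Gateway::new(&policy);
    let read_ok = gw.read_file(&dir.join("app.log"))?.contains("service started");
    let write_denied = matches!(
        gw.write_file(&dir.join("app.log"), "tampered"),
        Err(GatewayError::Unauthorized { .. })
    );
    let _ = fs::remove_dir_all(&dir);
    Ok((read_ok, write_denied))
}

fn main() {
    match demo_read_only_logs() {
        Ok((r, w)) => println!("read allowed: {}, write denied: {}", r, w),
        Err(e) => eprintln!("error: {:?}", e),
    }
}
```

The point to take from the model is where the check sits: the script's only handle on the host is the gateway, so a write the policy never granted fails before any file is opened, and granting it means editing the policy rather than the script. Canonicalizing before the check, and then reading through the opened handle, is the simplified counterpart of the file-descriptor approach the repository describes.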

Rex is available for Linux and macOS and can be installed using Rust’s Cargo package manager with cargo install rex-runner. The project is licensed under Apache 2.0 and developed publicly on GitHub.

For more details, refer to the project’s documentation.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.