How to protect automated scripts with Rex: complete guide

Introduction to Rex: Security and Authorization for Scripts

Rex, an acronym for Trusted Remote Execution, is an open-source runtime developed by Amazon that enhances script security through the application of authorization policies before performing system operations. This tool is particularly useful for system administrators and developers who need granular control over the actions performed by scripts, ensuring that these operations are authorized and secure.

The project addresses a common issue in automation: often, scripts inherit the permissions of the execution environment, which can lead to security risks. For example, a script designed to read a log file might accidentally modify or delete files if permissions allow it. Rex separates the script's intentional actions from the permissions granted by the host system user, thereby reducing security risks.

Rex is particularly relevant for AI agents, where scripts can be dynamically generated without human review of every system call. Issues such as hallucinated code, prompt injection, or overly broad task interpretations can be mitigated thanks to Rex's ability to deny any operation not authorized by the policy.

Using Cedar, Amazon's policy language, Rex defines script access. Policies can allow or deny actions such as opening files, reading directories, writing data, resolving host names, and other operations. Scripts do not have direct access to the host system; all operations are mediated through Rust-based APIs provided by the runtime.

Rex is available for Linux and macOS and can be installed using Rust's Cargo package manager with the command cargo install rex-runner. The project is published under the Apache 2.0 license and the source code is publicly available on GitHub.

Prerequisites

• Operating System: Linux or macOS
• Rust and Cargo: Rust and its package manager Cargo must be installed. You can install them by following the official guide at https://www.rust-lang.org/tools/install
• Access to a Terminal: A terminal must be available to run the necessary commands

Procedure: Installing and Using Rex

By the end of this guide, you will be able to install and use Rex to run Rhai scripts with permissions controlled by Cedar policies.

• Run the command to install rex-runner using Cargo:

cargo install rex-runner

• Create a Cedar policy file. For example, create a file named policy.cedar with the following content:

 // Cedar policy example permission allow if true; action FileOperations::Read; action FileOperations::Write; action FileOperations::Create; resource "file:/tmp/example.txt"; allow FileOperations::Read, FileOperations::Write, FileOperations::Create, resource;

 // Rhai script example let file = openfile("/tmp/example.txt", "w"); writefile(file, "Hello, Rex!"); close_file(file);

• Run the script using rex-runner with the defined policy:

rex-runner --policy policy.cedar script.rhai

• Verify that the operation is performed correctly if the policy allows it. Otherwise, receive an authorization error.

Verification and Troubleshooting

By the end of this section, you will be able to test Rex's correct operation and resolve any authorization issues.

Functionality Test

• Run a test script: Create a simple Rhai script that attempts to perform an operation allowed by your Cedar policy, such as reading a file.
• Check the output: Run the script using rex-runner and ensure the operation is performed correctly.
• Test a non-permitted operation: Modify the script to attempt an operation not permitted by the policy, such as writing to a file. Ensure Rex blocks the operation and returns an authorization error.

Troubleshooting

• Authorization Error: If a script is blocked despite it being allowed, verify the Cedar policy to ensure the rules are correct.
• Installation Issues: If cargo install rex-runner fails, ensure you have the latest version of Rust and Cargo installed on your system.
• System Compatibility: Rex is only supported on Linux and macOS. If you are using another operating system, you will not be able to run Rex.

Educational Summary and Practical Invitation

By the end of this guide, you will have understood how to use Rex to securely run Rhai scripts, applying Cedar authorization policies. Now you are ready to put these knowledge into practice to improve the security of your automated scripts.

• Review Key Concepts: Rex separates the intentional actions of scripts from the permissions granted by the execution environment.
• Explore Cedar Policies: Define specific policies to control the operations allowed for scripts.
• Install and Configure Rex: Use the command cargo install rex-runner to install Rex and start running Rhai scripts securely.
• Test Your Policies: Create Rhai scripts and verify how Rex blocks unauthorized operations.

For more details, consult the official project documentation.