Agents that manage cloud infrastructure can rack up real cost in one tool call. Paybond's aws preset gives you a reviewed starting policy: side-effecting EC2 operations are capped, read-only describe calls pass through, and default_deny: true blocks anything not registered.
Presets are starting points
paybond policy init --preset aws writes an editable local paybond.policy.yaml. Raise caps, add RDS or Lambda tools, and commit the file — bundled YAML is not an immutable contract.
Try it
terminal
paybond login
paybond agent sandbox smoke \
  --preset aws \
  --operation aws.ec2.start_instance \
  --requested-spend-cents 5000 \
  --evidence-preset cost_and_completion \
  --result-body '{"status":"completed","cost_cents":5000,"instance_id":"i-smoke"}' \
  --format table
Scaffold the aws preset
terminal
paybond policy init --preset aws --out paybond.policy.yaml
paybond policy presets show aws
paybond policy validate-tools --file paybond.policy.yaml --local-only
Optional: raise the budget when scaffolding:
terminal
paybond policy init --preset aws --max-spend 1000 --out paybond.policy.yaml
Bundled defaults include:
| Tool | Side effecting | Cap |
|---|---|---|
| aws.ec2.start_instance | Yes | $500 per call / $500 intent budget |
| aws.ec2.describe_instances | No | — |
Wire middleware
Use the preset inline or from the scaffolded file:
paybond-session.ts
import { Paybond } from "@paybond/kit";

const paybond = await Paybond.open({ apiKey: process.env.PAYBOND_API_KEY! });
const instrumented = await paybond.instrument({
  policy: "aws", // or "./paybond.policy.yaml"
  tools: {
    "aws.ec2.start_instance": startInstance,
    "aws.ec2.describe_instances": describeInstances,
  },
});
Sandbox quickstart:
terminal
paybond init --solution aws --max-spend-usd 500 --framework generic --non-interactive
Extend for your operator catalog
Add tools to the policy file and registry together — CI catches drift:
tools:
  aws.rds.start_instance:
    side_effecting: true
    max_spend_cents: 100000
    evidence_preset: cost_and_completion
Re-run paybond policy validate-tools --file paybond.policy.yaml --remote after paybond login to catch Harbor template head drift.
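A local pre-commit check for the cap and drift rules above, as an added example that is not Paybond's code. It takes the policy as an already-parsed object using the field names from the YAML on this page; the `Policy` type, `lintPolicy`, the sample data and the `aws.lambda.invoke` tool name are assumptions.

```typescript
// Added example, not Paybond's code. Field names follow the YAML on this page;
// the Policy type and lintPolicy() are hypothetical.
type ToolRule = { side_effecting: boolean; max_spend_cents?: number; evidence_preset?: string };
type Policy = { default_deny?: boolean; tools: { [name: string]: ToolRule } };

function has(obj: object, key: string): boolean {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

function lintPolicy(policy: Policy, registered: string[]): string[] {
  const findings: string[] = [];
  if (policy.default_deny !== true) {
    findings.push("default_deny must be true to block unregistered tools");
  }
  const policyTools = Object.keys(policy.tools);
  for (const name of policyTools) {
    const rule = policy.tools[name];
    if (!rule.side_effecting) continue; // read-only tools carry no cap
    const cap = rule.max_spend_cents;
    if (typeof cap !== "number" || Math.floor(cap) !== cap || cap <= 0) {
      findings.push(name + ": side-effecting tool has no positive max_spend_cents");
    }
    if (!rule.evidence_preset) {
      findings.push(name + ": side-effecting tool has no evidence_preset");
    }
  }
  // Drift in either direction between the policy file and the tool registry.
  for (const name of registered) {
    if (!has(policy.tools, name)) findings.push(name + ": registered but missing from policy");
  }
  for (const name of policyTools) {
    if (registered.indexOf(name) === -1) findings.push(name + ": in policy but not registered");
  }
  return findings;
}

// Constructed sample: the two bundled tools plus an RDS entry whose cap was left out.
const samplePolicy: Policy = {
  default_deny: true,
  tools: {
    "aws.ec2.start_instance": { side_effecting: true, max_spend_cents: 50000, evidence_preset: "cost_and_completion" },
    "aws.ec2.describe_instances": { side_effecting: false },
    "aws.rds.start_instance": { side_effecting: true, evidence_preset: "cost_and_completion" },
  },
};
// Constructed registry: aws.lambda.invoke is a hypothetical tool name.
const sampleRegistry = ["aws.ec2.start_instance", "aws.ec2.describe_instances", "aws.lambda.invoke"];
console.log(lintPolicy(samplePolicy, sampleRegistry).join("\n"));
```

This only inspects the local file's shape; it does not replace `paybond policy validate-tools`.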
Related guides
- Agent policy-as-code — compose domain + guardrails
- Agent-agnostic spend controls — generic tool wiring
- Agent middleware — production bind and lazy context
Developer reference: /docs/kit/agent-policy.