
Giving AI the Keys: Controlling a Tesla with Amazon Bedrock AgentCore

Author: Alexandre Sauner

Large language models are evolving from passive assistants into systems capable of taking action. With the rise of the Model Context Protocol (MCP) and agent frameworks, it is now possible to connect AI models to real-world systems in a structured and secure way.

As an internal experiment, one of our engineers built a demo that exposes Tesla vehicle controls to AI agents using AWS-native building blocks. The result is a secure, serverless architecture that allows an AI agent to check battery levels, start climate preconditioning, flash lights, or honk the horn through a controlled gateway.

This article provides a high-level overview of how the solution works, the architecture behind it, and how the workflow connects AWS services to a physical vehicle.

The Core Idea

At a high level, the system turns Tesla vehicle operations into MCP-compatible tools. Those tools are exposed to AI agents through Amazon Bedrock AgentCore Gateway, which acts as a managed bridge between language models and backend systems.

Instead of directly wiring a model to an API, the design introduces authentication, network isolation, observability, and controlled execution paths. Because AgentCore is built for production workloads, it provides structured tool invocation, identity enforcement, monitoring, and operational safeguards out of the box. The AI does not talk to the vehicle directly. It calls structured tools exposed through a gateway, and those tools are executed in a tightly controlled AWS environment.

Solution Architecture

[Figure: Tesla Bedrock AgentCore architecture diagram]

The solution is built around five core components:

1. Bedrock AgentCore Gateway

The gateway exposes the MCP server endpoint that AI agents connect to. It acts as the public-facing control layer and ensures that all tool invocations are authenticated and properly routed.

2. AWS Lambda

A Lambda function serves as the execution engine for MCP tool calls. When the AI requests an action, such as retrieving vehicle data or triggering a command, the request is processed here. This layer handles business logic, token management, and API communication.

3. Amazon Cognito

Authentication is handled through Amazon Cognito, which issues JWT tokens. Only authenticated users or AI clients can invoke the MCP endpoint. This prevents anonymous access and ensures that vehicle commands are tightly controlled.

4. Amazon ECS on Fargate

Tesla’s vehicle-command proxy runs in Amazon ECS using Fargate. This proxy handles secure vehicle communication and operates inside a private subnet. It does not have direct public internet exposure.

5. VPC with Private Networking

The system is deployed in a Virtual Private Cloud with public and private subnets. Outbound traffic flows through a NAT gateway, ensuring the vehicle-command proxy remains inaccessible from the public internet while still reaching Tesla’s APIs securely.

Workflow Overview

The workflow can be broken down into a clear sequence:

  1. A user authenticates via Cognito.
  2. An AI agent connects to the Bedrock AgentCore Gateway using MCP.
  3. The agent invokes a specific tool, for example retrieving vehicle state.
  4. The Gateway forwards the call to Lambda.
  5. Lambda:
    • Validates authentication
    • Retrieves required secrets from AWS Secrets Manager
    • Orchestrates the request and forwards vehicle commands to the vehicle-command proxy running on ECS
    • Refreshes Tesla OAuth tokens when required
  6. The vehicle-command proxy:
    • Handles secure communication with the Tesla Fleet API
    • Signs and forwards vehicle commands
    • Returns the response to Lambda
  7. The response flows back through the same path to the AI agent.

This separation ensures:

  • No direct exposure of Tesla credentials
  • No public exposure of the vehicle-command proxy
  • Controlled execution of vehicle actions
  • Automatic token refresh when Tesla OAuth tokens expire
  • Clear separation between Lambda orchestration and the vehicle-command proxy, which handles direct communication with the Tesla Fleet API

Security Model

Security is a foundational aspect of the implementation.

  • All sensitive credentials are stored in AWS Secrets Manager.
  • The vehicle-command proxy runs in a private subnet.
  • TLS encryption is used between Lambda and the proxy.
  • Access to the MCP endpoint requires Cognito-issued JWT tokens.
  • Tesla OAuth tokens are rotated automatically when needed.

Rather than embedding credentials or allowing direct vehicle API access, the system introduces layered trust boundaries. Every interaction must pass authentication and controlled execution logic before reaching the vehicle.
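
The Lambda-side checks described in the workflow and security model can be sketched as follows. This is an added example, not code from the article or the TrackIt repository: it checks the claims of a Cognito access token whose signature is assumed to be verified already, then maps an allowlisted tool name to a vehicle-command proxy path. The issuer, client ID, tool names, scope names and the tool-to-path mapping are assumptions.

```python
import re
import time

# Assumed values for illustration; none of them come from the article or its repository.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
ALLOWED_CLIENTS = {"example-agent-client-id"}
VIN_RE = re.compile(r"[A-HJ-NPR-Z0-9]{17}")  # 17 characters, never I, O or Q

# Hypothetical tool name -> (HTTP method, proxy path template, required scope).
TOOLS = {
    "get_vehicle_data": ("GET", "/api/1/vehicles/{vin}/vehicle_data", "tesla/read"),
    "start_climate": ("POST", "/api/1/vehicles/{vin}/command/auto_conditioning_start", "tesla/command"),
    "flash_lights": ("POST", "/api/1/vehicles/{vin}/command/flash_lights", "tesla/command"),
    "honk_horn": ("POST", "/api/1/vehicles/{vin}/command/honk_horn", "tesla/command"),
}


class Denied(Exception):
    """Raised when a tool call must not reach the vehicle-command proxy."""


def check_claims(claims, now=None):
    """Check claims of a signature-verified Cognito access token; return its scopes."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise Denied("wrong issuer")
    if claims.get("token_use") != "access":  # rejects ID tokens from the same pool
        raise Denied("not an access token")
    if claims.get("client_id") not in ALLOWED_CLIENTS:
        raise Denied("unknown app client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise Denied("token expired")
    return set(str(claims.get("scope", "")).split())


def plan_proxy_request(claims, tool_name, arguments, now=None):
    """Return (method, path) for the proxy call, or raise Denied."""
    scopes = check_claims(claims, now)
    if tool_name not in TOOLS:
        raise Denied("tool not on allowlist")
    method, template, required_scope = TOOLS[tool_name]
    if required_scope not in scopes:
        raise Denied("missing scope " + required_scope)
    if set(arguments) != {"vin"}:
        raise Denied("unexpected or missing arguments")
    vin = arguments["vin"]
    if not isinstance(vin, str) or not VIN_RE.fullmatch(vin):  # blocks path injection
        raise Denied("invalid VIN")
    return method, template.format(vin=vin)
```

Splitting read and command scopes means a client that is only allowed to check the battery level cannot make the agent honk the horn, whatever the model is prompted to do.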

Why This Matters

This demo illustrates how AI agents can move beyond content generation into controlled, real-world actions without compromising security or architectural discipline.

It also demonstrates how AWS Lambda, Amazon ECS, and Amazon Cognito can be combined with Bedrock AgentCore to expose operational systems safely to AI-driven workflows.

While controlling a vehicle is a compelling example, the same pattern applies to:

  • Media processing pipelines
  • Infrastructure automation
  • Internal business systems
  • IoT devices
  • Content publishing workflows

Any system that can be abstracted as structured tools can be exposed to AI agents using a similar architecture.

Implementation Reference

The complete implementation, deployment scripts, and infrastructure templates are available here:

GitHub Repository: https://github.com/trackit/agentcore-gateway-tesla/blob/main/README.md

Conclusion

This project demonstrates how AI agents can securely interact with physical systems using AWS-native components and the MCP standard. By combining Bedrock AgentCore Gateway, serverless compute, containerized services, and identity management, the architecture creates a controlled bridge between language models and real-world operations.