Streamline Amazon EC2 compliance management with Amazon Bedrock agents and AWS Config
Anand Bukkapatnam Tirumala, Amazon Web Services
Summary
This pattern describes how to integrate Amazon Bedrock with AWS Config rules to manage compliance for Amazon Elastic Compute Cloud (Amazon EC2) instances. A generative AI agent provides tailored recommendations that are aligned with the AWS Well-Architected Framework, so that instance types are selected appropriately and the system runs efficiently. Key features of this pattern include:
Automated compliance monitoring: AWS Config rules continuously assess EC2 instances against predefined criteria for desired instance types.
AI-driven recommendations: The generative AI models in Amazon Bedrock analyze infrastructure patterns. These models provide intelligent suggestions for improvements based on best practices that are outlined in the AWS Well-Architected Framework.
Remediation: Amazon Bedrock action groups enable automated remediation steps to swiftly address non-compliant instances and minimize potential performance or cost inefficiencies.
Scalability and adaptability: The solution is designed to scale with your infrastructure and adapt to your evolving cloud architecture needs.
Enhanced security recommendations: Compliance with AWS Well-Architected principles contributes to improved security posture and system performance.
You can use this pattern as a blueprint to deploy your own generative AI-based infrastructure into multiple environments with minimal changes, using DevOps practices as necessary.
Prerequisites and limitations
Prerequisites
An active AWS account.
An AWS Identity and Access Management (IAM) role with permissions to create and manage resources in Amazon Simple Storage Service (Amazon S3) buckets, AWS Config, AWS Lambda functions, Amazon Bedrock, IAM, Amazon CloudWatch Logs, and Amazon EC2.
An EC2 instance to flag as non-compliant. Do not use the t2.small type for this instance: the desired-instance-type rule that this pattern deploys evaluates t2.small as the compliant type, so an instance of that type would not be flagged.
Amazon Titan Text Embeddings V2 and Anthropic Claude 3 Haiku models enabled in your AWS account. To enable model access in the AWS Region where you deploy the solution, see Add or remove access to Amazon Bedrock foundation models in the Amazon Bedrock documentation.
Terraform, installed and configured.
The AWS Command Line Interface (AWS CLI) v2, installed and configured in the deployment environment.
Completed review of the Amazon Responsible AI policy.
Limitations
Some AWS services aren't available in all AWS Regions. For Region availability, see AWS services by Region. For specific endpoints, see Service endpoints and quotas, and choose the link for the service.
This solution has been tested with the Amazon Titan Text Embeddings V2 and Anthropic Claude 3 Haiku models. To use other models, customize the Terraform code, which is parameterized for this purpose.
This solution does not include a chat history feature; the conversation is not stored.
Architecture
The following diagram shows the workflow and architecture components for this pattern.

The workflow consists of these steps:
The user interacts with the model through the Amazon Bedrock chat console. The user asks questions such as:
What can you help me with?
List non-compliant resources
Suggest security best practices
If the agent can answer the prompt from the foundation model's own knowledge (for example, a general question about best practices), it responds directly. Otherwise, it routes the prompt to the Amazon Bedrock action group.
The action group invokes the Lambda function. Service communication uses interface VPC endpoints (AWS PrivateLink), so the request reaches the Lambda function through the VPC endpoints for Amazon Bedrock services rather than over the public internet.
The Lambda function is the primary execution engine. Based on the request, it calls the relevant AWS service APIs to perform the requested actions, and it handles operation routing and execution.
The Lambda function calls AWS Config to determine the non-compliant resources (the non-compliant EC2 instance that you created as a prerequisite).
AWS Config flags the non-compliant resource. This pattern deploys the AWS Config desired-instance-type managed rule, which evaluates each EC2 instance against the configured desired instance type.
The agent asks the user whether to pause (stop) or remediate the instance, and the Lambda function takes the chosen action on the EC2 instance. The function's return payload is structured so that Amazon Bedrock can interpret it.
The user receives a response on the Amazon Bedrock chat console.
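The workflow steps above come together in the Lambda function behind the action group. The following is an added example (not code from the pattern's repository) of such a handler: it pages through AWS Config's GetComplianceDetailsByConfigRule results, refuses to stop or resize any instance that AWS Config has not actually flagged (so an instance ID that is mistyped or prompt-injected into the chat cannot drive an EC2 API call), and returns the payload shape a Bedrock agent expects. The rule name desired-instance-type, the desired type t2.small, the function names listNonCompliantResources, stopInstance and remediateInstance, the function-details action-group schema, and the meaning of "remediate" as resizing to the desired type are assumptions for this example, as are the instance IDs in the fake clients.

```python
"""Action-group Lambda for the compliance agent: ask AWS Config, then act on EC2.

Added example for this pattern, not the pattern's repository code. Assumed, not
stated on the page: function-details action-group schema; rule name
"desired-instance-type" with desired type t2.small; "remediate" = resize to it.
"""
import json

CONFIG_RULE_NAME = "desired-instance-type"  # assumed rule name
DESIRED_INSTANCE_TYPE = "t2.small"          # type the rule evaluates as compliant

def list_non_compliant_instances(config_client, rule_name=CONFIG_RULE_NAME):
    """Return EC2 instance IDs that AWS Config marks NON_COMPLIANT for the rule."""
    ids = []
    kwargs = {"ConfigRuleName": rule_name, "ComplianceTypes": ["NON_COMPLIANT"]}
    while True:  # GetComplianceDetailsByConfigRule paginates with NextToken
        page = config_client.get_compliance_details_by_config_rule(**kwargs)
        for result in page.get("EvaluationResults", []):
            qualifier = result["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
            if qualifier["ResourceType"] == "AWS::EC2::Instance":
                ids.append(qualifier["ResourceId"])
        if not page.get("NextToken"):
            return ids
        kwargs["NextToken"] = page["NextToken"]

def stop_instance(ec2_client, config_client, instance_id):
    """Stop an instance, but only one that AWS Config currently flags."""
    # AWS Config is the authority: an instance ID typed or prompt-injected into
    # the chat never reaches ec2:StopInstances unless the rule actually flagged it.
    if instance_id not in list_non_compliant_instances(config_client):
        raise PermissionError(f"{instance_id} is not flagged by {CONFIG_RULE_NAME}")
    ec2_client.stop_instances(InstanceIds=[instance_id])
    return {"instanceId": instance_id, "action": "stopped"}

def remediate_instance(ec2_client, config_client, instance_id):
    """Resize to the desired type; ModifyInstanceAttribute needs a stopped instance."""
    stop_instance(ec2_client, config_client, instance_id)
    ec2_client.get_waiter("instance_stopped").wait(InstanceIds=[instance_id])
    ec2_client.modify_instance_attribute(
        InstanceId=instance_id, InstanceType={"Value": DESIRED_INSTANCE_TYPE}
    )
    return {"instanceId": instance_id, "action": "resized", "newType": DESIRED_INSTANCE_TYPE}

def lambda_handler(event, context=None, config_client=None, ec2_client=None):
    """Entry point the Bedrock agent invokes. Clients are injectable for offline tests."""
    if config_client is None or ec2_client is None:
        import boto3  # real clients only inside Lambda; tests pass the fakes below
        config_client = config_client or boto3.client("config")
        ec2_client = ec2_client or boto3.client("ec2")
    function = event.get("function")
    params = {p["name"]: p["value"] for p in event.get("parameters", [])}
    try:
        if function == "listNonCompliantResources":
            body = {"nonCompliantInstances": list_non_compliant_instances(config_client)}
        elif function == "stopInstance":
            body = stop_instance(ec2_client, config_client, params.get("instanceId", ""))
        elif function == "remediateInstance":
            body = remediate_instance(ec2_client, config_client, params.get("instanceId", ""))
        else:
            body = {"error": f"unknown function {function!r}"}
    except PermissionError as exc:
        body = {"error": str(exc)}  # surfaced to the user; nothing was changed
    return {  # response shape for a function-details action group
        "messageVersion": "1.0",
        "response": {
            "actionGroup": event.get("actionGroup"),
            "function": function,
            "functionResponse": {"responseBody": {"TEXT": {"body": json.dumps(body)}}},
        },
    }

# ---- Constructed fakes with made-up instance IDs so the handler runs offline ----
def _result(instance_id):
    qualifier = {"ConfigRuleName": CONFIG_RULE_NAME,
                 "ResourceType": "AWS::EC2::Instance", "ResourceId": instance_id}
    return {"EvaluationResultIdentifier": {"EvaluationResultQualifier": qualifier},
            "ComplianceType": "NON_COMPLIANT"}

class FakeConfigClient:
    pages = {  # two pages, to exercise NextToken handling
        None: {"EvaluationResults": [_result("i-0aaaaaaaaaaaaaaa1")], "NextToken": "p2"},
        "p2": {"EvaluationResults": [_result("i-0bbbbbbbbbbbbbbb2")]},
    }
    def get_compliance_details_by_config_rule(self, **kwargs):
        return self.pages[kwargs.get("NextToken")]

class FakeEc2Client:
    def __init__(self):
        self.calls = []  # records every mutating call, in order
    def stop_instances(self, InstanceIds):
        self.calls.append(("stop", InstanceIds))
    def modify_instance_attribute(self, InstanceId, InstanceType):
        self.calls.append(("modify", InstanceId, InstanceType["Value"]))
    def get_waiter(self, name):
        return type("Waiter", (), {"wait": lambda self, **kw: None})()
```

The execution role for this handler needs only config:GetComplianceDetailsByConfigRule, ec2:StopInstances and ec2:ModifyInstanceAttribute (plus CloudWatch Logs for its own logging), which is the concrete form the least-privilege best practice takes for this pattern; the agent's action group must declare the three function names used here. Because the check against AWS Config runs inside the function, it holds even if the agent's prompt is manipulated.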
Automation and scale
This solution uses Terraform as an infrastructure as code (IaC) tool to enable easy deployment to AWS accounts and to function as a standalone utility across multiple accounts. This approach simplifies management and improves consistency in deployments.
Tools
AWS services
AWS Config enables you to assess, audit, and evaluate the configurations of your AWS resources for compliance and desired settings.
Amazon Bedrock is a fully managed AI service that provides access to many high-performing foundation models through a unified API.
AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them.
AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.
Other tools
Terraform is an infrastructure as code (IaC) tool from HashiCorp that you use to define and provision the resources for this pattern.
Code repository
The code for this pattern is available in the GitHub repository sample-awsconfig-bedrock-compliance-manager.
Best practices
Follow the principle of least privilege and grant the minimum permissions required to perform a task. For more information, see Grant least privilege and Security best practices and use cases in the IAM documentation.
Monitor Lambda execution logs regularly. For more information, see Monitoring, debugging, and troubleshooting Lambda functions and Best practices for working with AWS Lambda functions in the Lambda documentation.
Epics
Task | Description | Skills required |
---|---|---|
Clone the repository. | To clone the repository for this pattern, use the following command: | AWS DevOps, Build lead, DevOps engineer, Cloud administrator |
Edit the environment variables. | In the root directory of the cloned repository on your local machine, edit the | AWS systems administrator, AWS DevOps, DevOps engineer, AWS administrator |
Create the infrastructure. | | AWS DevOps, DevOps engineer, AWS systems administrator, Cloud administrator |
Task | Description | Skills required |
---|---|---|
Chat with the agent. | Deploying the solution in the previous step deploys To use the agent: | AWS DevOps, DevOps engineer, AWS systems administrator, Cloud administrator |
Task | Description | Skills required |
---|---|---|
Delete the infrastructure and resources. | When you've completed your work with this solution, you can delete the infrastructure created by this pattern by running the command: | AWS DevOps, DevOps engineer, AWS systems administrator, Cloud administrator |
Troubleshooting
Issue | Solution |
---|---|
Agent behavior issues | For troubleshooting information, see Test and troubleshoot agent behavior in the Amazon Bedrock documentation. |
AWS Lambda network issues | For more information, see Troubleshoot networking issues in Lambda in the Lambda documentation. |
IAM permissions | For more information, see Troubleshoot IAM in the IAM documentation. |
Related resources
Use action groups to define actions for your agent to perform (Amazon Bedrock documentation)
desired-instance-type rule (AWS Config documentation)
How AWS Config works (AWS Config documentation)