Automate AWS infrastructure operations by using Amazon Bedrock
Ishwar Chauthaiwale and Anand Bukkapatnam Tirumala, Amazon Web Services
Summary
In cloud native solutions, automating common infrastructure operations plays a vital role in maintaining efficient, secure, and cost-effective environments. Handling these operations manually is time-consuming and prone to human error. Additionally, team members with varying levels of AWS expertise need to perform these tasks while complying with security protocols. This pattern demonstrates how to use Amazon Bedrock to automate common AWS infrastructure operations through natural language processing (NLP).
This pattern can help organizations to develop reusable, modular, and secure code for deploying generative AI-based infrastructure across multiple environments. Through its focus on infrastructure as code (IaC) and automation, it delivers key DevOps benefits including version control, consistent deployments, reduced errors, faster provisioning, and improved collaboration.
The pattern implements a secure architecture that enables teams to manage operations related to key AWS services including:
- Amazon Simple Storage Service (Amazon S3) bucket versioning management 
- Amazon Relational Database Service (Amazon RDS) snapshot creation 
- Amazon Elastic Compute Cloud (Amazon EC2) instance management 
The architecture employs Amazon Virtual Private Cloud (Amazon VPC) endpoints and private networking for secure communication, with AWS Lambda functions operating as task executors within private subnets. Amazon S3 provides data storage, and comprehensive AWS Identity and Access Management (IAM) roles and permissions enforce proper access controls. This solution doesn't include a chat history feature, and the chat isn't stored.
Prerequisites and limitations
- An active AWS account. 
- Proper access control measures should be in place to help secure and control access. Examples of access control include using AWS Systems Manager, foundation models access, an IAM role for deployment, and service-based roles, disabling public access to Amazon S3 buckets, and setting up a dead-letter queue. 
- An AWS Key Management Service (AWS KMS) customer managed key. 
- AWS Command Line Interface (AWS CLI) version 2 or later, installed and configured on the deployment environment. 
- Terraform AWS Provider version 4 or later, installed and configured. 
- Terraform version 1.5.7 or later, installed and configured. 
- Review and define OpenAPI schemas for your agent's action groups in Amazon Bedrock to help protect against unauthorized access and maintain data integrity. 
- Access enabled in your AWS account for the required Amazon Titan Text Embeddings v2 and either the Claude 3.5 Sonnet or Claude 3 Haiku foundation models. To avoid deployment failure, confirm that your target deployment AWS Region supports the required models. 
- A configured virtual private cloud (VPC) that follows the AWS Well-Architected Framework best practices. 
- Completed review of the Amazon Responsible AI policy. 
Product versions
- Amazon Titan Text Embeddings v2 
- Anthropic Claude 3.5 Sonnet or Claude 3 Haiku 
- Terraform AWS Provider version 4 or later 
- Terraform version 1.5.7 or later 
Architecture
The following diagram shows the workflow and architecture components for this pattern.

The solution architecture consists of multiple layers that work together to process natural language requests and execute corresponding AWS operations:
- The user makes operations requests through the Amazon Bedrock chat console. 
- The chatbot uses Amazon Bedrock Knowledge Bases for request processing. It implements the Amazon Titan Text Embeddings v2 model for natural language processing. 
- If the user prompt includes an action request, the Amazon Bedrock action group uses either the Anthropic Claude 3 Haiku or the Claude 3.5 Sonnet model (depending on your choice) for execution logic and defines operations through an OpenAPI schema. 
- The action group reaches the Amazon VPC endpoints using AWS PrivateLink for secure service communication. 
- The AWS Lambda function is reached through Amazon VPC endpoints for Amazon Bedrock services. 
- The Lambda functions are the primary execution engine. Based on the request, the Lambda function calls the API to perform actions on the AWS services. The Lambda function also handles operation routing and execution. 
- The AWS services get the API request from the Lambda function and corresponding operations are performed. 
- The Lambda function computes an output payload that is understood by Amazon Bedrock. 
- This payload is sent to Amazon Bedrock by using PrivateLink for secure service communication. The large language model (LLM) used by Amazon Bedrock interprets this payload and converts it into a human-readable format. 
- The output is then shown to the user on the Amazon Bedrock chat console. 
The solution enables the following primary operations:
- Amazon S3 – Enable bucket versioning for version control. 
- Amazon RDS – Create database snapshots for backup. 
- Amazon EC2 – List instances, and start or stop instances. 
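The two security-relevant steps in the workflow above are the OpenAPI schema that restricts which operations the action group may request, and the Lambda function that routes a request and returns a payload in the shape Amazon Bedrock expects. The following handler is an added example, not code from the aws-samples/infra-ops-orchestrator repository: the API paths, parameter names and the allow-list that stands in for the OpenAPI schema are hypothetical, and the boto3 clients are injected so the routing can be exercised offline with constructed fakes. The event and response envelopes follow the Bedrock agents action-group Lambda contract (apiPath, httpMethod, parameters, requestBody in; messageVersion/response out).

```python
"""Action-group Lambda handler for a Bedrock agent (added example).

Assumptions (not from the original pattern): the apiPath names below, the
parameter names, and the allow-list that mirrors a hypothetical OpenAPI
schema.  boto3 clients are injected so the logic runs without AWS access.
"""
import json


def _params(event):
    """Flatten query parameters and JSON request-body properties into a dict."""
    found = {p["name"]: p["value"] for p in event.get("parameters", [])}
    body = event.get("requestBody", {}).get("content", {})
    for prop in body.get("application/json", {}).get("properties", []):
        found[prop["name"]] = prop["value"]
    return found


def enable_bucket_versioning(clients, p):
    clients["s3"].put_bucket_versioning(
        Bucket=p["bucket"], VersioningConfiguration={"Status": "Enabled"})
    return {"bucket": p["bucket"], "versioning": "Enabled"}


def create_db_snapshot(clients, p):
    resp = clients["rds"].create_db_snapshot(
        DBInstanceIdentifier=p["db_instance"],
        DBSnapshotIdentifier=p["snapshot_id"])
    return {"snapshot": resp["DBSnapshot"]["DBSnapshotIdentifier"]}


def list_instances(clients, p):
    resp = clients["ec2"].describe_instances()
    ids = [i["InstanceId"] for r in resp["Reservations"] for i in r["Instances"]]
    return {"instances": ids}


def start_instance(clients, p):
    clients["ec2"].start_instances(InstanceIds=[p["instance_id"]])
    return {"instance_id": p["instance_id"], "action": "start"}


def stop_instance(clients, p):
    clients["ec2"].stop_instances(InstanceIds=[p["instance_id"]])
    return {"instance_id": p["instance_id"], "action": "stop"}


# Allow-list keyed by (apiPath, httpMethod).  It mirrors the (hypothetical)
# OpenAPI schema registered with the action group: a request for anything
# else is rejected before any AWS API is called, so the model cannot steer
# the function into operations the schema never declared.
OPERATIONS = {
    ("/s3/versioning", "POST"): enable_bucket_versioning,
    ("/rds/snapshot", "POST"): create_db_snapshot,
    ("/ec2/instances", "GET"): list_instances,
    ("/ec2/instances/start", "POST"): start_instance,
    ("/ec2/instances/stop", "POST"): stop_instance,
}


def _response(event, status, body):
    """Wrap a result in the response envelope that Bedrock agents expect."""
    return {
        "messageVersion": "1.0",
        "response": {
            "actionGroup": event.get("actionGroup"),
            "apiPath": event.get("apiPath"),
            "httpMethod": event.get("httpMethod"),
            "httpStatusCode": status,
            "responseBody": {"application/json": {"body": json.dumps(body)}},
        },
    }


def lambda_handler(event, context=None, clients=None):
    """Route one action-group event to exactly one allow-listed operation."""
    if clients is None:
        import boto3  # real clients only when running inside Lambda
        clients = {svc: boto3.client(svc) for svc in ("s3", "rds", "ec2")}
    key = (event.get("apiPath"), event.get("httpMethod"))
    operation = OPERATIONS.get(key)
    if operation is None:
        return _response(event, 403, {"error": f"operation {key} is not permitted"})
    try:
        result = operation(clients, _params(event))
    except KeyError as exc:
        return _response(event, 400, {"error": f"missing parameter {exc}"})
    return _response(event, 200, result)


# Constructed sample event in the shape Bedrock sends to an action group.
SAMPLE_EVENT = {
    "messageVersion": "1.0",
    "actionGroup": "infra-ops",
    "apiPath": "/s3/versioning",
    "httpMethod": "POST",
    "requestBody": {"content": {"application/json": {"properties": [
        {"name": "bucket", "type": "string", "value": "example-bucket"}]}}},
}
```

The allow-list is the enforcement point that makes the OpenAPI schema prerequisite meaningful on the execution side: even if a prompt persuades the model to emit an undeclared path, the function answers 403 and performs no AWS call, and the rejection is visible in the Lambda logs that the best practices section asks you to monitor. Pair it with an execution role limited to the five underlying API actions.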
Tools
AWS services
- Amazon Bedrock is a fully managed service that makes high-performing foundation models (FMs) from leading AI startups and Amazon available for your use through a unified API. 
- AWS Command Line Interface (AWS CLI) is an open source tool that helps you interact with AWS services through commands in your command-line shell. 
- Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the AWS Cloud. You can launch as many virtual servers as you need and quickly scale them up or down. 
- AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them. 
- AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use. 
- Amazon OpenSearch Serverless is an on-demand serverless configuration for Amazon OpenSearch Service. 
- AWS PrivateLink helps you create unidirectional, private connections from your virtual private clouds (VPCs) to services outside of the VPC. 
- Amazon Relational Database Service (Amazon RDS) helps you set up, operate, and scale a relational database in the AWS Cloud. 
- Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data. 
- AWS Systems Manager helps you manage your applications and infrastructure running in the AWS Cloud. It simplifies application and resource management, shortens the time to detect and resolve operational problems, and helps you manage your AWS resources securely at scale. 
- Amazon Virtual Private Cloud (Amazon VPC) helps you launch AWS resources into a virtual network that you’ve defined. This virtual network resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS. 
Other tools
Code repository
The code for this pattern is available in the GitHub repository aws-samples/infra-ops-orchestrator.
Best practices
- Monitor Lambda execution logs regularly. For more information, see Monitoring and troubleshooting Lambda functions. For more information about best practices, see Best practices for working with AWS Lambda functions. 
- Review security configurations periodically to ensure compliance with your organization's requirements. For more information, see Security best practices. 
- Follow the principle of least privilege and grant the minimum permissions required to perform a task. For more information, see Grant least privilege and Security best practices in the IAM documentation. 
Epics
| Task | Description | Skills required | 
|---|---|---|
| Clone the repository. | To clone the repository on your local machine, run the following command: | AWS DevOps, DevOps engineer | 
| Edit the environment variables. | Edit the | AWS DevOps, DevOps engineer | 
| Create the infrastructure. | To create the infrastructure, run the following commands: Review the execution plan carefully. If the planned changes are acceptable, then run the following command: | AWS DevOps, DevOps engineer | 
| Task | Description | Skills required | 
|---|---|---|
| Access the solution. | After successful deployment, follow these steps to use the chat-based interface: | AWS DevOps, DevOps engineer | 
| Task | Description | Skills required | 
|---|---|---|
| Delete the created resources. | To delete all infrastructure created by this pattern, run the following command: Review the destruction plan carefully. If the planned deletions are acceptable, then run the following command: Note: This command will permanently delete all resources created by this pattern. The command will prompt for confirmation before removing any resources. | AWS DevOps, DevOps engineer | 
Troubleshooting
| Issue | Solution | 
|---|---|
| Agent behavior | For information about this issue, see Test and troubleshoot agent behavior in the Amazon Bedrock documentation. | 
| Lambda network issues | For information about these issues, see Troubleshoot networking issues in Lambda in the Lambda documentation. | 
| IAM permissions | For information about these issues, see Troubleshoot IAM in the IAM documentation. |