IBM TechXchange AWS Cloud Native User Group

AWS Cloud Native User Group

This group focuses on AWS Cloud Native services. All the discussions, blogs and events will be very specific to AWS Cloud.

 View Only

Automating AWS Infrastructure Creation with Amazon Bedrock Agent

By Reza Beykzadeh posted 6 days ago

  

In today’s fast-paced cloud-native world, automating infrastructure provisioning is essential for efficiency, scalability, and security. AWS Bedrock Agentic enables organizations to automate cloud resource management by processing natural language requests to create, configure, and manage AWS infrastructure. This serverless solution simplifies the process of cloud resource provisioning, enabling teams to scale and manage their environments with minimal effort.

In this blog post, we will explore how AWS Bedrock, in conjunction with Lambda functions and Amazon OpenSearch Serverless, empowers organizations to automate cloud infrastructure tasks. We’ll guide you through using the Bedrock Agentic feature, testing it with user input, and demonstrating how it can be leveraged to manage VPCs, EC2 instances, and other AWS resources dynamically.

Key Components of the Solution

1. Amazon OpenSearch Serverless for Bedrock Knowledge Base

  • Purpose: Enables the Bedrock Agent to reference contextual and historical information by querying a vectorized knowledge base. This enhances the agent's ability to make informed decisions and offer intelligent, context-aware automation.
  • How It Works: Data is ingested into an Amazon S3 bucket and indexed in OpenSearch Serverless using vector embeddings. The Bedrock Agent connects to this collection to retrieve relevant documentation or configuration references during conversations.
  • Execution Role: A dedicated IAM role grants Bedrock permissions to read from S3, access the OpenSearch Serverless collection, and invoke foundation models for embedding and reasoning tasks.

2. Bedrock Agent with Lambda Action Groups

  • Purpose: Enables users to create and manage AWS infrastructure (e.g., VPCs, subnets, EC2 instances, endpoints) by simply interacting with the Bedrock Agent via natural language.
  • How It Works: The Bedrock Agent routes user intents to Lambda-backed action groups. Each Lambda function is responsible for executing a specific AWS operation such as provisioning a VPC or launching an EC2 instance.
  • Dynamic Permissions: The agent's execution role is granted permissions to invoke these Lambda functions securely. The functions themselves are given scoped permissions to manage AWS resources like EC2, VPC, IAM, and SSM—allowing end-to-end automation without manual intervention.

The Benefits of Using Bedrock Agentic Automation

  • Conversational Infrastructure Management: Users can provision, update, or tear down infrastructure by simply typing natural language instructions to the Bedrock Agent—no CLI or console navigation needed.
  • Serverless and Scalable: With Lambda handling backend execution and OpenSearch serving as the agent’s knowledge base, the system remains fully serverless and scales automatically with demand.
  • Secure by Design: IAM policies restrict each function and role to the least privileges necessary, ensuring that automation does not compromise security.
  • Context-Aware Intelligence: Leveraging OpenSearch Serverless, the agent can recall past tasks, read documentation, and make decisions that align with enterprise standards and patterns.

How the Agentic Solution Works

  • User Input: A user types a prompt like “Please create a VPC named CloudOpsVpc with a CIDR of 10.10.0.0/16 in us-gov-west-1” into the Bedrock Agent test console.
  • Intent Matching: The agent matches the request to an action group (e.g., CreateVPC) and invokes the associated Lambda function.
  • Lambda Execution: The function carries out the task—creating the VPC, assigning tags, configuring attributes—and returns a success message to the agent.
  • Knowledge Integration: If additional guidance is needed (e.g., “What’s the best subnet size for a VPC?”), the agent pulls information from the OpenSearch-backed knowledge base to assist.
  • Repeatable Automation: Each step taken by the agent is logged and repeatable, ensuring consistent infrastructure provisioning aligned with cloud best practices.

The diagram below illustrates how AWS Bedrock Agent interprets user requests, consults a vector-based knowledge base via OpenSearch Serverless, and routes the intent to the appropriate Lambda action group. Each Lambda function (Action A, B, C) performs specific tasks—such as provisioning AWS infrastructure, integrating with external APIs, automating workflows, or querying internal databases. This modular and event-driven design allows for a scalable and intelligent automation layer that responds to natural language commands with real-world infrastructure actions.

Key Features Enabled by the Agentic Architecture

  1. OpenSearch-Powered Knowledge Base: The Bedrock Agent uses a vector index for semantically rich answers from documentation, templates, or prior interactions.
  2. Lambda-Based Action Groups: Modular, event-driven functions let the agent perform complex AWS tasks such as network provisioning, EC2 launches, or endpoint setup.
  3. Role-Scoped Security: All roles and permissions are tightly controlled to ensure secure execution across agent, function, and data layers.
  4. Natural Language to Infrastructure: Users don’t need to know CloudFormation, Terraform, or CLI syntax—the agent interprets intent and handles orchestration under the hood.

Deployment Steps

To deploy this infrastructure, follow the steps below:

1. Clone the Repository

Clone the repository containing the CloudFormation templates to your local machine:

git clone https://github.ibm.com/Reza-Beykzadeh/bedrock-agentic-ai.git

cd bedrock-agentic-ai

Apply the changes mentioned in the README.md file.

2. Configure and Deploy the CloudFormation Stack

Deploy the CloudFormation stack for both the OpenSearch Serverless knowledge base and Bedrock agent. Ensure you have the correct parameters set for your environment:

aws cloudformation deploy --template-file opensearch.yml --stack-name opensearch-stack --capabilities CAPABILITY_NAMED_IAM

aws cloudformation deploy --template-file agentic.yml --stack-name agentic-stack --capabilities CAPABILITY_NAMED_IAM

3. Monitor Stack Creation

  • After the deployment, monitor the progress through the AWS Management Console under CloudFormation.
  • Check the Resources tab to confirm that all resources such as Lambda functions, IAM roles, and OpenSearch collections are created successfully.

4. Verify Lambda Function Permissions

  • Ensure that the necessary permissions for Lambda functions (such as EC2, VPC, S3, etc.) are correctly applied through the IAM roles in the CloudFormation stack.
  • You can verify the IAM roles and their policies in the IAM Console.

Testing the Solution

Once the deployment is complete, it’s time to test if the automation works as expected. Here's how to test the solution:

Testing the Solution

Once the deployment is complete, you can test the solution using the Bedrock Agent Test feature. This feature allows you to simulate user input and check if the agent correctly handles requests to create AWS resources. Below are the steps for testing the solution:

1. Login to the Bedrock Agent Console

  • Go to the Bedrock Agent console in the AWS Management Console.
  • If you haven't already created an agent, create one by providing the necessary details. For example, we can use an agent named rag-sagemaker-agent.

2. Enter the Test Command

In the Test section of the console, input your test command that requests the creation of a specific AWS resource. For example, if you want to create a VPC, you can enter the following command:

please create a vpc named CloudOpsVpc with a cidr space of 10.10.0.0/16 in us gov west 1

This command requests the agent to create a VPC named CloudOpsVpc with a CIDR block of 10.10.0.0/16 in the US Gov West 1 region.

3. Check the Agent’s Response

After entering the request, the agent will process the input and return a response. The response should confirm the creation of the VPC with the following details:

  • VPC Name: CloudOpsVpc
  • CIDR Block: 10.10.0.0/16
  • VPC ID: vpc-0c88b7b9521851efc

The agent also confirms that while it didn’t explicitly specify the region, it inferred us-gov-west-1 as the region, assuming it’s correctly configured for your AWS account.

Here’s an example of a successful response from the agent:

4. Verify the VPC in the Console

After receiving confirmation from the agent, go to the VPC Dashboard in the EC2 Console and verify that the VPC CloudOpsVpc was created. It should have the correct CIDR block (10.10.0.0/16) and match the VPC ID provided in the response (vpc-0c88b7b9521851efc).

5. Test Additional Commands

To further test the solution, try adding more complex requests. For example:

  • Create Public and Private Subnets
  • Create endpoints such as ssm, ssmmessages, ec2messages, and logs
  • Create a Linux or Windows instances within the private subnet.

The agent should handle these requests by invoking the appropriate Lambda functions defined in the CloudFormation template.

Example test command to create a subnet:

please create a public and a private subnet with equal cidr in us gov west 1a

6. Troubleshooting

  • No Resources Created: If no resources are created, check the CloudFormation or Lambda function logs for any errors.
  • Region Issues: If the region is incorrect, ensure that the region is correctly configured for your AWS account. If not specified, the agent assumes the default region of your AWS account.

Conclusion

The AWS Bedrock Agentic feature allows for dynamic, serverless infrastructure management by automating the process of provisioning resources based on user inputs. With Bedrock's ability to process natural language requests, you can easily deploy, manage, and modify AWS resources such as VPCs, EC2 instances, and security groups — all triggered by simple commands.

By integrating AWS Bedrock, Lambda, and Amazon OpenSearch Serverless, this solution leverages the full power of automation, eliminating manual steps while ensuring that cloud environments are provisioned securely and efficiently. The Bedrock Agentic interface takes user input and translates it into real-time infrastructure actions, making cloud management much more accessible and responsive.

With the deployment steps and testing guidance outlined, you are now equipped to test and deploy this fully automated system. The Bedrock Agentic feature not only simplifies cloud resource provisioning but also reduces human error, ensuring a smooth and reliable cloud infrastructure setup. By automating the management of your AWS resources, you can scale your cloud environment quickly, securely, and with minimal effort.

Reza Beykzadeh is an IBM Cloud Enterprise Solutions Architect responsible for defining the overall structure of AWS technical programs for Federal clients. Mr. Beykzadeh primarily designs functional technology solutions, oversees development and implementation of programs, and provides technical leadership as well as support to software development teams. He holds 13 AWS certifications, including SAP on AWS and Machine Learning. Mr. Beykzadeh has a strong focus on generative AI, leveraging it to innovate and optimize legacy code conversion solutions. IBM has recognized Mr. Beykzadeh as a ‘rockstar’ for his dedication to client success and his contributions to integrating GenAI with AWS solutions. He was recently named a Federal Market Circle Golden Circle Honoree, an elite group of top performing IBMers who delivered outstanding business results in 2024. Mr. Beykzadeh holds a B.A. in Information Technology from George Mason University.
0 comments
28 views

Permalink

https://community.ibm.com/community/user/blogs/reza-beykzadeh/2025/06/19/automating-aws-infrastructure-creation-bedrock