
Modernizing Account Management with Amazon Bedrock and AWS Control Tower – Amazon Web Services (AWS)

The integration of Generative AI into cloud governance transforms AWS account management into a more automated and efficient process. Leveraging the generative AI capabilities of Amazon Bedrock alongside tools such as AWS Control Tower and Account Factory for Terraform (AFT), organizations can now expedite the AWS account setup and management process, aligning with best practices while minimizing development effort.
Customers need to factor in a number of organizational requirements and evaluate AWS best practices while provisioning an AWS account. As a result, they spend a significant amount of development cycles creating the customizations for each AWS account.
In this blog post, we illustrate the power of Amazon Bedrock Agents orchestrating multistep tasks during the account vending process with AFT, which sets you up with a Terraform pipeline to provision and customize AWS accounts in AWS Control Tower. Behind the scenes, Agents for Amazon Bedrock automates the orchestration of user-requested tasks, such as a new AWS account request or generating account customizations. An agent automatically builds the orchestration prompt and, if connected to knowledge bases, augments it with your company-specific information and invokes APIs to provide responses to the user in natural language. Using AFT, you create an account request in Terraform and commit it to the repository, which triggers the AFT workflow for Account Factory. After Account Factory execution is complete, AFT runs additional customization steps automatically.
In the following sections, we walk through an example use case of provisioning a “Security Tooling Account” and detail how Bedrock Agents and a foundation model (Claude 2.1) can be used to accelerate the IaC development for a specific security tooling use case. Finally, you will learn how to deploy the IaC generated through Bedrock and scale your infrastructure deployments through AFT.
Before delving into the deployment, let’s walk through the key steps of the architecture that will be established, as shown in Figure 1.
Figure 1 : An example of “Security Tooling Account” vended leveraging AFT and Amazon Bedrock
This solution follows the AWS Security Reference Architecture (SRA) and can be used to create AWS account types such as security tooling, infrastructure, and workload accounts, and to deploy the respective AWS services for each type of account. For the purpose of this blog post, we focus on creating the security tooling account and deploying the recommended AWS security services. There are four steps to deploy our solution, described below.
Step 1 : Configure Knowledge Base: Configuring a Knowledge Base (KB) enables your Bedrock agents to access a repository of information for AWS account provisioning. Follow these steps to set up your KB:
Step 2 : Configure the Bedrock Agent:
Assist users in creating AWS accounts based on account type. Ask user which AWS account type(customization name) they would like to create: Security or Infrastructure AWS account. Ask user which AWS services they would like to deploy for their chosen account type. DO NOT assume AWS services for account type, ask user. Query the knowledge base for the approved AWS services list for the selected AWS account type. Present the AWS services to the user for service selection. Collect required user details for the account creation, for e.g.; “Please provide first name, last name, organization unit, account email and name”. Upon AWS services selection, invoke the account customization Lambda to generate the appropriate Terraform code. After successful execution of account customization lambda provide users repository link and ask for user confirmation of terraform code before triggering the AWS account creation lambda. Ask user to update code if needed. DO NOT trigger account creation lambda unless you receive confirmation from user. After user confirmation, initiate the account creation Lambda. Let the user know the account has been created with the customization.
Step 3 : Configuring Agent Action Groups: After the initial agent configuration and adding the above instruction to the agent, two actions need to be added to the agent to enable account creation and customization via AFT.
Step 4 : Add the Action groups to Agent:
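The account customization action described in Steps 2 and 3 takes the details the agent collects from the user (account type, AWS services, first name, last name, organizational unit, account email and name) and turns them into Terraform for the AFT pipeline. The following is an added example of that step, not code from the post: it validates every user-supplied value against allowlists (constructed here, where the post would query the knowledge base), escapes values so that a chat input cannot inject Terraform interpolation into the generated file, and renders an AFT account request. The `aft-account-request` module field names are AFT's own; the service lists, OU names, `custom_fields` layout and name policy are assumptions.

```python
import re

# Constructed allowlists; in the post these come from the knowledge base.
APPROVED_SERVICES = {"security": {"guardduty", "securityhub", "inspector"},
                     "infrastructure": {"vpc", "transitgateway"}}
ALLOWED_OUS = {"Security", "Infrastructure"}
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,50}$")  # assumed account/user name policy

def hcl_str(value: str) -> str:
    """Quote as an HCL string literal; $${ and %%{ stop Terraform interpolation/directives."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped.replace("${", "$${").replace("%{", "%%{") + '"'

def validate(p: dict) -> None:
    """Reject anything outside the allowlists before it reaches the Terraform pipeline."""
    if p["account_type"] not in APPROVED_SERVICES:
        raise ValueError(f"unknown account type {p['account_type']!r}")
    if set(p["services"]) - APPROVED_SERVICES[p["account_type"]]:
        raise ValueError("service not approved for this account type")
    if p["org_unit"] not in ALLOWED_OUS:
        raise ValueError(f"organizational unit {p['org_unit']!r} not allowed")
    if not EMAIL_RE.match(p["account_email"]):
        raise ValueError("invalid account email")
    if not all(NAME_RE.match(p[k]) for k in ("account_name", "first_name", "last_name")):
        raise ValueError("name contains disallowed characters")

def render_account_request(p: dict) -> str:
    """Emit the aft-account-request module call for the collected parameters."""
    validate(p)
    label = "account_" + re.sub(r"[^a-z0-9_]", "_", p["account_name"].lower())
    return "\n".join([
        f'module "{label}" {{',
        '  source = "./modules/aft-account-request"',
        "  control_tower_parameters = {",
        f"    AccountEmail              = {hcl_str(p['account_email'])}",
        f"    AccountName               = {hcl_str(p['account_name'])}",
        f"    ManagedOrganizationalUnit = {hcl_str(p['org_unit'])}",
        f"    SSOUserEmail              = {hcl_str(p['account_email'])}",
        f"    SSOUserFirstName          = {hcl_str(p['first_name'])}",
        f"    SSOUserLastName           = {hcl_str(p['last_name'])}",
        "  }",
        # Selected services are passed to the customization stage via custom_fields (assumed layout).
        f"  custom_fields = {{ services = {hcl_str(','.join(sorted(set(p['services']))))} }}",
        f"  account_customizations_name = {hcl_str(p['account_type'] + '-tooling')}",
        "}",
    ])
```

The rendered block is what the agent would commit to the AFT repository for the user to review before, per the agent instruction, the account creation action is allowed to run.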
A screenshot of user interaction with Amazon Bedrock to vend a “Security Tooling Account” is shown in Figure 2.
Figure 2 : An example user interaction with Amazon Bedrock to vend a “Security Tooling Account” leveraging AFT
To avoid unnecessary charges, delete the resources created during the testing. To perform a cleanup of the resources, perform the following steps in the sequential order defined here:

The integration of Generative AI transforms AWS account management into a more automated and efficient process. Leveraging the generative AI capabilities of Amazon Bedrock alongside tools such as AWS Control Tower and Account Factory for Terraform (AFT) allows organizations to expedite the AWS account setup and management process, aligning with best practices while minimizing development effort. This approach not only streamlines operations but also embeds security and compliance into every layer of development when building an AWS cloud environment.
The solution in this post equips organizations with a plausible AFT architecture with Amazon Bedrock, deployment code and instructions that help provision cloud resources efficiently and securely as per AWS best practices.
Shiva Vaidyanathan is a Principal Cloud Architect at AWS. He provides technical guidance and design, and leads complex customer migration and modernization initiatives, ensuring their success on AWS. He focuses on building agents for migration and modernization use cases leveraging Generative AI, making AWS cloud adoption simpler for everyone. Prior to joining AWS, he worked on several NSF-funded research initiatives on how to perform secure computing in public cloud infrastructures. He holds an MS in Computer Science from Rutgers University and an MS in Electrical Engineering from New York University.
Ebbey Thomas is a Senior Cloud Architect at AWS, with a strong focus on leveraging generative AI to enhance cloud infrastructure automation and accelerate migrations. In his role at AWS Professional Services, Ebbey designs and implements solutions that improve cloud adoption speed and efficiency while ensuring secure and scalable operations for AWS users. He is known for solving complex cloud challenges and driving tangible results for clients. Ebbey holds a BS in Computer Engineering and an MS in Information Systems from Syracuse University.
