AWS for Industries

How Amazon Devices Eliminated Credential Risk to Scale AI across Engineering Tools

Amazon Devices engineers needed AI assistance directly in their design tools to accelerate hardware development. But AI agents running locally on engineering workstations had no way to authenticate with AWS services without distributing credentials, creating unacceptable security risks. The Design Technologies team solved this challenge by implementing browser-based authentication that establishes user identity and enables Amazon Bedrock access with zero credentials stored locally. The result: AI-powered design assistance deployed to engineering teams with complete audit trails and individual accountability.

Amazon Devices: Engineering at Scale

The Amazon Devices organization develops hardware and software that powers products like Echo, Fire tablets, Fire TV, and Kindle e-readers. Within the Hardware Engineering division, the Design Technologies (DT) team creates AI-powered applications that integrate with an extensive ecosystem of over 60 engineering tools, supporting more than 10,000 engineers across Amazon.

As Amazon Devices continues to innovate and scale its hardware portfolio, the team is bringing AI solutions directly into engineering workflows to speed up hardware development and reduce costs. To eliminate repetitive tasks and accelerate development, the team is deploying AI into the design tools that engineers use every day—optimizing design workflows, lowering costs per cycle, and fostering effective knowledge transfer.

The solution required seamless Amazon Bedrock integration across the Design Technologies engineering toolchain, including:

  • Mechanical CAD: Creo Parametric, SOLIDWORKS with Amazon Bedrock-powered design assistance
  • Electronics Design: Altium Designer, Cadence OrCAD/Allegro with AI routing optimization
  • Analysis & Simulation: ANSYS, Flotherm with Amazon Bedrock model parameter tuning
  • Product Data Management: PTC Windchill with AI-powered design pattern recognition

“The future of hardware development relies on intelligent agents meeting engineers exactly where they work. By securely connecting local design tools to the power of Amazon Bedrock, we’re unlocking the agentic world—delivering seamless, secure AI innovation that accelerates how we build physical products.” — Prasad Chaparala, Director of Product Integrity at Amazon Devices

The Problem: Local Application Authentication at Scale

When the Design Technologies team integrated Amazon Bedrock for access to foundation models and Amazon Bedrock AgentCore for orchestration of multi-step AI workflows, they encountered a critical challenge: how do you authenticate and identify users when agents run locally on engineering workstations? Without solving this authentication challenge, the team couldn’t securely deploy AI-powered design assistance to meet enterprise security requirements—blocking adoption across the engineering organization.

Securely connecting local applications to Amazon Bedrock requires solving three authentication challenges: 

  • AWS credentials cannot be distributed or embedded in local applications. Engineers don’t have AWS credentials on their laptops to assume IAM roles, making it difficult to run local agents that need to access Amazon Bedrock. Distributing credentials would create security vulnerabilities through exposure in version control, logs, or backups.
  • Amazon Bedrock cannot identify which user is behind agent requests. Without user identity context, personalized AI assistance becomes impossible. Usage billing cannot be attributed to specific users, and compliance audit trails cannot track who accessed which services when—critical requirements for enterprise deployments.
  • Local-to-cloud integration requirements are demanding. AI agents require real-time access to foundation models hosted on Amazon Bedrock. Model Context Protocol (MCP) servers hosted on Amazon Bedrock AgentCore need to authenticate local agent requests. Engineering workflows require AI assistance integrated directly into design tools. User attribution is required for Amazon Bedrock usage billing and compliance, making it essential to know which user is behind each request.

The team needed to implement a secure authentication flow that establishes user identity and enables Amazon Bedrock access while adhering to rigorous enterprise security requirements.

The Solution: Browser-Based Authentication with Amazon Cognito

The Design Technologies team developed a browser-based authentication solution to enable AI agents to access Amazon Bedrock services. The primary challenge was architectural: local agents cannot establish connectivity with AWS without initial credentials, yet enterprise security policies prohibit distributing or embedding AWS credentials in local applications.

The solution establishes user identity through browser authentication first, then exchanges that identity for AWS credentials. This approach leverages OAuth 2.0 flows that users already trust from consumer applications, making the experience familiar while solving the bootstrapping problem.

Core Components

  • Amazon Cognito User Pool: Establishes user identity through browser authentication
  • Amazon Cognito Identity Pool: Maps authenticated users to IAM roles for Amazon Bedrock access
  • Browser-based OAuth 2.0 flow: Captures user identity without requiring pre-existing credentials
  • Python Session Manager: Manages the complete authentication and credential lifecycle
  • AWS Cloud Development Kit (AWS CDK): Automates deployment of Amazon Cognito and IAM configurations

Authentication Flow for Amazon Bedrock Agents

When a local agent needs Amazon Bedrock access, the authentication flow orchestrates a seamless handoff between browser-based identity and AWS credentials. From the engineer’s perspective, it’s as simple as logging in once. The complexity happens behind the scenes.

  1. Local agent needs Amazon Bedrock access
  2. Check for valid user tokens
  3. Launch browser OAuth flow (if expired/missing)
  4. User authenticates (establishes identity)
  5. Exchange user identity for AWS credentials
  6. Agent accesses Amazon Bedrock with user-scoped permissions

The innovation lies in breaking the circular dependency. Browser OAuth establishes who the user is through corporate authentication. That identity then enables AWS credential generation through the Amazon Cognito Identity Pool with no pre-existing AWS access required. Once authenticated, the session manager handles token refresh automatically, keeping sessions active throughout the workday without repeated prompts.
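As an added example (not the Amazon Devices team's own code), the Python session manager below implements steps 2 through 5 above: it reads the expiry of the Cognito User Pool ID token, exchanges that token for temporary IAM-role credentials through the Identity Pool's GetId and GetCredentialsForIdentity calls, and opens the browser only when the user token itself has expired. The client object, the provider key format, the demo JWT and the injected browser login are assumptions so the block runs offline.

```python
import base64
import json
import time

def jwt_claims(token):
    """Decode a JWT payload without verifying it. The client only reads `exp`
    to schedule refreshes; Cognito verifies the signature at exchange time."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def make_demo_jwt(exp, sub="engineer-placeholder"):
    """Constructed, unsigned token for offline demonstration only."""
    body = json.dumps({"sub": sub, "exp": int(exp)}).encode()
    body = base64.urlsafe_b64encode(body).rstrip(b"=").decode()
    return "eyJhbGciOiJub25lIn0." + body + ".demo-signature"

def exchange_id_token(cognito_identity, identity_pool_id, provider, id_token):
    """Step 5: the Identity Pool maps a User Pool token to temporary IAM-role
    credentials. cognito_identity is a boto3 'cognito-identity' client (or a
    fake); provider is 'cognito-idp.<region>.amazonaws.com/<user-pool-id>'."""
    logins = {provider: id_token}
    identity_id = cognito_identity.get_id(
        IdentityPoolId=identity_pool_id, Logins=logins)["IdentityId"]
    creds = cognito_identity.get_credentials_for_identity(
        IdentityId=identity_id, Logins=logins)["Credentials"]
    exp = creds["Expiration"]  # boto3 returns a datetime; fakes may pass a number
    exp = exp.timestamp() if hasattr(exp, "timestamp") else float(exp)
    return {"access_key": creds["AccessKeyId"], "secret_key": creds["SecretKey"],
            "session_token": creds["SessionToken"], "expiration": exp}

class SessionManager:
    """Steps 2-5: credentials live in memory only, are refreshed before expiry,
    and the browser opens only when the user token itself has expired."""
    def __init__(self, browser_login, exchange, skew=60, clock=time.time):
        self.browser_login, self.exchange = browser_login, exchange
        self.skew, self.clock = skew, clock
        self.id_token, self.creds, self.logins = None, None, 0

    def _fresh(self, exp):
        return exp - self.skew > self.clock()

    def credentials(self):
        if self.creds and self._fresh(self.creds["expiration"]):
            return self.creds  # step 2: cached AWS credentials still valid
        if not (self.id_token and self._fresh(jwt_claims(self.id_token)["exp"])):
            self.id_token = self.browser_login()  # steps 3-4: interactive login
            self.logins += 1
        self.creds = self.exchange(self.id_token)  # step 5: identity -> AWS creds
        return self.creds  # step 6: hand to a Bedrock client for the call
```

Nothing is written to disk at any step; a second engineer on the same machine gets no credentials unless they complete their own browser login.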

Figure 1: PTC Creo – Amazon Bedrock integration for Amazon Devices

What This Unlocks: AI-Enhanced Engineering at Scale

The authentication solution unlocks capabilities that were previously impossible with traditional credential distribution. The benefits span technical implementation, developer experience, and security compliance.

  • Real-Time AI Integration: AI agents can now invoke foundation models in real-time with millisecond latency and use Amazon Bedrock AgentCore and MCP servers with proper session management. Each user’s agent sessions are properly attributed, enabling personalized AI interactions that consider role, project context, and history. Agents switch between different Amazon Bedrock models based on user permissions, allowing junior engineers to access basic models while senior engineers leverage more sophisticated capabilities.
  • Personalized Engineering Workflows: Engineering workflows integrate with Amazon Bedrock directly in engineering tools with personalized AI assistance tailored to an engineer’s access level and project context. AI understands both the technical problem and the organizational context around it. AI-enhanced design tools now integrate Amazon Bedrock-powered assistance directly into familiar CAD applications. Analysis tools leverage Amazon Bedrock for intelligent parameter optimization, exploring design spaces more efficiently than traditional algorithms.
  • Enterprise-Grade Security: Individual accountability is now embedded into the architecture, with all Amazon Bedrock usage tied to specific user identities through JWT (JSON Web Tokens). No credentials are distributed or stored on local machines, eliminating exposure through version control, logs, or backups. Complete audit trails provide visibility into who accesses which Amazon Bedrock services when, satisfying compliance requirements. Permission boundaries allow users to only access Amazon Bedrock resources appropriate to their role, with IAM role mapping enforcing fine-grained access control.
  • Deployment Automation: The AWS CDK infrastructure codifies the entire deployment as infrastructure-as-code, enabling consistent environments across development, staging, and production. Comprehensive deployment automation using Python Invoke tasks makes adoption simple, allowing engineers to deploy the entire stack with a single command.

Results: Secure AI Deployed at Scale

The Amazon Devices Design Technologies team has successfully deployed the browser-based authentication solution through proof-of-concept implementations with early adopter engineering teams. Engineers experience near real-time model inference with sub-second authentication and no perceptible delay when accessing Amazon Bedrock services. Individual user attribution enables proper billing and compliance tracking across all users. No authentication-related issues were reported during pilot testing. The DT team has operational AI-enhanced design workflows in pilot deployments across MCAD, ECAD, and simulation tools. Amazon Bedrock AgentCore integration successfully supports MCP servers and sophisticated multi-step AI interactions for hardware development use cases.

What Engineers Are Saying

“The authentication flow works well for our use case. I can authenticate once in the morning and my AI agent accesses Amazon Bedrock models throughout the day based on my permissions. It’s helpful for getting AI assistance in design tools like Creo.” — Senior Engineer, Amazon Devices

“Our AgentCore MCP servers can now properly authenticate requests from local engineering agents. This enables the sophisticated AI workflows we’ve been wanting to build.” — Midhun Mathew, Engineering Manager, Amazon Devices

Measuring Impact

The Amazon Devices team established clear KPIs to measure the impact of AI-enhanced engineering:

  • Tool Adoption: The team has instrumented adoption tracking across engineering tools to measure user engagement with AI-enhanced workflows.
  • Design Cycle Time Reduction: The team is actively measuring time from concept to validated design as pilot deployments expand across MCAD, ECAD, and simulation workflows.
  • Cost Per Cycle: Individual user attribution enables tracking of Amazon Bedrock usage costs per design cycle, providing visibility into AI assistance costs and ROI.
  • Security Incident Rate: Zero credential exposure or unauthorized access incidents reported since pilot deployment, validating the security benefits of eliminating local credential storage.
  • Knowledge Transfer Effectiveness: Personalized AI assistance is delivered based on authenticated identity and access level, with junior engineers receiving more explanatory guidance while senior engineers get concise suggestions.

What This Means for Your Organization

By solving the local agent authentication challenge, the DT team has enabled rapid expansion of AI-powered engineering capabilities across Amazon Devices’ 13 business units.

The authentication framework provides a foundation for sophisticated agent ecosystems where local agents can securely orchestrate interactions with cloud-hosted AI services, MCP servers, and foundation models with proper user context and permissions. This approach positions organizations as leaders in secure AI integration patterns, addressing one of the most common challenges in enterprise AI adoption: how to bring cloud AI capabilities to local applications without compromising security.

The future of engineering productivity depends on AI agents that can securely access cloud services from local applications. The authentication foundation you build today determines how quickly you can deploy that future tomorrow.

Madhur Bajaj

Madhur Bajaj is a Senior Software Development Engineer at Amazon Devices. With over 8 years at Amazon, he builds internal developer platforms, enterprise search solutions, and cloud-native tools that help R&D engineering teams work more efficiently. He has experience across cloud-based research and engineering platforms, including high-performance computing and virtual desktop infrastructure. Madhur drives generative AI adoption across engineering organizations, from early proof-of-concepts to production-ready solutions and broad team enablement. He believes the most impactful solutions are built where real problems meet effortless user experiences.

Walker Stemple

Walker Stemple leads the Amazon Web Services Worldwide PLM Practice for Automotive and Manufacturing. He is passionate about helping customers achieve rapid innovation for their engineering and development applications, bringing deep expertise in high-performance computing, research and development solutions, and product lifecycle management. His career spans the intersection of cutting-edge technology and industrial applications—from helping unlock the mysteries of subatomic particles and modeling earthquakes to solving intractable business problems through scale-out computing. Based in Austin, Texas, Walker works within the AWS Industries organization, focusing on transforming how automotive and manufacturing companies approach product development and engineering workflows in the cloud.