AWS Cloud Operations Blog
Modernizing Account Management with Amazon Bedrock and AWS Control Tower
Introduction
The integration of Generative AI into cloud governance transforms AWS account management into a more automated and efficient process. Leveraging the generative AI capabilities of Amazon Bedrock alongside tools such as AWS Control Tower and Account Factory for Terraform (AFT), organizations can now expedite the AWS account setup and management process, aligning with best practices while minimizing development effort.
Customers need to factor in a number of organizational requirements and evaluate AWS best practices while provisioning an AWS account. As a result, they end up spending a significant amount of development time creating the customizations for each AWS account.
In this blog post, we illustrate how Amazon Bedrock Agents can orchestrate the multistep tasks of the account vending process with AFT, which sets you up with a Terraform pipeline to provision and customize AWS accounts in AWS Control Tower. Behind the scenes, Agents for Amazon Bedrock automates the orchestration of user-requested tasks, such as a new AWS account request or the generation of account customizations. An agent automatically builds the orchestration prompt and, if connected to knowledge bases, augments it with your company-specific information and invokes APIs to provide responses to the user in natural language. Using AFT, you create an account request in Terraform and commit it to the repository; that commit triggers the AFT workflow for Account Factory. After Account Factory execution is complete, AFT runs additional customization steps automatically.
In the following sections, we walk through an example use case of provisioning a “Security Tooling Account” and detail how Bedrock Agents and a foundation model (Claude 2.1) can be used to accelerate the IaC development for a specific security tooling use case. Finally, you will learn how to deploy the IaC generated through Bedrock and scale your infrastructure deployments through AFT.
Overview of Solution
Before delving into the deployment, let’s walk through the key steps of the architecture that we will be establishing, as shown in Figure 1.
- The user utilizes the Bedrock Agent chat console to input their AWS account creation requirements. For instance, the user might specify, “Create an AWS Account for Security Tooling”. The agent is configured with instructions and Bedrock knowledge base to customize and create an AWS account via Account Factory for Terraform.
- On receiving the above example request, the agent queries a Bedrock Knowledge Base predefined with recommended AWS security services for a Security Tooling AWS account. The agent presents these security services to the user. The user inputs a subset or all of the recommended security services.
- Next, the agent collects user information for account creation. Based on the AWS services the user selects, the agent passes the service information to an action group that invokes an AWS Lambda function. The Lambda function retrieves approved Terraform module configurations to construct modular terraform code, and pushes the terraform code to AFT account customization repository (learn-terraform-aft-account-customizations). Before moving to the next step for account creation with the user selected AWS security services, the agent asks the user to confirm/update terraform code that was published to the AFT account customization repo.
- Once the agent receives user confirmation, the agent passes the information to another action group that invokes a Lambda function that publishes the AWS account creation terraform module to AFT account request repository (learn-terraform-aft-account-request) and AWS Control Tower Account Factory for Terraform (AFT) pipeline is triggered.
- Next, the AFT pipeline calls the AFT Service Catalog product, registers the account to a particular organizational unit, applies the guardrails leveraging AWS Control Tower and AWS Organizations.
- Finally, the new AWS account for security tooling is provisioned and registered in Security OU. This account will contain the AWS security services created by the AFT account customizations.
Prerequisites
- To manage AWS accounts using this workflow, you will need an active AWS management account with admin rights, knowledge of Terraform for setting up account configurations, and appropriate AWS IAM permissions. You must also have AWS Control Tower and AFT set up, with an understanding of the AFT repositories and AWS Control Tower’s role in securing a multi-account AWS environment.
- Understanding of key terms:
Deployment Steps
This solution follows AWS Security Reference Architecture (SRA), and can be utilized to create AWS account types such as security tooling, infrastructure, workload accounts, and deploy respective AWS services for each type of AWS account. For the purpose of this blog post, we focus on creating the security tooling account and deployment of the recommended AWS security services. There are 4 steps to deploy our solution. These are described below.
Step 1: Configure the Knowledge Base: Configuring a Knowledge Base (KB) enables your Bedrock agents to access a repository of information for AWS account provisioning. Follow these steps to set up your KB:
- Access the Amazon Bedrock Console: Log in and go directly to the ‘Knowledge Base’ section. This is your starting point for creating a new KB.
- Name Your Knowledge Base: Choose a clear and descriptive name that reflects the purpose of your KB, such as “AWS Account Setup KB.”
- Select an IAM Role: Assign a pre-configured IAM role with the necessary permissions. It’s typically best to let Amazon Bedrock create this role for you to ensure it has the correct permissions.
- Define the Data Source: Upload a JSON file to an S3 bucket with encryption enabled for security. This file should contain a structured list of AWS services and Terraform modules. For the JSON structure, use the example provided in the repository.
- Choose the Default Embeddings Model: For most use cases, the Amazon Bedrock Titan G1 Embeddings – Text model will suffice. It’s pre-configured and ready to use, simplifying the process.
- Opt for the Managed Vector Store: Allow Amazon Bedrock to create and manage the vector store for you in Amazon OpenSearch Service.
- Review and Finalize: Double-check all entered information for accuracy. Pay special attention to the S3 bucket URI and IAM role details.
Step 2: Configure the Bedrock Agent:
- Open the Bedrock console, select Agents in the left navigation panel, then choose Create Agent
- Provide agent details including agent name, description (optional).
- Next, grant the agent permissions to AWS services via AWS Identity and Access Management (IAM) service role. This gives your agent access to required services, such as AWS Lambda.
- Select a foundation model from Bedrock (e.g. Anthropic Claude V2).
- To automate AFT via Bedrock agents attach the following instruction to the agent:
“Assist users in creating AWS accounts based on account type. Ask user which AWS account type (customization name) they would like to create: Security or Infrastructure AWS account. Ask user which AWS services they would like to deploy for their chosen account type. DO NOT assume AWS services for account type, ask user. Query the knowledge base for the approved AWS services list for the selected AWS account type. Present the AWS services to the user for service selection. Collect required user details for the account creation, e.g. “Please provide first name, last name, organization unit, account email and name”. Upon AWS services selection, invoke the account customization Lambda to generate the appropriate Terraform code. After successful execution of account customization lambda provide users repository link and ask for user confirmation of terraform code before triggering the AWS account creation lambda. Ask user to update code if needed. DO NOT trigger account creation lambda unless you receive confirmation from user. After user confirmation, initiate the account creation Lambda. Let the user know the account has been created with the customization.”
Step 3: Configure the Agent Action Groups: After the initial agent configuration and adding the above instruction to the agent, two action groups need to be added to the agent to enable account creation and customization via AFT.
- Action Group for Account Customization: Create an action group linked to a Lambda function (to create the Lambda function, please follow the instructions) that generates Terraform configuration files for account customization. This group is triggered by the agent after the user inputs the AWS services that need to be provisioned in the AWS account. The Terraform configurations are pushed to the “learn-terraform-aft-account-customizations” repository. AFT uses this repository to apply specific configurations to the newly created AWS accounts. Refer to the Lambda code in the repository.
- Action Group for Account Creation: Establish a second action group tied to a different Lambda function responsible for creating the AWS account using AFT. This group is triggered only after the user reviews and confirms the Terraform configuration. Refer to the Lambda code in the linked repository.
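The two Lambda functions described in the overview and in the action groups above take service selections and account details that arrived through a chat conversation and turn them into Terraform for the AFT repositories. The following is an added example (not the code from the linked repository) of the generation step with two checks a practitioner would want: selected services are accepted only if they appear in the approved-module catalogue, and every conversational value is validated before it is interpolated into HCL. The catalogue layout, module sources and versions are constructed for illustration; the argument names in the account request block follow the AFT account request module.

```python
import re

# Constructed catalogue in the shape of the knowledge-base JSON described above (assumed layout).
APPROVED_MODULES = {
    "security": {
        "guardduty": {"source": "git::https://example.com/tf-modules/guardduty.git", "version": "v1.2.0"},
        "security-hub": {"source": "git::https://example.com/tf-modules/securityhub.git", "version": "v2.0.1"},
    },
}
SAFE_VALUE = re.compile(r"[A-Za-z0-9 _.@-]{1,64}")  # conservative allowlist for HCL string values

def render_customizations(account_type, requested):
    """One module block per selected service; anything outside the catalogue is refused,
    so text that passed through the model can never introduce an unapproved module source."""
    catalog = APPROVED_MODULES.get(account_type.lower())
    if catalog is None:
        raise ValueError(f"unknown account type: {account_type}")
    unknown = sorted(set(requested) - catalog.keys())
    if unknown:
        raise ValueError(f"services not in approved catalogue: {unknown}")
    blocks = []
    for svc in sorted(set(requested)):
        mod = catalog[svc]
        blocks.append(f'module "{svc.replace("-", "_")}" {{\n  source = "{mod["source"]}?ref={mod["version"]}"\n}}\n')
    return "\n".join(blocks)

def render_account_request(first, last, ou, email, name, customization):
    """Emit the aft-account-request module call for the account request repository.
    Every value originates from the chat conversation, so it is validated before use."""
    if "@" not in email or not SAFE_VALUE.fullmatch(email):
        raise ValueError("invalid account email")
    for v in (first, last, ou, name, customization):
        if not SAFE_VALUE.fullmatch(v):
            raise ValueError(f"unexpected characters in {v!r}")
    return f'''module "{name.lower().replace(" ", "_")}" {{
  source = "./modules/aft-account-request"
  control_tower_parameters = {{
    AccountEmail              = "{email}"
    AccountName               = "{name}"
    ManagedOrganizationalUnit = "{ou}"
    SSOUserEmail              = "{email}"
    SSOUserFirstName          = "{first}"
    SSOUserLastName           = "{last}"
  }}
  account_tags                 = {{ "Owner" = "{first} {last}" }}
  change_management_parameters = {{ change_requested_by = "{email}", change_reason = "Bedrock agent request" }}
  account_customizations_name  = "{customization}"
}}
'''
```

Committing the returned strings to the customization and account request repositories is what triggers the AFT pipeline; the rejection paths are where a misbehaving or manipulated conversation is stopped before anything reaches Terraform.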
Step 4: Add the action groups to the agent:
- Provide a name for each of your action groups and describe what the action does in the Description for action groups.
- In Select Lambda function, for both your action groups choose the appropriate Lambda functions that you created in AWS Lambda. The Lambda function provides the business logic that is carried out upon invoking the action. Choose the version of the function to use. For more information, see Action group Lambda functions.
- In Select API schema, provide the Amazon S3 URI of the schema with the API description, structure, and parameters for the action group. The API manages the logic for receiving user inputs and triggering the Lambda functions for account creation and customization. The API should be designed to handle various tasks, such as validating user inputs, initiating the Terraform module creation process, and monitoring the status of account provisioning. For more information, see Action group OpenAPI schemas.
- Select Add another Action group to set up another action group for your agent. When you are done adding action groups, select Next.
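The agent instruction in Step 2 tells the model not to call the account creation Lambda without user confirmation, but instruction text is not an enforcement point. The following is an added example (not the repository code) of a Lambda handler serving both action groups through the documented Bedrock Agents action-group event and response shape; it re-checks an explicit confirmation flag and the required account fields on the server side before acting. The API paths, property names, the comma-separated services property and the publish_* stand-ins are assumptions for illustration.

```python
import json

# Constructed stand-ins for the repository Lambda code: in the real workflow these
# commit Terraform to the AFT repositories; here they only return a status string.
def publish_customizations(account_type, services):
    return f"customizations for {account_type} ({', '.join(services)}) pushed"

def publish_account_request(details):
    return f"account request for {details['account_name']} pushed"

def make_event(path, props):
    """Build an action-group event in the documented Bedrock Agents shape (constructed sample)."""
    body = {"properties": [{"name": k, "type": "string", "value": v} for k, v in props.items()]}
    return {"actionGroup": "aft-actions", "apiPath": path, "httpMethod": "POST",
            "requestBody": {"content": {"application/json": body}}}

def _properties(event):
    """Flatten the request body properties into a name -> value dict."""
    props = event.get("requestBody", {}).get("content", {}).get("application/json", {}).get("properties", [])
    return {p["name"]: p["value"] for p in props}

def _reply(event, status, body):
    """Wrap a result in the response envelope Bedrock Agents expect from an action-group Lambda."""
    return {"messageVersion": "1.0", "response": {
        "actionGroup": event["actionGroup"], "apiPath": event["apiPath"],
        "httpMethod": event["httpMethod"], "httpStatusCode": status,
        "responseBody": {"application/json": {"body": json.dumps(body)}}}}

def handler(event, context=None):
    params = _properties(event)
    path = event["apiPath"]
    if path == "/customize":
        services = [s.strip() for s in params.get("services", "").split(",") if s.strip()]
        if not services:
            return _reply(event, 400, {"error": "no services selected"})
        return _reply(event, 200, {"result": publish_customizations(params.get("account_type", ""), services)})
    if path == "/create":
        # The agent instruction says not to call this without confirmation, but prompt
        # text is not a control: the Lambda re-checks the explicit flag before acting.
        if params.get("confirmed", "").lower() != "true":
            return _reply(event, 409, {"error": "terraform not confirmed by user"})
        required = ("first_name", "last_name", "organizational_unit", "account_email", "account_name")
        missing = [k for k in required if not params.get(k)]
        if missing:
            return _reply(event, 400, {"error": f"missing fields: {missing}"})
        return _reply(event, 200, {"result": publish_account_request(params)})
    return _reply(event, 404, {"error": f"unknown apiPath {path}"})
```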
A screenshot of user interaction with Amazon Bedrock to vend a “Security Tooling Account” is shown in Figure 2.
Clean Up
To avoid unnecessary charges, delete the resources created during the testing. To perform a cleanup of the resources, perform the following steps in the sequential order defined here:
- Delete the knowledge base
Open the Amazon Bedrock console at https://console.aws.amazon.com/bedrock/.
Before the following steps, make sure to delete the knowledge base from any agents that it’s associated with. To do this, carry out the following steps:
- From the left navigation pane, select Agents.
- Choose the Name of the agent that you want to delete the knowledge base from.
- A red banner appears to warn you to delete the reference to the knowledge base, which no longer exists, from the agent.
- Select the radio button next to the knowledge base that you want to remove. Select More and then choose Delete.
- From the left navigation pane, select Knowledge base.
- To delete a source, either choose the radio button next to the source and select Delete or choose the Name of the source and then select Delete in the top right corner of the details page.
- Review the warnings for deleting a knowledge base. If you accept these conditions, enter delete in the input box and select Delete to confirm.
- Delete the Agent
- In the Amazon Bedrock console, select Agents from the left navigation pane.
- Select the radio button next to the agent to delete.
- A modal appears warning you about the consequences of deletion. Enter delete in the input box and select Delete to confirm.
- A blue banner appears to inform you that the agent is being deleted. When deletion is complete, a green success banner appears.
- Delete all the other resources including AWS Lambda functions and any AWS services used for Account customization.
Conclusion
The integration of Generative AI transforms AWS account management into a more automated and efficient process. Leveraging the generative AI capabilities of Amazon Bedrock alongside tools such as AWS Control Tower and Account Factory for Terraform (AFT) allows organizations to expedite the AWS account setup and management process, aligning with best practices while minimizing development effort. This approach not only streamlines operations but also embeds security and compliance into every layer of development when building an AWS cloud environment.
The solution in this post equips organizations with a plausible AFT architecture with Amazon Bedrock, deployment code and instructions that help provision cloud resources efficiently and securely as per AWS best practices.