AWS Cloud Operations Blog
Scaling AWS Control Tower controls using Amazon Bedrock Agents
AWS Control Tower is the easiest way to set up and govern a secure, multi-account AWS environment. A key feature of AWS Control Tower is the ability to deploy and manage controls at scale across an entire AWS Organizations organization. Controls are categorized by their behavior and guidance; the behavior of each control is one of detective, proactive, or preventive.
This blog post shows you how to use Amazon Bedrock Agents to automate enabling and disabling AWS Control Tower controls. By combining Amazon Bedrock Agents with the AWS Control Tower control APIs, users provide the necessary parameters through a chat interface and the agent makes the API calls, which keeps the process efficient and accurate.
A control provides instructions for configuring resources to mitigate or address specific risks; that is, it helps you express your policy intentions. For example, if you need a detective control that detects whether unrestricted internet access over SSH is allowed, you can enable this control, together with other controls, through a single action using the AWS Management Console, the AWS Command Line Interface (AWS CLI), an AWS SDK, or Infrastructure as Code (IaC).
Walkthrough
Before we dive into the deployment, let's walk through the key steps of the architecture shown in Figure 1 below.
Figure 1. Architecture diagram
- The user interacts with the Amazon Bedrock Agent through the Test window, which supports actions such as enabling, disabling, and listing controls, and retrieving status information about enabled controls.
- The agent uses an Amazon Bedrock knowledge base to retrieve detailed information about each control and its API control identifier.
- The Amazon Bedrock Agent triggers an action group based on the user's request. The Lambda functions associated with the action groups perform the actions by calling AWS Control Tower APIs with the required parameters. AWS Control Tower executes the following actions and manages the controls as specified by the Amazon Bedrock Agent:
- Find all relevant controls: Finds all relevant control identifiers for a use case.
- List enabled controls: Retrieves a list of currently enabled controls for a specific Region and organizational unit (OU) using the AWS Control Tower list_enabled_controls API.
- Enable/disable control: Handles requests to enable or disable a control for a particular Region and OU using the AWS Control Tower enable_control and disable_control APIs respectively.
- Bulk enable/disable controls: Handles requests to enable or disable a set of controls for multiple OUs using the AWS Control Tower enable_control and disable_control APIs respectively.
- Get enabled control status/information: Handles requests to get the status and details of an enabled control using the get_enabled_control API.
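As an added example (not the post's code and not the linked repository), here is one way the action-group Lambda functions described above can be written: a single handler that reads the Bedrock Agents event, calls the Control Tower APIs named above through an injected boto3 client, and returns the response envelope the agent expects. The apiPath values, the parameter names (region, controlId, ouArn, enabledControlArn), the FakeControlTower stand-in and the sample identifiers are this example's own assumptions; the post's repository may structure its functions differently.

```python
"""Action-group Lambda for the agent: maps a Bedrock Agents API call onto the AWS
Control Tower control APIs named in the post. Added example, not the post's code."""
import json


def control_arn(region: str, control_id: str) -> str:
    """Control identifiers are ARNs carrying the Region; the OU target is an AWS
    Organizations OU ARN (formats per the AWS Control Tower API reference)."""
    return f"arn:aws:controltower:{region}::control/{control_id}"


def agent_params(event: dict) -> dict:
    """Flatten the agent's query parameters and JSON request body into one dict."""
    params = {p["name"]: p["value"] for p in event.get("parameters", [])}
    body = event.get("requestBody", {}).get("content", {}).get("application/json", {})
    params.update({p["name"]: p["value"] for p in body.get("properties", [])})
    return params


def agent_response(event: dict, status: int, payload: dict) -> dict:
    """Response envelope Bedrock Agents expects back from an action-group Lambda."""
    return {"messageVersion": "1.0", "response": {
        "actionGroup": event["actionGroup"], "apiPath": event["apiPath"],
        "httpMethod": event["httpMethod"], "httpStatusCode": status,
        "responseBody": {"application/json": {"body": json.dumps(payload)}}}}


def response_body(resp: dict) -> dict:
    """Decode the JSON body of an agent_response() envelope."""
    return json.loads(resp["response"]["responseBody"]["application/json"]["body"])


def handle(event: dict, ct) -> dict:
    """Dispatch on apiPath. `ct` is a boto3 'controltower' client, injected so the
    handler runs without AWS credentials. apiPath and parameter names are this
    example's own and must match the action group's OpenAPI schema."""
    p, path = agent_params(event), event["apiPath"]
    if path == "/list-enabled-controls":
        resp = ct.list_enabled_controls(targetIdentifier=p["ouArn"])
        controls = [{"controlIdentifier": c["controlIdentifier"], "arn": c["arn"],
                     "status": c["statusSummary"]["status"]} for c in resp["enabledControls"]]
        return agent_response(event, 200, {"enabledControls": controls})
    if path in ("/enable-control", "/disable-control"):
        arn = control_arn(p["region"], p["controlId"])
        op = ct.enable_control if path == "/enable-control" else ct.disable_control
        resp = op(controlIdentifier=arn, targetIdentifier=p["ouArn"])
        return agent_response(event, 200, {"controlIdentifier": arn,
                                           "operationIdentifier": resp["operationIdentifier"]})
    if path == "/get-enabled-control":
        d = ct.get_enabled_control(
            enabledControlIdentifier=p["enabledControlArn"])["enabledControlDetails"]
        return agent_response(event, 200, {"controlIdentifier": d["controlIdentifier"],
                                           "status": d["statusSummary"]["status"]})
    return agent_response(event, 400, {"error": f"unsupported apiPath {path}"})


def lambda_handler(event, context):
    """Real entry point; boto3 is imported lazily so the module loads without it.
    In the post's design the call crosses into the management account through an
    assumed role, so build the client from STS-assumed credentials there."""
    import boto3
    return handle(event, boto3.client("controltower"))


class FakeControlTower:
    """Constructed offline stand-in for the boto3 client, mirroring only the
    response fields of the four APIs that the handler reads."""

    def __init__(self):
        self.enabled = {}  # (control ARN, OU ARN) -> enabled-control ARN

    def enable_control(self, controlIdentifier, targetIdentifier):
        n = len(self.enabled) + 1
        self.enabled[(controlIdentifier, targetIdentifier)] = f"{targetIdentifier}/ec-{n:04d}"
        return {"operationIdentifier": f"op-{n:04d}"}

    def disable_control(self, controlIdentifier, targetIdentifier):
        del self.enabled[(controlIdentifier, targetIdentifier)]
        return {"operationIdentifier": "op-disable"}

    def list_enabled_controls(self, targetIdentifier):
        return {"enabledControls": [
            {"controlIdentifier": c, "arn": a, "targetIdentifier": t,
             "statusSummary": {"status": "SUCCEEDED"}}
            for (c, t), a in self.enabled.items() if t == targetIdentifier]}

    def get_enabled_control(self, enabledControlIdentifier):
        for (c, t), a in self.enabled.items():
            if a == enabledControlIdentifier:
                return {"enabledControlDetails": {"controlIdentifier": c, "arn": a,
                        "targetIdentifier": t, "statusSummary": {"status": "SUCCEEDED"}}}
        raise KeyError(enabledControlIdentifier)


# Constructed placeholders, not real account, OU or control identifiers.
SAMPLE_OU = "arn:aws:organizations::111122223333:ou/o-exampleorg/ou-exmp-12345678"
SAMPLE_CONTROL = "AWS-GR_EXAMPLE_CONTROL"


def sample_event(api_path: str, method: str, params: dict) -> dict:
    """Constructed event in the shape Bedrock Agents sends to an action-group Lambda."""
    return {"messageVersion": "1.0", "actionGroup": "EnableDisableControl",
            "apiPath": api_path, "httpMethod": method,
            "parameters": [{"name": k, "type": "string", "value": v} for k, v in params.items()]}


if __name__ == "__main__":
    ct = FakeControlTower()
    on = handle(sample_event("/enable-control", "POST", {"region": "us-east-1",
                             "controlId": SAMPLE_CONTROL, "ouArn": SAMPLE_OU}), ct)
    print(response_body(on))
    print(response_body(handle(sample_event("/list-enabled-controls", "GET", {"ouArn": SAMPLE_OU}), ct)))
```

The operationIdentifier that enable_control and disable_control return refers to an asynchronous operation, so the agent's confirmation means the request was accepted, not that the control is already active; the list and get paths expose statusSummary.status so the user can ask for the real state afterwards.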
Prerequisites
- An existing AWS environment with AWS Control Tower enabled.
- Access to the AWS management account.
- An account where the solution will be deployed, e.g. a GenAI tooling account.
- Access to Titan Embeddings G1 – Text and Anthropic Claude foundation models in Amazon Bedrock.
Deployment Steps
The deployment of the solution consists of four steps:
- Configuring Amazon Bedrock knowledge base.
- Setting up Amazon Bedrock Agent.
- Configuring action groups.
- Setting up AWS Identity and Access Management (IAM) permissions.
Step 1: Configuring Amazon Bedrock knowledge base:
- In the AWS account (e.g. the GenAI tooling account) where you plan to deploy this solution, log in to the Amazon S3 console and navigate to Buckets in the left pane. Select Create bucket. Provide a unique name and use the default settings. Click Create bucket.
- Upload the JSON file to the newly created S3 bucket. This file contains a list of unique API control identifiers and a description for each control.
- Log in to the Amazon Bedrock console and navigate to Knowledge bases (KB) under Builder tools on the left. Select Create knowledge base.
- Provide a Knowledge base name and an optional Knowledge base description that reflects the purpose of your KB.
- In the IAM permissions section, select the first option, Create and use a new service role. Provide a Service role name. This pre-configured IAM role has the required permissions. Choose Amazon S3 as the data source. Provide an optional tag and click Next.
- Provide a Data source name. Select Data source location to be This AWS account.
- Provide the S3 URI of the object you uploaded to the bucket in step (ii).
- Select the embeddings model to be Titan Embeddings G1 – Text by Amazon. This model is pre-configured and ready to use.
- For the Vector database, select the recommended option Quick create a new vector store. Select Next, then review and Create knowledge base.
Step 2: Setting up Amazon Bedrock Agent:
- Open the Amazon Bedrock console, select Agents under Builder tools on the left navigation panel, then select Create Agent. Provide agent details including Name and an optional description then Create.
- Under Agent resource role section, select the first option Create and use a new service role. This (IAM) service role gives your agent access to required services, such as AWS Lambda.
- In the Select model section, choose Anthropic and Claude V2.1.
- In Instructions for the Agent, use the instructions provided here.
- In the Knowledge bases section, select Add, then choose the knowledge base created in the previous step. This allows the agent to find control identifiers from a description.
- Leave the rest of the sections at their default configuration. Then click Save and exit.
Step 3: Configuring Action Groups:
We need to create an S3 bucket to store the OpenAPI schemas that are required for creating the action groups.
- Log in to the Amazon S3 console and navigate to Buckets in the left pane. Select Create bucket. Provide a unique name and use the default settings. Click Create bucket.
- Upload the OpenAPI JSON files for the five action groups: Find all relevant controls (OpenAPI-schema), List enabled controls (OpenAPI-schema), Enable/disable control (OpenAPI-schema), Bulk enable/disable controls (OpenAPI-schema) and Get enabled control status/information (OpenAPI-schema).
Note: These files contain the schema that outlines the API description, structure, and parameters for the action group. The OpenAPI schemas manage the logic for receiving user inputs and triggering the corresponding Lambda functions.
- Navigate to the Amazon Bedrock console. Select the agent created previously. Click Edit in Agent Builder.
- In the Action groups section, click Add.
- Provide Find all relevant controls as the Action group name. For Action group type, select Define with API schemas. For Action group invocation, select Quick create a new Lambda function (recommended).
- In the Action group schema section, click Select an existing API schema. Provide the S3 URL of the schema for this action group that you uploaded in the previous step. Click Save and exit.
- Add the other four action groups, List enabled controls, Enable/disable control, Bulk enable/disable controls and Get enabled control status, by following the same steps.
- Navigate to the AWS Lambda console. On the left, select Functions.
- Click the Find all relevant controls function. Update the code from the linked repository and click Deploy.
- Next, click the second Lambda function, List enabled controls. Update the code from the linked repository and click Deploy.
- Next, click the third Lambda function, Enable/disable control. Update the code from the linked repository and click Deploy.
- Next, click the Bulk enable/disable controls function. Update the code from the linked repository and click Deploy.
- Finally, click the Get enabled control status function. Update the code from the linked repository and click Deploy.
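To make concrete what the OpenAPI schemas uploaded in this step carry, here is an added example (not one of the post's linked schema files) that builds the schema for the Enable/disable control action group as a Python dict and lints it for the fields the agent depends on: Bedrock Agents chooses an operation and fills its parameters from the description text, so a missing description silently degrades the agent's behaviour. The path and parameter names are this example's assumptions, and the x-requireConfirmation extension, used here so the agent asks the user before a control is disabled, is an assumption to verify against the current Bedrock Agents schema documentation.

```python
"""OpenAPI 3 schema for the Enable/disable control action group, built as a dict and
linted for the fields Bedrock Agents needs. Added example; the post's own schemas
are linked from it and may name paths and parameters differently."""
import json


def _query_param(name: str, description: str) -> dict:
    return {"name": name, "in": "query", "required": True,
            "description": description, "schema": {"type": "string"}}


def _operation(op_id: str, description: str, confirm: bool) -> dict:
    op = {
        "operationId": op_id,
        "description": description,
        "parameters": [
            _query_param("region", "Region of the control identifier, e.g. us-east-1"),
            _query_param("controlId", "AWS Control Tower control identifier "
                                      "(the part after control/ in the control ARN)"),
            _query_param("ouArn", "ARN of the organizational unit the control applies to"),
        ],
        "responses": {"200": {
            "description": "Operation identifier of the asynchronous control change",
            "content": {"application/json": {"schema": {"type": "object",
                "properties": {"operationIdentifier": {"type": "string"}}}}}}},
    }
    if confirm:
        # Ask the user to confirm before the agent invokes the action (assumed:
        # the Bedrock Agents x-requireConfirmation extension; verify against docs).
        op["x-requireConfirmation"] = "ENABLED"
    return op


def control_action_schema() -> dict:
    return {
        "openapi": "3.0.0",
        "info": {"title": "Enable/disable control", "version": "1.0.0",
                 "description": "Enable or disable an AWS Control Tower control on an OU"},
        "paths": {
            "/enable-control": {"post": _operation(
                "enableControl", "Enable a control on an OU in a Region", False)},
            "/disable-control": {"post": _operation(
                "disableControl", "Disable a control on an OU in a Region", True)},
        },
    }


def lint_schema(schema: dict) -> list:
    """Return the omissions that would stop the agent from choosing or filling an
    operation: every operation and parameter needs a description, each operation
    an operationId, and the document must be OpenAPI 3.x."""
    problems = []
    if not str(schema.get("openapi", "")).startswith("3."):
        problems.append("openapi version must be 3.x")
    for path, ops in schema.get("paths", {}).items():
        for method, op in ops.items():
            where = f"{method.upper()} {path}"
            if not op.get("operationId"):
                problems.append(f"{where}: missing operationId")
            if not op.get("description"):
                problems.append(f"{where}: missing description")
            for p in op.get("parameters", []):
                if not p.get("description"):
                    problems.append(f"{where}: parameter {p.get('name')} missing description")
    return problems


if __name__ == "__main__":
    schema = control_action_schema()
    print(json.dumps(schema, indent=2))  # this document is what goes into the schema bucket
    print("lint:", lint_schema(schema) or "ok")
```

Running the script prints the JSON document to upload to the schema bucket; running lint_schema on a schema before uploading catches the omissions that otherwise only show up as the agent refusing to call the action or asking for parameters it cannot name.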
Step 4: Setting up IAM permissions:
As a last step, we need to set up three IAM roles: two in the GenAI Tooling Account and one in the AWS Management Account. These roles give the AWS Lambda functions access to call the AWS Control Tower control APIs in the AWS management account.
In GenAI Tooling Account:
- Navigate to the AWS Identity and Access Management (IAM) console, and create an IAM policy using the policy code provided here.
- Create an IAM role using custom trust policy, and attach the permission policy created in the previous step. You can refer to the custom trust policy here.
- Navigate to the AWS Lambda console and search for the List enabled controls Lambda function. Update the function's execution role with the role created above. The same role needs to be set for the Enable/disable control, Bulk enable/disable controls and Get enabled control status Lambda functions.
- Follow steps (i) and (ii) to create another role and update the Find all relevant controls Lambda function. You can refer to the IAM policy and custom trust policy here.
In the AWS Management Account:
- Follow steps (i) and (ii) to create another role that grants cross-account permissions for Lambda functions in the GenAI Tooling Account to manage AWS Control Tower controls in the AWS Management Account. You can refer to the IAM policy and custom trust policy here.
Note: Update account IDs and cross-account role names to ensure they are current and accurate.
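The post links its own policy documents; as an added example (not those files), the block below shows the shape of the management-account role from Step 4 in code: a trust policy that names the specific Lambda execution role in the GenAI tooling account rather than the whole account, a permissions policy limited to the Control Tower actions the functions call, a lint that flags the two over-broad patterns that most often appear in cross-account roles, and the STS assume-role call a Lambda function would use to obtain a Control Tower client in the management account. The action list, role names and account IDs are this example's assumptions (placeholders, not real values); confirm the actions against the AWS Control Tower service authorization reference.

```python
"""Policy documents for the cross-account role in the management account and a helper
that builds the Control Tower client from assumed-role credentials. Added example,
not the post's linked policies; the action list is this example's assumption."""
import json

# Assumed minimal set of actions for the handlers the post describes; confirm against
# the AWS Control Tower service authorization reference before use.
CONTROL_TOWER_ACTIONS = [
    "controltower:ListEnabledControls",
    "controltower:GetEnabledControl",
    "controltower:EnableControl",
    "controltower:DisableControl",
    "controltower:GetControlOperation",
]


def trust_policy(tooling_account_id: str, tooling_role_name: str) -> dict:
    """Trust only the specific Lambda execution role in the GenAI tooling account,
    never the account root, so no other principal in that account can assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{tooling_account_id}:role/{tooling_role_name}"},
        "Action": "sts:AssumeRole",
    }]}


def permissions_policy() -> dict:
    """Allow only the named Control Tower actions. Resource stays '*' here because
    this example does not scope the actions by OU (assumption; narrow it if the
    actions you use support resource-level permissions)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": CONTROL_TOWER_ACTIONS, "Resource": "*",
    }]}


def lint_policies(trust: dict, perms: dict) -> list:
    """Flag a trust policy that trusts a whole account (':root') or everyone ('*'),
    and a permissions policy that grants wildcard actions."""
    problems = []
    for st in trust["Statement"]:
        principals = st.get("Principal", {}).get("AWS", [])
        for pr in [principals] if isinstance(principals, str) else principals:
            if pr == "*" or pr.endswith(":root"):
                problems.append(f"trust policy trusts a whole account or everyone: {pr}")
    for st in perms["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                problems.append(f"permissions policy grants wildcard action: {a}")
    return problems


def assumed_controltower_client(role_arn: str, region: str,
                                session_name: str = "bedrock-controltower-agent"):
    """Assume the management-account role and return a Control Tower client bound
    to the temporary credentials (boto3 imported lazily; needs AWS access to run)."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.client("controltower", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real accounts or role names.
    trust = trust_policy("111122223333", "ControlTowerAgentLambdaRole")
    perms = permissions_policy()
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("lint:", lint_policies(trust, perms) or "ok")
```

The session name passed to assume_role shows up in the management account's CloudTrail records for every control change the agent makes, so choose one that identifies the agent; that, together with the role trusting only the Lambda execution role, is what lets you trace a control being disabled back to an agent session rather than to an anonymous principal in the tooling account.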
Example Interactions
Now that the solution has been deployed, let's take a look at example interactions with the Amazon Bedrock Agent for AWS Control Tower controls.
Use-case 1: A user initiates a session with the Amazon Bedrock Agent intending to bulk enable controls, as shown in Figure 2, but they don't know the control identifiers. The user provides a description, such as "Public IP addresses", to locate the relevant control identifiers. The Amazon Bedrock Agent then invokes the Find all relevant controls action group, which lists all controls related to the provided description.
Figure 2. Amazon Bedrock Agent lists the relevant control identifiers for user provided description
From the list of relevant control identifiers, the user specifies the controls that need to be enabled. The Amazon Bedrock Agent gathers the required parameters, such as the Region and OUs, from the user and triggers the Bulk enable/disable controls action group to enable the controls "Autoscaling Launch Configuration Public IP Disabled" and "EC2 Instance No Public IP", as shown in Figure 3.
Figure 3. Amazon Bedrock Agent confirms that user provided controls have been enabled
Use-case 2: To obtain detailed information and the current status of a specific enabled control, the user needs to pass the enabled control's Amazon Resource Name (ARN) to the Amazon Bedrock Agent. The agent triggers the Get enabled control status action group, which uses the GetControl API to retrieve the details. An example is shown in Figure 4 below:
Figure 4. Example use case to get details about specific enabled control
Clean up
The services used in this demonstration can incur costs. Complete the following steps to clean up your resources:
- Delete the Lambda functions if they’re no longer required.
- Delete the action groups and the Amazon Bedrock agent that were created.
- Empty and delete the S3 buckets used for storing files.
- Delete the Amazon Bedrock knowledge base if it's no longer needed.
Conclusion
By using Amazon Bedrock Agents to automate AWS Control Tower control management, we can streamline AWS Control Tower control operations. The solution eliminates manual control identifier lookups and improves the experience of interacting with the AWS Control Tower control APIs. Users can now specify their requirements through an Amazon Bedrock Agent chat interface, and the agent handles the rest, ensuring accurate and efficient control management. This approach not only saves time, but also enhances the overall user experience, making AWS Control Tower control operations more accessible and user-friendly.