AWS Cloud Operations Blog

Scaling AWS Control Tower controls using Amazon Bedrock Agents

AWS Control Tower is the easiest way to set up and govern a secure, multi-account AWS environment. A key feature of AWS Control Tower is the ability to deploy and manage controls at scale across an entire AWS Organization. These controls are categorized based on their behavior and guidance. The behavior of each control is one of detective, proactive or preventive.

This blog post shows you how to use Amazon Bedrock Agents to automate the enablement and disablement of AWS Control Tower controls. By combining Amazon Bedrock Agents with the Control Tower control APIs, users interact through a chat interface and supply the necessary parameters, while the agent handles the API calls, ensuring efficiency and accuracy.

A control provides instructions for configuring resources to mitigate or address specific risks; in other words, it helps you express your policy intentions. For example, if you need a detective control that detects whether unrestricted internet connection through SSH is allowed, you can enable this control, and other controls, through a single action using the Management Console, the AWS Command Line Interface (AWS CLI), an AWS SDK, or Infrastructure as Code (IaC).

Walkthrough

Before we dive deep into the deployment, let's walk through the key steps of the architecture shown in Figure 1 below.

Architecture diagram of the solution

Figure 1. Architecture diagram

  1. The user interacts with the Amazon Bedrock Agent via the Test window, which supports actions such as enabling, disabling and listing controls, or retrieving status information for enabled controls.
  2. The agent uses an Amazon Bedrock Knowledge Base to retrieve detailed information about each control and its API control identifier.
  3. The Amazon Bedrock Agent triggers an action group based on the user's request. The Lambda functions associated with the action group perform the actions by calling AWS Control Tower APIs with the required parameters. AWS Control Tower executes the following actions and manages the controls as specified by the Amazon Bedrock Agent.
    • Find all relevant controls: Finds all relevant control identifiers for a use case.
    • List enabled controls: Retrieves a list of currently enabled controls for a specific Region and Organizational Unit (OU) using the Control Tower list_enabled_controls API.
    • Enable/disable control: Handles requests to enable or disable a control for a particular Region and OU using the AWS Control Tower enable_control and disable_control APIs respectively.
    • Bulk enable/disable controls: Handles requests to enable or disable a set of controls for multiple OUs using the AWS Control Tower enable_control and disable_control APIs respectively.
    • Get enabled control status/information: Handles requests to get enabled control status/information using the get_enabled_control API.
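The bulk enable/disable path in the list above, as an added example that is not the blog's linked Lambda code: the Control Tower client is injected so the logic runs offline against a constructed stand-in, and each OU is first checked with list_enabled_controls so repeated agent requests are idempotent. Function names, the FakeControlTower class and the sample OU ARNs and control identifiers are assumptions; in Lambda you would pass boto3.client("controltower") created on the assumed cross-account role from Step 4.

```python
def control_arn(control_id: str, region: str) -> str:
    # Control Tower control identifier ARN (documented format)
    return f"arn:aws:controltower:{region}::control/{control_id}"

def enabled_control_ids(ct, ou_arn: str) -> set:
    # Page through ListEnabledControls so the bulk call can skip no-op requests
    ids, token = set(), None
    while True:
        page = ct.list_enabled_controls(targetIdentifier=ou_arn, **({"nextToken": token} if token else {}))
        ids.update(c["controlIdentifier"] for c in page["enabledControls"])
        token = page.get("nextToken")
        if not token:
            return ids

def bulk_apply(ct, action: str, control_ids: list, ou_arns: list, region: str) -> dict:
    # Enable or disable each control on each OU; reject anything but the two supported verbs
    if action not in ("enable", "disable"):
        raise ValueError(f"unsupported action {action!r}")
    report = {"changed": [], "skipped": []}
    for ou in ou_arns:
        already = enabled_control_ids(ct, ou)
        for cid in control_ids:
            arn = control_arn(cid, region)
            if (action == "enable") == (arn in already):  # already in the desired state
                report["skipped"].append(f"{ou}:{cid}")
                continue
            call = ct.enable_control if action == "enable" else ct.disable_control
            op = call(controlIdentifier=arn, targetIdentifier=ou)
            report["changed"].append(f"{ou}:{cid}:{op['operationIdentifier']}")
    return report

class FakeControlTower:
    # Constructed stand-in for boto3.client("controltower") so the example runs offline
    def __init__(self, enabled):
        self.enabled, self.calls = enabled, []
    def list_enabled_controls(self, **kw):
        items = [{"controlIdentifier": a} for a in self.enabled.get(kw["targetIdentifier"], [])]
        return {"enabledControls": items}
    def enable_control(self, **kw):
        self.calls.append(("enable", kw)); return {"operationIdentifier": f"op-{len(self.calls)}"}
    def disable_control(self, **kw):
        self.calls.append(("disable", kw)); return {"operationIdentifier": f"op-{len(self.calls)}"}

def demo() -> dict:
    # Sample OUs and control identifiers (constructed; substitute your own values)
    ous = ["arn:aws:organizations::111111111111:ou/o-example/ou-dev0",
           "arn:aws:organizations::111111111111:ou/o-example/ou-prod"]
    ids = ["AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED", "AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP"]
    ct = FakeControlTower({ous[1]: [control_arn(ids[0], "us-east-1")]})  # prod already has one
    return bulk_apply(ct, "enable", ids, ous, "us-east-1")
```

The returned report, rather than the raw operation identifiers, is what the action-group Lambda would serialize back to the agent so the chat reply can state which controls were changed and which were already in place.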

Prerequisites

  1. An existing AWS environment with AWS Control Tower enabled.
  2. Access to the AWS management account.
  3. An account where the solution will be deployed, e.g. GenAI tooling account.
  4. Access to Titan Embeddings G1 – Text and Anthropic Claude foundation models in Amazon Bedrock.

Deployment Steps

The deployment of the solution consists of four steps:

  1. Configuring Amazon Bedrock knowledge base.
  2. Setting up Amazon Bedrock Agent.
  3. Configuring actions groups.
  4. Setting up AWS Identity and Access Management (IAM) permissions.

Step 1: Configuring Amazon Bedrock knowledge base:

  • In the AWS account (e.g. GenAI Tooling Account) where you plan to deploy this solution, log in to the Amazon S3 console and navigate to Buckets in the left pane. Select Create bucket. Provide a unique name and use the default settings. Click Create bucket.
  • Upload the JSON file to the newly created S3 bucket. This file contains a list of unique API control identifiers and a description for each control.
  • Log in to the Amazon Bedrock console and navigate to Knowledge bases (KB) under Builder tools on the left. Select Create knowledge base.
  • Provide a Knowledge base name and an optional Knowledge base description that reflects the purpose of your KB.
  • In the IAM permissions section, select the first option, Create and use new service role. Provide a Service role name. This pre-configured IAM role has the required permissions. Choose Amazon S3 as the data source. Provide an optional tag and click Next.
  • Provide a Data source name. Set Data source location to This AWS account.
  • Provide the S3 URI of the object you uploaded to the bucket in the second step above.
  • Select Titan Embeddings G1 – Text by Amazon as the embeddings model. This model is pre-configured and ready to use.
  • For the Vector database, select the recommended option Quick create a new vector store. Select Next, then review and Create knowledge base.

Step 2: Setting up Amazon Bedrock Agent:

  • Open the Amazon Bedrock console, select Agents under Builder tools in the left navigation panel, then select Create Agent. Provide the agent details, including Name and an optional description, then select Create.
  • Under the Agent resource role section, select the first option, Create and use a new service role. This IAM service role gives your agent access to the required services, such as AWS Lambda.
  • In the Select model section, choose Anthropic and Claude V2.1.
  • In Instructions for the Agent, use the instructions provided here.
  • In the Knowledge bases section, select Add, then use the knowledge base created in the previous step. This lets the agent find control identifiers from a description.
  • Leave the rest of the sections with the default configuration. Next, click Save and exit.

Step 3: Configuring Action Groups:

We need to create an S3 bucket to store the OpenAPI schemas required for creating the action groups.

  • Log in to the Amazon S3 console and navigate to Buckets in the left pane. Select Create bucket. Provide a unique name and use the default settings. Click Create bucket.
  • Upload the OpenAPI JSON files for the five action groups: Find all relevant controls (OpenAPI-schema), List enabled controls (OpenAPI-schema), Enable/disable control (OpenAPI-schema), Bulk enable/disable controls (OpenAPI-schema) and Get enabled control status/information (OpenAPI-schema).

Note: These files contain the schema that outlines the API description, structure, and parameters for each action group. The OpenAPI schemas define how user inputs are received and which Lambda function is triggered for each operation.

  • Navigate to the Amazon Bedrock console. Select the agent created previously. Click Edit in Agent Builder.
  • In the Action groups section, click Add.
  • Provide Find all relevant controls as the Action group name. For Action group type, select Define with API schemas. For Action group invocation, select Quick create a new Lambda function (the recommended option).
  • In the Action group schema section, click Select an existing API schema. Provide the S3 URL of the schema for this action group uploaded in the previous step. Click Save and exit.
  • Add the other four action groups, List enabled controls, Enable/disable control, Bulk enable/disable controls and Get enabled control status, by following the same steps.
  • Navigate to the AWS Lambda console. On the left, select Functions.
  • Click the Find all relevant controls function. Update the code from the linked repository and click Deploy.
  • Next, click the second Lambda function, List enabled controls. Update the code from the linked repository and click Deploy.
  • Next, click the third Lambda function, Enable/disable control. Update the code from the linked repository and click Deploy.
  • Next, click the Bulk enable/disable controls function. Update the code from the linked repository and click Deploy.
  • Finally, click the Get enabled control status function. Update the code from the linked repository and click Deploy.

Step 4: Setting up IAM permissions:

As a last step, we need to set up three IAM roles: two in the GenAI Tooling Account and one in the AWS Management Account. These give the AWS Lambda functions the access they need to call the AWS Control Tower control APIs in the AWS Management Account.

In the GenAI Tooling Account:

In the AWS Management Account:

  • Follow steps (i) and (ii) to create another role that grants cross-account permissions for Lambda functions in the GenAI Tooling Account to manage AWS Control Tower controls in the AWS Management Account. You can refer to the IAM policy and custom trust policy here.

Note: Update account IDs and cross-account role names to ensure they are current and accurate.

Example Interactions

Now that the solution has been deployed, let’s take a look at example interactions with Amazon Bedrock Agent with AWS Control Tower Controls.

Use-case 1: A user initiates a session with the Amazon Bedrock Agent intending to bulk enable controls, as shown in Figure 2; however, they don't know the control identifiers. The user then provides a description, such as "Public IP addresses", to locate the relevant control identifiers. The Amazon Bedrock Agent invokes the Find all relevant controls action group, which lists all controls related to the provided description.

Example interaction with Amazon Bedrock Agent and AWS Control Tower Control APIs

Figure 2. Amazon Bedrock Agent lists the relevant control identifiers for user provided description

From the provided list of relevant control identifiers, the user specifies the controls that need to be enabled. The Amazon Bedrock Agent gathers the required parameters, such as the Region and OUs, from the user and triggers the Bulk enable/disable controls action group to enable the controls "Autoscaling Launch Configuration Public IP Disabled" and "EC2 Instance No Public IP", as shown in Figure 3.

Example interaction with Amazon Bedrock Agent and AWS Control Tower APIs

Figure 3. Amazon Bedrock Agent confirms that user provided controls have been enabled

Use-case 2: To obtain detailed information and the current status of a specific enabled control, the user passes the enabled control's Amazon Resource Name (ARN) to the Amazon Bedrock Agent. The agent triggers the Get enabled control status action group, which uses the get_enabled_control API to retrieve the details. An example is shown in Figure 4 below:

Use case to get details about a specific enabled control

Figure 4. Example use case to get details about a specific enabled control

Clean up

The services used in this demonstration can incur costs. Complete the following steps to clean up your resources:

  1. Delete the Lambda functions if they're no longer required.
  2. Delete the action groups and the Amazon Bedrock agent that were created.
  3. Empty and delete the S3 buckets used for storing the files.
  4. Delete the Amazon Bedrock knowledge base if it's no longer needed.

Conclusion

By using Amazon Bedrock Agents to automate AWS Control Tower control management, we can streamline AWS Control Tower control operations. The solution removes the need for manual control identifier lookups and improves the experience of interacting with the AWS Control Tower control APIs. Users can now state their requirements through the Amazon Bedrock Agent chat interface, and the agent handles the rest, ensuring accurate and efficient control management. This approach not only saves time, but also makes AWS Control Tower control operations more accessible and user-friendly.

About the Authors

Akhil Raj Yallamelli

Akhil Raj Yallamelli is a Cloud Infrastructure Architect at AWS, specializing in architecting cloud infrastructure solutions for enhanced data security and cost efficiency. He is experienced in integrating technical solutions with business strategies to create scalable, reliable, and secure cloud environments. Akhil enjoys developing solutions focusing on customer business outcomes, incorporating generative AI (Gen AI) technologies to drive innovation and cloud enablement. He holds an MS degree in Computer Science. Outside of his professional work, Akhil enjoys watching and playing sports.

Shiva Vaidyanathan

Shiva Vaidyanathan is a Principal Cloud Architect at AWS. He provides technical guidance and design, and leads implementation projects for customers, ensuring their success on AWS. He works on GenAI initiatives that make AWS cloud journeys simpler for customers. Prior to joining AWS, he worked on several NSF-funded research initiatives on secure computing in public cloud infrastructures. He holds an MS in Computer Science from Rutgers University and an MS in Electrical Engineering from New York University.

Matheus Arrais

Matheus Arrais is a Senior Worldwide CloudOps Specialist based in Dallas, Texas. He has extensive experience in cloud operations, cloud governance, compliance, migration, and security, and is focused on cloud governance services including AWS Control Tower, AWS Organizations, AWS Service Catalog, and AWS Config. For over 5 years, Matheus has been helping customers and partners enhance their governance, compliance, and security posture for a successful cloud journey. Find on LinkedIn: matheusarrais

Ebbey Thomas

Ebbey Thomas is a Senior Cloud Architect at AWS, with a strong focus on leveraging generative AI to enhance cloud infrastructure automation and accelerate migrations. In his role at AWS Professional Services, Ebbey designs and implements solutions that improve cloud adoption speed and efficiency while ensuring secure and scalable operations for AWS users. He is known for solving complex cloud challenges and driving tangible results for clients. Ebbey holds a BS in Computer Engineering and an MS in Information Systems from Syracuse University.