AWS Bedrock

Overview

This guide provides step-by-step instructions for setting up AKTO's AWS Bedrock monitoring solution in your AWS account. This solution automatically captures, processes, and sends AWS Bedrock agent conversations to your AKTO instance for security analysis.

System Architecture

What You'll Achieve

✅ Automated Bedrock Monitoring: Capture all AWS Bedrock agent conversations ✅ Real-time Processing: Process logs every 5 minutes automatically ✅ Security Analysis: Send conversation data to AKTO for threat detection ✅ Multi-Model Support: Works with Amazon Nova, Claude, and other Bedrock models ✅ Client-Side Deployment: Complete data isolation in your AWS account

Prerequisites

1. AWS Account Requirements

AWS CLI installed and configured with user who has below permissions
IAM permissions for:
- Lambda functions
- S3 buckets
- EventBridge rules
- Bedrock service access
- IAM role creation

2. AKTO Instance Requirements

AKTO Data ingestion service instance running and accessible
AKTO API key for authentication

Step-by-Step Setup

Install AWS CLI if not installed

If AWS CLI is already configured then move to Step 2

# On Mac:
brew install awscli

# On Windows: Download from https://aws.amazon.com/cli/
# On Linux:
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

Install Node.js

# On Mac:
brew install node

# On Windows/Linux: Download from https://nodejs.org/

Configure AWS Credentials
You need to tell AWS who you are:
```
aws configure
```
It will ask for:
- AWS Access Key ID: Get from AWS Console → IAM → Users → Your User → Security credentials
- AWS Secret Access Key: Same place as above
- Default region: Use us-east-1 (or your preferred region)
- Default output format: Just press Enter
Test AWS Access
```
aws sts get-caller-identity
```

Verify your AWS identity

aws sts get-caller-identity

Expected Output

{
    "UserId": "AIDACKXXXXXXXXXXXXXXXXX",
    "Account": "123456789***",
    "Arn": "arn:aws:iam::123456789012:user/your-username"
}

✅ Should show your account ID - You're ready! ❌ Shows error - Fix your credentials first

Download the Solution

# Clone the repository
git clone https://github.com/akto-api-security/akto_aws_bedrock_discovery.git

# Navigate to the solution directory
cd akto_aws_bedrock_discovery

# Make scripts executable
chmod +x simple-deploy.sh test-solution.sh

Prepare Your Information

Before running the deployment, gather this information:

S3 Bucket Name: A unique bucket name for storing Bedrock logs
- Example: my-company-bedrock-logs-2024
- Must be globally unique across all AWS accounts
AKTO Data Ingestion URL: Your AKTO endpoint
- Format: https://your-akto-instance.com/api/ingestData
- Replace your-akto-instance.com with your actual AKTO domain/IP
AKTO API Key: Authentication key for your AKTO instance
- Obtain from your AKTO dashboard
- Example: ak_live_xxxxxxxxxxxxxxxxxxxx

Run the Deployment

Execute the deployment script:

./simple-deploy.sh

The script will prompt you for the required information:

🚀 AKTO Bedrock Monitor - Simple Manual Deployment
=================================================

📊 Deployment Information:
   AWS Account ID: 123456789***
   AWS Region: us-east-1

S3 Bucket Configuration:
  - S3 bucket name is REQUIRED for Bedrock logging
  - The bucket should already exist and be accessible
  - Lambda will configure Bedrock to log to this bucket

Enter S3 bucket name (required): my-company-bedrock-logs-2024
✅ Using S3 bucket: my-company-bedrock-logs-2024

AKTO Data Ingestion Configuration:
  - Data ingestion service URL is REQUIRED
  - API key is REQUIRED for authentication

Enter AKTO Data Ingestion URL (e.g., https://your-akto-instance.com/api/ingestData): https://my-akto.company.com/api/ingestData
✅ Using Data Ingestion URL: https://my-akto.company.com/api/ingestData

Enter AKTO API Key: ak_live_xxxxxxxxxxxxxxxxxxxx
✅ Using API Key: ak_live_...

Wait for Deployment

The script will automatically:

Create IAM Role: Set up permissions for Lambda
Deploy Lambda Function: Upload and configure the processing function
Set Up EventBridge: Schedule processing every 5 minutes
Configure Environment: Set all required variables

Expected Output:

📦 Building Lambda package...
✅ Lambda package created

🔧 Creating IAM role...
✅ IAM role created and configured

🔧 Creating Lambda function...
✅ Lambda function created/updated

🔧 Creating EventBridge schedule...
✅ EventBridge schedule created

🎉 Deployment completed successfully!

📋 What was created:
   • Lambda Function: akto-bedrock-log-processor-123456789012
   • IAM Role: akto-bedrock-processor-role-123456789012
   • EventBridge Rule: akto-bedrock-schedule-123456789012 (runs every 5 minutes)
   • Using existing S3 Bucket: my-company-bedrock-logs-2024

🔍 Next steps:
1. Generate some AWS Bedrock conversations
2. Monitor Lambda logs: aws logs tail /aws/lambda/akto-bedrock-log-processor-123456789*** --follow
3. Test manually: aws lambda invoke --function-name akto-bedrock-log-processor-123456789*** --payload '{}' response.json

🎯 The system will automatically process Bedrock logs every 5 minutes!

Verify the Deployment

Run the verification script:

./test-solution.sh

This will check:

✅ Lambda function exists and is accessible
✅ S3 bucket is properly configured
✅ CloudWatch logs are working
✅ EventBridge schedule is active

Create S3 Bucket (If Needed)

If you don't have an S3 bucket, create one:

# Replace 'my-company-bedrock-logs-2024' with your bucket name
aws s3 mb s3://my-company-bedrock-logs-2024

# Set bucket policy for Bedrock access (optional - Lambda will handle this)
aws s3api put-bucket-versioning \
    --bucket my-company-bedrock-logs-2024 \
    --versioning-configuration Status=Enabled

Test with Bedrock

Generate a test conversation:

# Example Bedrock API call
aws bedrock-runtime invoke-model \
    --model-id anthropic.claude-3-haiku-20240307-v1:0 \
    --body '{"messages":[{"role":"user","content":[{"type":"text","text":"Hello, this is a test message for AKTO monitoring."}]}],"max_tokens":50,"anthropic_version":"bedrock-2023-05-31"}' \
    --content-type application/json \
    test-output.json

Monitor the System

Check Lambda Logs:

aws logs tail /aws/lambda/akto-bedrock-log-processor-YOUR_ACCOUNT_ID --follow

Check S3 for Bedrock Logs:

aws s3 ls s3://your-bucket-name/bedrock-logs/ --recursive

Manual Lambda Test:

aws lambda invoke \
    --function-name akto-bedrock-log-processor-YOUR_ACCOUNT_ID \
    --payload '{}' \
    response.json

Troubleshooting Common Issues

1. Permission Denied Errors

# Check your AWS credentials
aws sts get-caller-identity

# Ensure you have sufficient IAM permissions
aws iam list-attached-user-policies --user-name YOUR_USERNAME

2. S3 Bucket Already Exists

# Choose a different bucket name or check if you own it
aws s3 ls s3://your-bucket-name

3. Lambda Function Not Processing

# Check Lambda logs for errors
aws logs describe-log-groups --log-group-name-prefix "/aws/lambda/akto-bedrock"

# View recent logs
aws logs tail /aws/lambda/akto-bedrock-log-processor-YOUR_ACCOUNT_ID --follow

4. AKTO Connection Issues

# Test connectivity to your AKTO instance
curl -X POST "https://your-akto-instance.com/api/ingestData" \
     -H "Content-Type: application/json" \
     -H "X-API-KEY: your-api-key" \
     -d '{"test": "connection"}'

Important Notes

Bedrock Logging Configuration: The Lambda function automatically enables Bedrock model invocation logging on first run if not enabled
Processing Schedule: Logs are processed every 5 minutes via EventBridge
Data Format: Conversations are formatted in AKTO StandardMessage format with security tags
Security: All data remains in your AWS account; no external access required

What Happens Next

Once deployed, the system will:

Auto-Configure Bedrock: Enable model invocation logging to your S3 bucket
Process Conversations: Extract and format conversation data every 5 minutes
Send to AKTO: Forward processed data to your AKTO instance for analysis
Monitor Security: AKTO will analyze conversations for potential threats

Support

For issues or questions:

Check CloudWatch Logs: Monitor Lambda execution logs
Review S3 Configuration: Ensure bucket exists and is accessible
Verify AKTO Connectivity: Test endpoint and API key

PreviousAI Agent Security NextHugging Face

Last updated 18 days ago

hashtagOverview

hashtagSystem Architecture

hashtagWhat You'll Achieve

hashtagPrerequisites

hashtag1. AWS Account Requirements

hashtag2. AKTO Instance Requirements

hashtagStep-by-Step Setup

hashtagInstall AWS CLI if not installed

hashtagDownload the Solution

hashtagPrepare Your Information

hashtagRun the Deployment

hashtagWait for Deployment

hashtagVerify the Deployment

hashtagCreate S3 Bucket (If Needed)

hashtagTest with Bedrock

hashtagMonitor the System

hashtagTroubleshooting Common Issues

hashtag1. Permission Denied Errors

hashtag2. S3 Bucket Already Exists

hashtag3. Lambda Function Not Processing

hashtag4. AKTO Connection Issues

hashtagImportant Notes

hashtagWhat Happens Next

hashtagSupport