Agentic AI Workflows on AWS ‐ Implementation Guide - magicplatforms/new-machine-workflows GitHub Wiki
- Legacy .NET Application Modernization Crew
- Autonomous FinOps Cost-Optimization Assistant
- Multi-Agent Data-Ops Insight Hub
- AWS Security Audit Crew
- Conversational Code-Generation Studio
- Cross-Framework Protocol Bridge
- Data-Product RAG Pipeline
- Tool-Integration Governance Pipeline
sequenceDiagram
autonumber
participant User as 👤 User/System
participant EB as 🔔 EventBridge
participant DA as 🔍 Discovery Agent
participant PA as 📋 Planner Agent
participant TA as 🔄 Transformer Agent
participant QA as ✅ QA Agent
participant DevOps as 🚀 DevOps Agent
participant AWS as ☁️ AWS Services
participant Memory as 💾 Memory Store
rect rgb(230, 255, 230)
Note over User,EB: INITIALIZATION PHASE
User->>EB: Code push or manual modernization request
EB->>DA: Trigger modernization workflow
end
rect rgb(255, 230, 230)
Note over DA,AWS: DISCOVERY PHASE
DA->>AWS: Scan repository structure
AWS-->>DA: Return codebase metadata
DA->>DA: Build dependency graph
DA->>PA: Send fingerprint & dependency analysis
end
rect rgb(230, 230, 255)
Note over PA,AWS: PLANNING PHASE
PA->>AWS: Request Claude on Bedrock
AWS-->>PA: AI reasoning capabilities
PA->>PA: Analyze dependency graph
PA->>PA: Generate per-project upgrade plan
PA->>TA: Send modernization blueprint
end
rect rgb(255, 255, 230)
Note over TA,AWS: TRANSFORMATION PHASE
TA->>TA: Execute Strands Agent Loop
loop For each project file
TA->>AWS: Invoke Lambda for transformation
AWS-->>TA: Return converted files
end
TA->>TA: Add Dockerfiles & configs
TA->>DevOps: Push transformed branch
end
rect rgb(255, 230, 255)
Note over DevOps,AWS: BUILD & DEPLOY PHASE
DevOps->>AWS: Trigger CodeBuild pipeline
AWS-->>DevOps: Build status & artifacts
DevOps->>QA: Request quality validation
end
rect rgb(230, 255, 255)
Note over QA,AWS: TESTING PHASE
QA->>AWS: Run CodeCatalyst test suite
AWS-->>QA: Test results & coverage
alt Tests Failed
QA->>PA: Request fixes
PA->>TA: Generate patches
else Tests Passed
QA->>DevOps: Approve for deployment
end
end
rect rgb(240, 240, 240)
Note over DevOps,Memory: DEPLOYMENT & LEARNING PHASE
DevOps->>AWS: Push to ECR
DevOps->>AWS: Create ECS-Fargate task definitions
AWS-->>DevOps: Deployment confirmation
DevOps->>Memory: Store artifacts & traces
Memory->>Memory: Update DynamoDB for next iteration
end
| Step | Component | Description |
|---|---|---|
| 1 | Trigger | Code push to repository or manual modernization request initiates the workflow via EventBridge rule |
| 2 | Repository Scan | Discovery Agent analyzes the legacy .NET codebase, identifying all projects, dependencies, and technical debt |
| 3 | Modernization Plan | Planner Agent uses Claude on Bedrock to reason over the dependency graph and create detailed upgrade strategies |
| 4 | Code Transformation | Transformer Agent executes iterative transformations using Strands Agent Loop and MCP tools via Lambda |
| 5 | Automated Build | DevOps Agent triggers CodeBuild pipeline on the transformed branch to validate compilation |
| 6 | Static & Unit Tests | QA Agent runs comprehensive test suites through CodeCatalyst, feeding results back for fixes |
| 7 | Container Image Publish | DevOps Agent builds Docker images, pushes to ECR, and creates ECS-Fargate task definitions |
| 8 | Post-mortem Memory | All artifacts and execution traces are stored in DynamoDB for continuous learning |
- Framework Selection: Choose the right framework (Strands, Bedrock Agents, LangGraph, CrewAI, AutoGen) based on workflow complexity and team expertise
- Protocol Adoption: Implement MCP for cross-framework communication to ensure interoperability
- Guardrail Layers: Apply proactive controls at provisioning, preventive SCPs at runtime, and detective rules for monitoring
- Comprehensive Instrumentation: Use LangFuse, CloudWatch, Bedrock trace, or custom OpenTelemetry pipelines for observability
- Continuous Iteration: Store all traces and conversations to enable prompt tuning, memory additions, and model swapping
- Implement least-privilege IAM policies for all agents
- Use AWS KMS for encryption at rest and in transit
- Enable CloudTrail logging for all agent actions
- Regular security audits using the AWS Security Audit Crew workflow
- Implement rate limiting and cost controls for AI model usage
- Use AWS Lambda for serverless agent execution
- Implement caching strategies with Redis/ElastiCache
- Design for horizontal scaling with ECS Fargate
- Use EventBridge for event-driven architectures
- Implement circuit breakers for external dependencies
- [Legacy .NET Application Modernization Crew](#1-legacy-net-application-modernization-crew)
- [Autonomous FinOps Cost-Optimization Assistant](#2-autonomous-finops-cost-optimization-assistant)
- [Multi-Agent Data-Ops Insight Hub](#3-multi-agent-data-ops-insight-hub)
- [AWS Security Audit Crew](#4-aws-security-audit-crew)
- [Conversational Code-Generation Studio](#5-conversational-code-generation-studio)
- [Cross-Framework Protocol Bridge](#6-cross-framework-protocol-bridge)
- [Data-Product RAG Pipeline](#7-data-product-rag-pipeline)
- [Tool-Integration Governance Pipeline](#8-tool-integration-governance-pipeline)
sequenceDiagram
autonumber
participant User as 👤 User/System
participant EB as 🔔 EventBridge
participant DA as 🔍 Discovery Agent
participant PA as 📋 Planner Agent
participant TA as 🔄 Transformer Agent
participant QA as ✅ QA Agent
participant DevOps as 🚀 DevOps Agent
participant AWS as ☁️ AWS Services
participant Memory as 💾 Memory Store
rect rgb(230, 255, 230)
Note over User,EB: INITIALIZATION PHASE
User->>EB: Code push or manual modernization request
EB->>DA: Trigger modernization workflow
end
rect rgb(255, 230, 230)
Note over DA,AWS: DISCOVERY PHASE
DA->>AWS: Scan repository structure
AWS-->>DA: Return codebase metadata
DA->>DA: Build dependency graph
DA->>PA: Send fingerprint & dependency analysis
end
rect rgb(230, 230, 255)
Note over PA,AWS: PLANNING PHASE
PA->>AWS: Request Claude on Bedrock
AWS-->>PA: AI reasoning capabilities
PA->>PA: Analyze dependency graph
PA->>PA: Generate per-project upgrade plan
PA->>TA: Send modernization blueprint
end
rect rgb(255, 255, 230)
Note over TA,AWS: TRANSFORMATION PHASE
TA->>TA: Execute Strands Agent Loop
loop For each project file
TA->>AWS: Invoke Lambda for transformation
AWS-->>TA: Return converted files
end
TA->>TA: Add Dockerfiles & configs
TA->>DevOps: Push transformed branch
end
rect rgb(255, 230, 255)
Note over DevOps,AWS: BUILD & DEPLOY PHASE
DevOps->>AWS: Trigger CodeBuild pipeline
AWS-->>DevOps: Build status & artifacts
DevOps->>QA: Request quality validation
end
rect rgb(230, 255, 255)
Note over QA,AWS: TESTING PHASE
QA->>AWS: Run CodeCatalyst test suite
AWS-->>QA: Test results & coverage
alt Tests Failed
QA->>PA: Request fixes
PA->>TA: Generate patches
else Tests Passed
QA->>DevOps: Approve for deployment
end
end
rect rgb(240, 240, 240)
Note over DevOps,Memory: DEPLOYMENT & LEARNING PHASE
DevOps->>AWS: Push to ECR
DevOps->>AWS: Create ECS-Fargate task definitions
AWS-->>DevOps: Deployment confirmation
DevOps->>Memory: Store artifacts & traces
Memory->>Memory: Update DynamoDB for next iteration
end
| Step | Component | Description |
|---|---|---|
| 1 | Trigger | Code push to repository or manual modernization request initiates the workflow via EventBridge rule |
| 2 | Repository Scan | Discovery Agent analyzes the legacy .NET codebase, identifying all projects, dependencies, and technical debt |
| 3 | Modernization Plan | Planner Agent uses Claude on Bedrock to reason over the dependency graph and create detailed upgrade strategies |
| 4 | Code Transformation | Transformer Agent executes iterative transformations using Strands Agent Loop and MCP tools via Lambda |
| 5 | Automated Build | DevOps Agent triggers CodeBuild pipeline on the transformed branch to validate compilation |
| 6 | Static & Unit Tests | QA Agent runs comprehensive test suites through CodeCatalyst, feeding results back for fixes |
| 7 | Container Image Publish | DevOps Agent builds Docker images, pushes to ECR, and creates ECS-Fargate task definitions |
| 8 | Post-mortem Memory | All artifacts and execution traces are stored in DynamoDB for continuous learning |
sequenceDiagram
autonumber
participant User as 👤 User
participant UI as 🖥️ Web UI
participant Supervisor as 👔 FinOps Supervisor
participant Fetcher as 💰 Spend Fetcher
participant Detector as 🔍 Anomaly Detector
participant Writer as ✍️ Recommendation Writer
participant Analyst as 👨💼 Human Analyst
participant AWS as ☁️ AWS Services
participant Audit as 📊 Audit System
rect rgb(230, 255, 230)
Note over User,Supervisor: QUERY INITIATION
User->>UI: "How can I cut S3 spend in EU-West?"
UI->>Supervisor: Forward query with context
end
rect rgb(255, 230, 230)
Note over Supervisor,AWS: INTENT ROUTING
Supervisor->>Supervisor: Analyze query intent
Supervisor->>Supervisor: Select tool chain (Cost Explorer API)
Supervisor->>Fetcher: Delegate data retrieval task
end
rect rgb(230, 230, 255)
Note over Fetcher,AWS: DATA COLLECTION
Fetcher->>AWS: Bedrock Action Group → Lambda
AWS->>AWS: Call Cost Explorer API
AWS-->>Fetcher: Return spending data
Fetcher->>Supervisor: Provide structured cost data
end
rect rgb(255, 255, 230)
Note over Detector,AWS: PATTERN ANALYSIS
Supervisor->>Detector: Request anomaly analysis
Detector->>AWS: Query Knowledge Base (S3 + OpenSearch)
AWS-->>Detector: Historical patterns & benchmarks
Detector->>Detector: Identify cost anomalies
Detector->>Supervisor: Report findings
end
rect rgb(255, 230, 255)
Note over Writer,Supervisor: RECOMMENDATION GENERATION
Supervisor->>Writer: Request optimization plan
Writer->>Writer: Generate human-readable recommendations
Writer->>Writer: Calculate potential savings
Writer->>Writer: Add account citations
Writer->>Supervisor: Draft recommendation document
end
rect rgb(230, 255, 255)
Note over Analyst,Supervisor: HUMAN REVIEW (OPTIONAL)
alt Human Review Required
Supervisor->>Analyst: Present recommendations
Analyst->>Analyst: Review & modify
Analyst->>Supervisor: Approve/Request changes
else Auto-approved
Supervisor->>Supervisor: Apply auto-approval rules
end
end
rect rgb(240, 240, 240)
Note over Supervisor,Audit: ACTION & AUDIT
Supervisor->>AWS: Create Jira tickets via Action Group
AWS-->>Supervisor: Ticket IDs
Supervisor->>Audit: Store trace in Bedrock
Audit->>Audit: Version and archive decision chain
Supervisor->>UI: Return recommendations to user
UI->>User: Display optimization plan
end
| Step | Component | Description |
|---|---|---|
| 1 | User Prompt | User submits cost optimization query through web interface with specific parameters |
| 2 | Intent Routing | Supervisor agent analyzes intent and selects appropriate AWS Cost Explorer tools |
| 3 | Secure Data Pull | Spend Fetcher uses Bedrock Action Groups with Lambda to securely retrieve cost data |
| 4 | Pattern Mining | Anomaly Detector queries historical patterns from Knowledge Base to identify unusual spending |
| 5 | Draft Recommendation | Recommendation Writer produces actionable, human-readable optimization plans with savings estimates |
| 6 | Human-in-the-Loop | Optional analyst review for high-impact recommendations or complex scenarios |
| 7 | Ticket Creation | Approved actions automatically create tracked Jira issues for implementation |
| 8 | Trace & Version | Complete decision chain stored in Bedrock for audit compliance and continuous improvement |
sequenceDiagram
autonumber
participant Timer as ⏰ Timer
participant Sensor as 📡 Sensor Agent
participant VectorLoad as 📦 VectorLoad Agent
participant RCA as 🔬 Root Cause Agent
participant Summary as 📝 Summary Agent
participant Engineer as 👷 Engineer
participant Escalation as 🚨 Escalation System
participant AWS as ☁️ AWS Services
participant Monitor as 📊 Monitoring
rect rgb(230, 255, 230)
Note over Timer,AWS: CONTINUOUS MONITORING
loop Every 5 minutes
Timer->>Sensor: Trigger pipeline check
Sensor->>AWS: Poll Glue/EMR metrics
AWS-->>Sensor: Return pipeline status
end
end
rect rgb(255, 230, 230)
Note over Sensor,VectorLoad: DATA INGESTION
Sensor->>VectorLoad: Send new log data
VectorLoad->>VectorLoad: Chunk log entries
VectorLoad->>AWS: Store in PGVector DB
AWS-->>VectorLoad: Confirmation
end
rect rgb(230, 230, 255)
Note over Sensor,RCA: ANOMALY DETECTION
alt Anomaly Detected
Sensor->>RCA: Send anomaly event
RCA->>AWS: Query vector DB for similar issues
AWS-->>RCA: Historical patterns
RCA->>RCA: LLM correlation analysis
RCA->>RCA: Identify root cause
end
end
rect rgb(255, 255, 230)
Note over RCA,Summary: INSIGHT GENERATION
RCA->>Summary: Send analysis results
Summary->>Summary: Generate Slack-ready synopsis
Summary->>Summary: Format key findings
Summary->>Engineer: Post to Slack channel
end
rect rgb(255, 230, 255)
Note over Engineer,Monitor: FEEDBACK LOOP
Engineer->>Engineer: React with emoji
Engineer->>Monitor: Feedback signal
Monitor->>Monitor: Store in LangGraph memory
Monitor->>Monitor: Update reinforcement metrics
end
rect rgb(230, 255, 255)
Note over Summary,Escalation: ESCALATION MANAGEMENT
alt MTTR Target Breached
Summary->>Escalation: Trigger escalation
Escalation->>AWS: Create PagerDuty incident
AWS-->>Escalation: Incident ID
Escalation->>Engineer: Page on-call engineer
end
end
rect rgb(240, 240, 240)
Note over Monitor,AWS: OBSERVABILITY
Monitor->>Monitor: Track token usage
Monitor->>Monitor: Measure latency
Monitor->>AWS: Push to LangSmith/LangFuse
AWS-->>Monitor: Dashboard updates
end
| Step | Component | Description |
|---|---|---|
| 1 | Pipeline Monitoring | Sensor Agent polls data pipeline metrics from Glue and EMR every 5 minutes |
| 2 | Log Vectorization | VectorLoad Agent chunks and ingests run logs into PGVector for semantic search |
| 3 | Anomaly Analysis | Root Cause Agent receives anomaly events and correlates with historical data using LLM |
| 4 | Summary Generation | Summary Agent creates concise, actionable Slack messages for engineering team |
| 5 | Feedback Collection | Engineer reactions stored as reinforcement signals in LangGraph memory |
| 6 | Automated Escalation | PagerDuty incidents created automatically when MTTR targets are breached |
| 7 | Meta-tool Management | LangGraph workflow manages retries and implements exponential back-off strategies |
| 8 | Performance Tracking | LangSmith/LangFuse monitors token usage, latency, and system performance metrics |
sequenceDiagram
autonumber
participant Trigger as ⏰ EventBridge
participant Lead as 👮 Lead Auditor
participant IAM as 🔐 IAM Reviewer
participant Network as 🌐 Network Scanner
participant Guard as 🛡️ GuardDuty Synthesizer
participant Remediation as 🔧 Remediation Bot
participant Human as 👤 Security Lead
participant AWS as ☁️ AWS Services
participant Report as 📄 Report System
rect rgb(230, 255, 230)
Note over Trigger,Lead: AUDIT INITIATION
Trigger->>Lead: Daily schedule trigger
Lead->>Lead: Receive "Audit prod accounts" directive
Lead->>Lead: Create audit plan
end
rect rgb(255, 230, 230)
Note over Lead,Guard: TASK DELEGATION
Lead->>Lead: CrewAI role-based planning
par Parallel Execution
Lead->>IAM: Assign IAM audit task
and
Lead->>Network: Assign network audit task
and
Lead->>Guard: Assign GuardDuty review
end
end
rect rgb(230, 230, 255)
Note over IAM,AWS: IAM SECURITY SCAN
IAM->>AWS: Run Access Analyzer
AWS-->>IAM: Permission findings
IAM->>IAM: Flag wide permissions
IAM->>Lead: Submit IAM evidence
end
rect rgb(255, 255, 230)
Note over Network,AWS: NETWORK AUDIT
Network->>AWS: Audit Security Groups
Network->>AWS: Analyze VPC Flow Logs
AWS-->>Network: Network vulnerabilities
Network->>Lead: Submit network findings
end
rect rgb(255, 230, 255)
Note over Guard,AWS: THREAT SYNTHESIS
Guard->>AWS: Query GuardDuty findings
AWS-->>Guard: Latest security events
Guard->>Guard: Merge JSON evidence
Guard->>Guard: Prioritize by severity
Guard->>Lead: Submit threat analysis
end
rect rgb(230, 255, 255)
Note over Lead,Report: REPORT GENERATION
Lead->>Lead: Aggregate all findings
Lead->>Report: Generate markdown report
Report->>AWS: Link CloudWatch metrics
Report->>Remediation: Trigger auto-remediation
end
rect rgb(240, 240, 240)
Note over Remediation,Human: REMEDIATION & APPROVAL
Remediation->>Remediation: Draft SCP changes
Remediation->>AWS: Create PRs for perimeter repo
AWS-->>Human: Notification of pending changes
Human->>Human: Review changes
alt Approved
Human->>AWS: Merge PR
else Needs Changes
Human->>Remediation: Comment on PR
Remediation->>Remediation: Update patches
end
end
rect rgb(250, 250, 250)
Note over Trigger,AWS: CONTINUOUS LOOP
Note right of Trigger: Repeats every 24 hours via EventBridge
end
| Step | Component | Description |
|---|---|---|
| 1 | Kick-off | Lead Auditor triggered by EventBridge on 24-hour schedule for production audit |
| 2 | Task Delegation | CrewAI role-based planner assigns specialized scanning tasks to each agent |
| 3 | Parallel Evidence Gathering | Specialist agents use MCP tools with STS-assumed roles for secure access |
| 4 | Findings Aggregation | GuardDuty Synthesizer merges JSON evidence from all security sources |
| 5 | Draft Report | Lead Auditor produces comprehensive markdown report with CloudWatch metric links |
| 6 | Auto-patch Generation | Remediation Bot creates pull requests for Service Control Policy updates |
| 7 | Human Approval | Security lead reviews and merges changes or requests modifications |
| 8 | Continuous Loop | Process repeats every 24 hours via EventBridge scheduling |
sequenceDiagram
autonumber
participant PO as 👤 Product Owner
participant Architect as 🏗️ Architect Agent
participant Coder as 💻 Coder Agent
participant Runner as 🏃 Runner Agent
participant Debugger as 🐛 Debugger Agent
participant Doc as 📚 Doc Agent
participant AWS as ☁️ AWS Services
participant Memory as 🧠 Memory Store
rect rgb(230, 255, 230)
Note over PO,Architect: REQUIREMENTS GATHERING
PO->>Architect: Describe feature requirements
Architect->>PO: Clarifying questions
PO->>Architect: Provide specifications
end
rect rgb(255, 230, 230)
Note over Architect,AWS: ARCHITECTURE DESIGN
Architect->>Architect: Design module skeleton
Architect->>Architect: Create UML diagrams in PlantUML
Architect->>AWS: Store design artifacts
Architect->>Coder: Send architecture blueprint
end
rect rgb(230, 230, 255)
Note over Coder,Architect: CODE GENERATION
Coder->>Coder: Generate initial code
loop AutoGen Async Chat
Coder->>Architect: Technical questions
Architect->>Coder: Architecture guidance
Coder->>Coder: Refine implementation
end
Coder->>Runner: Submit code for testing
end
rect rgb(255, 255, 230)
Note over Runner,AWS: TEST EXECUTION
Runner->>AWS: Deploy to Lambda/Firecracker
AWS-->>Runner: Sandbox environment ready
Runner->>Runner: Execute unit tests
Runner->>Runner: Collect test results
end
rect rgb(255, 230, 255)
Note over Runner,Debugger: DEBUGGING LOOP
alt Tests Failed
Runner->>Debugger: Send failure details
Debugger->>Debugger: Analyze errors
Debugger->>Coder: Request patches
Coder->>Coder: Fix issues
Coder->>Runner: Resubmit code
else Tests Passed
Runner->>Doc: Trigger documentation
end
end
rect rgb(230, 255, 255)
Note over Doc,AWS: DOCUMENTATION
Doc->>Doc: Extract code comments
Doc->>Doc: Generate API documentation
Doc->>Doc: Create usage examples
Doc->>AWS: Store documentation
end
rect rgb(240, 240, 240)
Note over Coder,Memory: DEPLOYMENT & LEARNING
Coder->>AWS: Push to CodeCommit
AWS-->>Coder: Merge confirmation
Memory->>AWS: Store all chat logs in S3
Memory->>Memory: Prepare data for LLM fine-tuning
end
| Step | Component | Description |
|---|---|---|
| 1 | User Story Intake | Product Owner describes feature requirements in natural language |
| 2 | Architecture Design | Architect Agent creates module skeleton and UML diagrams in PlantUML |
| 3 | Code Generation | Coder Agent generates implementation with AutoGen async chat for clarifications |
| 4 | Test Execution | Runner Agent executes unit tests in Lambda/Firecracker sandboxes |
| 5 | Debug Iteration | Debugger Agent patches failing tests in collaboration with Coder Agent |
| 6 | Documentation Creation | Doc Agent produces comprehensive API documentation from code comments |
| 7 | Code Merge | Upon green tests, code is pushed to CodeCommit repository |
| 8 | Retrospective Memory | All conversations stored in S3 for future LLM fine-tuning |
sequenceDiagram
autonumber
participant User as 👤 User
participant Strands as 🔗 Strands Agent
participant MCP as 🌉 MCP Protocol
participant LangChain as ⛓️ LangChain Agent
participant OAuth as 🔒 OAuth Provider
participant Cache as 💾 Redis Cache
participant AWS as ☁️ AWS Services
participant Audit as 📊 CloudTrail
rect rgb(230, 255, 230)
Note over User,Strands: QUERY INITIATION
User->>Strands: Submit query
Strands->>Strands: Process in Lambda
Strands->>Strands: Identify capability gap
end
rect rgb(255, 230, 230)
Note over Strands,MCP: CAPABILITY DISCOVERY
Strands->>Strands: Need Data-Insight capability
Strands->>MCP: Request external agent connection
MCP->>MCP: Resolve LangChain endpoint
end
rect rgb(230, 230, 255)
Note over MCP,OAuth: AUTHENTICATION
MCP->>OAuth: Request OAuth 2.0 token
OAuth->>OAuth: Validate scopes
OAuth-->>MCP: Return access token
MCP->>MCP: Establish secure channel
end
rect rgb(255, 255, 230)
Note over MCP,LangChain: INTER-AGENT COMMUNICATION
MCP->>LangChain: Open HTTP stream session
LangChain->>LangChain: Process request
LangChain->>LangChain: Infer answer
LangChain->>MCP: Return structured response
end
rect rgb(255, 230, 255)
Note over Strands,User: RESPONSE SYNTHESIS
MCP-->>Strands: Deliver external insights
Strands->>Strands: Merge with local context
Strands->>User: Provide unified response
end
rect rgb(230, 255, 255)
Note over MCP,Audit: LOGGING & AUDIT
MCP->>Audit: Log request to CloudTrail
Audit->>AWS: Store in organization trail
MCP->>Cache: Cache response in Redis
end
rect rgb(240, 240, 240)
Note over Cache,Strands: PERFORMANCE OPTIMIZATION
Note right of Cache: Future requests check cache first for low-latency responses
end
| Step | Component | Description |
|---|---|---|
| 1 | User Query | User submits query to Strands agent running in AWS Lambda |
| 2 | Capability Recognition | Strands identifies need for specialized Data-Insight capability from external agent |
| 3 | Protocol Bridge | MCP Inter-Agent protocol opens streamable HTTP session to LangChain stack |
| 4 | External Processing | LangChain agent processes request and returns structured MCP message |
| 5 | Context Merge | Strands agent combines external response with its own context |
| 6 | Security Layer | OAuth 2.0 scopes protect both sides of the communication |
| 7 | Audit Trail | All requests logged in central CloudTrail organization trail |
| 8 | Response Caching | Results cached in Redis for future low-latency responses |
sequenceDiagram
autonumber
participant User as 👤 User
participant Router as 🚦 Query Router
participant Retriever as 🔍 Retriever
participant Grounding as ⚓ Grounding Agent
participant Generator as ✨ LLM Generator
participant Compliance as ✅ Compliance Checker
participant AWS as ☁️ AWS Services
participant Metrics as 📊 CloudWatch
rect rgb(230, 255, 230)
Note over User,Router: QUERY RECEPTION
User->>Router: "Summarize competitive landscape for product X"
Router->>Router: Classify query domain
Router->>Router: Select appropriate vector store
end
rect rgb(255, 230, 230)
Note over Router,AWS: DOCUMENT RETRIEVAL
Router->>Retriever: Forward classified query
Retriever->>AWS: Query Bedrock Knowledge Base
AWS-->>Retriever: Return top-k documents
Retriever->>Grounding: Send retrieved documents
end
rect rgb(230, 230, 255)
Note over Grounding,Retriever: SOURCE VALIDATION
Grounding->>Grounding: Validate source authenticity
Grounding->>Grounding: Check for hallucinations
alt Invalid Sources
Grounding->>Grounding: Drop unreliable docs
end
Grounding->>Generator: Pass validated sources
end
rect rgb(255, 255, 230)
Note over Generator,Generator: CONTENT GENERATION
Generator->>Generator: Craft comprehensive brief
Generator->>Generator: Add source citations
Generator->>Generator: Structure with headers
Generator->>Compliance: Submit for review
end
rect rgb(255, 230, 255)
Note over Compliance,AWS: COMPLIANCE CHECK
Compliance->>AWS: Run RCAC validation
AWS-->>Compliance: Access control results
Compliance->>AWS: PII redaction Lambda
AWS-->>Compliance: Sanitized content
Compliance->>Compliance: Final approval
end
rect rgb(230, 255, 255)
Note over Compliance,User: DELIVERY
Compliance->>AWS: Generate signed PDF
AWS->>AWS: Create S3 presigned URL
AWS-->>User: Deliver secure link
User->>User: Access document
end
rect rgb(240, 240, 240)
Note over Metrics,AWS: PERFORMANCE TRACKING
Metrics->>AWS: Push response SLOs
AWS->>AWS: CloudWatch Evidently
AWS-->>Metrics: Dashboard updates
end
| Step | Component | Description |
|---|---|---|
| 1 | Prompt Reception | Query Router receives and classifies user request for competitive analysis |
| 2 | Domain Routing | Router selects appropriate vector store based on query classification |
| 3 | Document Retrieval | Retriever queries Bedrock Knowledge Base or OpenSearch for top-k relevant documents |
| 4 | Source Grounding | Grounding Agent validates sources and removes potential hallucinations |
| 5 | Brief Generation | LLM Generator creates comprehensive brief with proper source citations |
| 6 | Compliance Review | Compliance Checker runs RCAC and PII redaction via Lambda functions |
| 7 | Secure Delivery | System generates signed PDF with S3 presigned URL for secure access |
| 8 | Metrics Collection | Response-level SLOs pushed to CloudWatch Evidently for monitoring |
sequenceDiagram
autonumber
participant Dev as 👨💻 Developer
participant Catalog as 📚 Service Catalog
participant Scanner as 🔍 Compliance Scanner
participant ControlTower as 🏗️ Control Tower
participant Canary as 🐤 Synthetic Canary
participant SecHub as 🛡️ Security Hub
participant Lambda as ⚡ Lambda Function
participant RAM as 🔄 Resource Access Manager
participant Config as ⚙️ AWS Config
rect rgb(230, 255, 230)
Note over Dev,Catalog: TOOL SUBMISSION
Dev->>Catalog: Submit MCP-tool manifest
Catalog->>Scanner: Forward for validation
end
rect rgb(255, 230, 230)
Note over Scanner,Scanner: STATIC COMPLIANCE
Scanner->>Scanner: Check OAuth scopes
Scanner->>Scanner: Validate permissions
alt Wild-card Detected
Scanner->>Dev: Deny submission
Dev->>Dev: Fix permissions
else Compliant
Scanner->>ControlTower: Approve for sandbox
end
end
rect rgb(230, 230, 255)
Note over ControlTower,ControlTower: SANDBOX DEPLOYMENT
ControlTower->>ControlTower: Spin up test account
ControlTower->>ControlTower: Deploy tool in isolation
ControlTower->>Canary: Trigger runtime tests
end
rect rgb(255, 255, 230)
Note over Canary,SecHub: RUNTIME TESTING
Canary->>Canary: Call tool endpoints
Canary->>Canary: Verify authentication
Canary->>Canary: Test error handling
alt Tests Pass
Canary->>SecHub: Create suppress flag
else Tests Fail
Canary->>SecHub: High-severity alert
SecHub->>Dev: Notify failure
end
end
rect rgb(255, 230, 255)
Note over SecHub,Lambda: SCP UPDATE
SecHub->>Lambda: Trigger approval workflow
Lambda->>Lambda: Update allowed-tools SCP
Lambda->>Lambda: Add tool ARN to whitelist
Lambda->>RAM: Request cross-account share
end
rect rgb(230, 255, 255)
Note over RAM,RAM: PRODUCTION SHARE
RAM->>RAM: Configure sharing rules
RAM->>RAM: Share with production OUs
RAM->>Dev: Confirm deployment
end
rect rgb(240, 240, 240)
Note over Config,Config: DRIFT DETECTION
loop Weekly
Config->>Config: Run conformance pack
Config->>Config: Check compliance status
alt Drift Detected
Config->>SecHub: Create finding
end
end
end
| Step | Component | Description |
|---|---|---|
| 1 | Tool Submission | Developer submits MCP-tool manifest to Service Catalog for registration |
| 2 | Static Compliance Scan | Proactive control checks OAuth scopes and denies wild-card permissions |
| 3 | Auto Deployment | Control Tower Account Factory creates isolated sandbox for testing |
| 4 | Runtime Test Suite | Synthetic Canary validates authentication, endpoints, and error handling |
| 5 | Security Hub Finding | Test results create suppress flag for passed tests or high-severity alerts for failures |
| 6 | Automatic SCP Update | Lambda function adds approved tool ARN to allowed-tools Service Control Policy |
| 7 | Cross-account Share | Resource Access Manager shares tool with production organizational units |
| 8 | Periodic Drift-detection | AWS Config conformance pack checks compliance weekly and flags violations |
- Framework Selection: Choose the right framework (Strands, Bedrock Agents, LangGraph, CrewAI, AutoGen) based on workflow complexity and team expertise
- Protocol Adoption: Implement MCP for cross-framework communication to ensure interoperability
- Guardrail Layers: Apply proactive controls at provisioning, preventive SCPs at runtime, and detective rules for monitoring
- Comprehensive Instrumentation: Use LangFuse, CloudWatch, Bedrock trace, or custom OpenTelemetry pipelines for observability
- Continuous Iteration: Store all traces and conversations to enable prompt tuning, memory additions, and model swapping
- Implement least-privilege IAM policies for all agents
- Use AWS KMS for encryption at rest and in transit
- Enable CloudTrail logging for all agent actions
- Regular security audits using the AWS Security Audit Crew workflow
- Implement rate limiting and cost controls for AI model usage
- Use AWS Lambda for serverless agent execution
- Implement caching strategies with Redis/ElastiCache
- Design for horizontal scaling with ECS Fargate
- Use EventBridge for event-driven architectures
- Implement circuit breakers for external dependencies