aws-cloudformation-bedrock


AWS CloudFormation Amazon Bedrock


Overview


Create production-ready AI infrastructure using AWS CloudFormation templates for Amazon Bedrock. This skill covers Bedrock agents, knowledge bases for RAG implementations, data source connectors, guardrails for content moderation, prompt management, workflow orchestration with flows, and inference profiles for optimized model access.

When to Use


Use this skill when:
  • Creating Bedrock agents with action groups and function definitions
  • Implementing Retrieval-Augmented Generation (RAG) with knowledge bases
  • Configuring data sources (S3, web crawl, custom connectors)
  • Setting up vector store configurations (OpenSearch, Pinecone, pgvector)
  • Creating content moderation guardrails
  • Managing prompt templates and versions
  • Orchestrating AI workflows with Bedrock Flows
  • Configuring inference profiles for multi-model access
  • Setting up application inference profiles for optimized model routing
  • Organizing templates with Parameters, Outputs, Mappings, Conditions
  • Implementing cross-stack references with export/import

CloudFormation Template Structure


Base Template with Standard Format


```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Amazon Bedrock agent with knowledge base for RAG

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Agent Configuration
        Parameters:
          - AgentName
          - AgentDescription
          - FoundationModel
      - Label:
          default: Knowledge Base Settings
        Parameters:
          - KnowledgeBaseName
          - VectorStoreType
          - EmbeddingModel
      - Label:
          default: Deployment Settings
        Parameters:
          - Environment

Parameters:
  AgentName:
    Type: String
    Default: my-bedrock-agent
    Description: Name of the Bedrock agent

  AgentDescription:
    Type: String
    Default: Agent for customer support automation
    Description: Description of the agent's purpose

  FoundationModel:
    Type: String
    Default: anthropic.claude-v2:1
    Description: Foundation model for the agent
    AllowedValues:
      - anthropic.claude-v2:1
      - anthropic.claude-v3:5
      - anthropic.claude-sonnet-4-20250514
      - amazon.titan-text-express-v1
      - meta.llama3-70b-instruct-v1:0

  KnowledgeBaseName:
    Type: String
    Default: my-knowledge-base
    Description: Name of the knowledge base

  VectorStoreType:
    Type: String
    Default: OPENSEARCH_SERVERLESS
    Description: Vector store type for knowledge base
    AllowedValues:
      - OPENSEARCH_SERVERLESS
      - PINECONE
      - PGVECTOR
      - REDIS

  EmbeddingModel:
    Type: String
    Default: amazon.titan-embed-text-v1
    Description: Embedding model for vectorization
    AllowedValues:
      - amazon.titan-embed-text-v1
      - amazon.titan-embed-text-v2:0
      - cohere.embed-multilingual-v3:0

  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Mappings:
  EnvironmentConfig:
    dev:
      AgentVersion: DRAFT
      IndexCapacity: 1
      InferenceUnit: 1
    staging:
      AgentVersion: DRAFT
      IndexCapacity: 5
      InferenceUnit: 2
    production:
      AgentVersion: RELEASE
      IndexCapacity: 10
      InferenceUnit: 5

Conditions:
  IsProduction: !Equals [!Ref Environment, production]
  UseOpenSearch: !Equals [!Ref VectorStoreType, OPENSEARCH_SERVERLESS]

Transform:
  - AWS::Serverless-2016-10-31

Resources:
  # Bedrock Agent
  BedrockAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Ref AgentName
      Description: !Ref AgentDescription
      FoundationModel: !Ref FoundationModel
      IdleSessionTTLInSeconds: 1800
      AgentResourceRoleArn: !GetAtt AgentResourceRole.Arn
      AutoPrepare: true

  # Agent Alias: callers invoke a published alias rather than the mutable DRAFT
  # version, and AWS::Bedrock::Agent itself exposes no alias attribute
  BedrockAgentAlias:
    Type: AWS::Bedrock::AgentAlias
    Properties:
      AgentId: !Ref BedrockAgent
      AgentAliasName: !Ref Environment

  # Agent Resource Role, scoped to the selected model
  AgentResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-bedrock-agent-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy protection: only Bedrock resources in this account may assume the role
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-bedrock-agent-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                # Foundation-model ARNs have an empty account field
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/${FoundationModel}"

Outputs:
  AgentId:
    Description: ID of the Bedrock agent
    Value: !GetAtt BedrockAgent.AgentId
    Export:
      Name: !Sub "${AWS::StackName}-AgentId"

  AgentAliasId:
    Description: Alias ID of the Bedrock agent
    Value: !GetAtt BedrockAgentAlias.AgentAliasId
    Export:
      Name: !Sub "${AWS::StackName}-AgentAliasId"

  AgentArn:
    Description: ARN of the Bedrock agent
    Value: !GetAtt BedrockAgent.AgentArn
    Export:
      Name: !Sub "${AWS::StackName}-AgentArn"
```

Best Practices for Parameters


Parameter Types for Resource Identifiers


```yaml
Parameters:
  # CloudFormation has no Bedrock-, S3-, IAM- or KMS-specific parameter types (the
  # AWS-specific types cover EC2, Route 53 and SSM), so identifiers are declared as
  # String and validated with AllowedPattern so that bad input fails before deployment
  AgentId:
    Type: String
    Description: Existing Bedrock agent ID
    AllowedPattern: "[0-9a-zA-Z]{10}"
    ConstraintDescription: Must be a 10-character alphanumeric agent ID

  KnowledgeBaseId:
    Type: String
    Description: Existing knowledge base ID
    AllowedPattern: "[0-9a-zA-Z]{10}"
    ConstraintDescription: Must be a 10-character alphanumeric knowledge base ID

  GuardrailId:
    Type: String
    Description: Existing guardrail ID
    AllowedPattern: "[a-z0-9]+"
    ConstraintDescription: Must be a lowercase alphanumeric guardrail ID

  FoundationModelArn:
    Type: String
    Description: ARN of foundation model
    AllowedPattern: "arn:aws[a-z-]*:bedrock:[a-z0-9-]+::foundation-model/[a-zA-Z0-9.:-]+"
    ConstraintDescription: Must be a foundation-model ARN (no account ID in the ARN)

  FoundationModelIdentifier:
    Type: String
    Description: Identifier of foundation model
    AllowedPattern: "[a-zA-Z0-9.:-]+"
    ConstraintDescription: Must be a model identifier such as anthropic.claude-v2:1

  S3BucketArn:
    Type: String
    Description: S3 bucket ARN for data sources
    AllowedPattern: "arn:aws[a-z-]*:s3:::[a-z0-9.-]{3,63}"
    ConstraintDescription: Must be an S3 bucket ARN

  IAMRoleArn:
    Type: String
    Description: IAM role for Bedrock operations
    AllowedPattern: "arn:aws[a-z-]*:iam::[0-9]{12}:role/.+"
    ConstraintDescription: Must be an IAM role ARN

  KMSKeyArn:
    Type: String
    Description: KMS key for encryption
    AllowedPattern: "arn:aws[a-z-]*:kms:[a-z0-9-]+:[0-9]{12}:key/[0-9a-f-]{36}"
    ConstraintDescription: Must be a KMS key ARN (key ID, not alias)
```

Parameter Constraints


```yaml
Parameters:
  AgentName:
    Type: String
    Default: my-agent
    Description: Bedrock agent name
    # The Default must itself satisfy the pattern; a pattern without the hyphen
    # would reject "my-agent" at stack creation
    ConstraintDescription: Must be 1-100 characters, alphanumeric, underscores and hyphens
    MinLength: 1
    MaxLength: 100
    AllowedPattern: "[a-zA-Z0-9_-]+"

  KnowledgeBaseName:
    Type: String
    Default: my-kb
    Description: Knowledge base name
    ConstraintDescription: Must be 1-100 characters
    MinLength: 1
    MaxLength: 100

  MaxTokens:
    Type: Number
    Default: 4096
    Description: Maximum tokens for model response
    MinValue: 1
    MaxValue: 100000
    ConstraintDescription: Must be between 1 and 100000

  Temperature:
    Type: Number
    Default: 0.7
    Description: Temperature for model generation
    MinValue: 0
    MaxValue: 1
    ConstraintDescription: Must be between 0 and 1
```

SSM Parameter References for Model Identifiers


```yaml
Parameters:
  # The parameter value is the SSM parameter name; CloudFormation resolves it at deploy time
  ClaudeModelIdentifier:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /bedrock/models/claude-identifier
    Description: Claude model identifier from SSM

  EmbeddingModelIdentifier:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /bedrock/models/embedding-identifier
    Description: Embedding model identifier from SSM
```

Outputs and Cross-Stack References


Export/Import Patterns


```yaml
# Stack A - Bedrock Infrastructure Stack
AWSTemplateFormatVersion: "2010-09-09"
Description: Bedrock infrastructure stack with agents and knowledge bases

Parameters:
  AgentRoleArn:
    Type: String
    Description: ARN of the IAM role the agent assumes
  KnowledgeBaseRoleArn:
    Type: String
    Description: ARN of the IAM role the knowledge base uses for embedding and OpenSearch access
  OpenSearchCollectionArn:
    Type: String
    Description: ARN of the OpenSearch Serverless collection that holds the vector index

Resources:
  # Bedrock Agent
  CustomerSupportAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-support-agent"
      Description: Agent for customer support
      FoundationModel: anthropic.claude-v3:5
      AgentResourceRoleArn: !Ref AgentRoleArn
      AutoPrepare: true

  # Agent Alias, exported for consumers (InvokeAgent targets an alias, not the DRAFT version)
  CustomerSupportAgentAlias:
    Type: AWS::Bedrock::AgentAlias
    Properties:
      AgentId: !Ref CustomerSupportAgent
      AgentAliasName: live

  # Knowledge Base
  SupportKnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      Name: !Sub "${AWS::StackName}-support-kb"
      Description: Knowledge base for customer support
      RoleArn: !Ref KnowledgeBaseRoleArn
      KnowledgeBaseConfiguration:
        Type: VECTOR
        VectorKnowledgeBaseConfiguration:
          EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/amazon.titan-embed-text-v1"
      StorageConfiguration:
        Type: OPENSEARCH_SERVERLESS
        OpensearchServerlessConfiguration:
          CollectionArn: !Ref OpenSearchCollectionArn
          VectorIndexName: knowledge-base-index
          FieldMapping:
            VectorField: vector
            TextField: text
            MetadataField: metadata

Outputs:
  AgentId:
    Description: ID of the Bedrock agent
    Value: !GetAtt CustomerSupportAgent.AgentId
    Export:
      Name: !Sub "${AWS::StackName}-AgentId"

  AgentAliasId:
    Description: Alias ID of the Bedrock agent
    Value: !GetAtt CustomerSupportAgentAlias.AgentAliasId
    Export:
      Name: !Sub "${AWS::StackName}-AgentAliasId"

  AgentArn:
    Description: ARN of the Bedrock agent
    Value: !GetAtt CustomerSupportAgent.AgentArn
    Export:
      Name: !Sub "${AWS::StackName}-AgentArn"

  KnowledgeBaseId:
    Description: ID of the knowledge base
    Value: !GetAtt SupportKnowledgeBase.KnowledgeBaseId
    Export:
      Name: !Sub "${AWS::StackName}-KnowledgeBaseId"

  KnowledgeBaseArn:
    Description: ARN of the knowledge base
    Value: !GetAtt SupportKnowledgeBase.KnowledgeBaseArn
    Export:
      Name: !Sub "${AWS::StackName}-KnowledgeBaseArn"
```

```yaml
# Stack B - Application Stack (imports from Stack A)
AWSTemplateFormatVersion: "2010-09-09"
Description: Application stack using Bedrock agent

Parameters:
  BedrockStackName:
    Type: String
    Default: bedrock-infrastructure
    Description: Name of the Bedrock infrastructure stack
  CodeBucket:
    Type: String
    Description: S3 bucket holding the Lambda deployment package

Resources:
  # Lambda function that invokes Bedrock agent
  AgentInvokerFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-agent-invoker"
      Runtime: python3.11
      Handler: handler.invoke_agent
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: lambda/agent-invoker.zip
      Environment:
        Variables:
          # The !ImportValue short form cannot wrap a !Sub; use the long form
          AGENT_ID:
            Fn::ImportValue: !Sub "${BedrockStackName}-AgentId"
          AGENT_ALIAS_ID:
            Fn::ImportValue: !Sub "${BedrockStackName}-AgentAliasId"
      Role: !GetAtt LambdaExecutionRole.Arn

  # Lambda Execution Role with Bedrock permissions
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-lambda-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: BedrockAgentInvoke
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeAgent
                # InvokeAgent is authorised on the agent-alias ARN; scope it to the imported agent and alias
                Resource: !Sub
                  - "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent-alias/${AgentId}/${AliasId}"
                  - AgentId:
                      Fn::ImportValue: !Sub "${BedrockStackName}-AgentId"
                    AliasId:
                      Fn::ImportValue: !Sub "${BedrockStackName}-AgentAliasId"
```
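The template conventions above (a quoted format version, Interface groups that name real parameters, Defaults that satisfy their own constraints, IAM statements scoped to model or agent ARNs, and imports that match a producer's exports) can all be checked before anything is deployed. The following Python is an added example and not part of this skill: it works on templates already parsed into dicts in the long-form intrinsic notation that a YAML loader with CloudFormation tag constructors produces (`!Sub "x"` becomes `{"Fn::Sub": "x"}`), and the `PRODUCER`, `CONSUMER` and `UNQUOTED_VERSION_TEMPLATE` fixtures are constructed for the demonstration.

```python
"""Offline checks for Bedrock CloudFormation templates (added example).

Templates are the Python dicts a YAML loader with CloudFormation tag
constructors yields: !Sub "x" becomes {"Fn::Sub": "x"}, !GetAtt A.B becomes
{"Fn::GetAtt": ["A", "B"]}. Only the standard library is used.
"""
import re
from datetime import date

# Constructed producer template carrying three defects that also turn up in
# hand-written templates: an Interface group naming an undefined parameter, a
# Default that fails its own AllowedPattern, and bedrock actions on Resource "*".
PRODUCER = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Metadata": {"AWS::CloudFormation::Interface": {"ParameterGroups": [
        {"Label": {"default": "Deployment"}, "Parameters": ["Environment", "DeployStage"]},
    ]}},
    "Parameters": {
        "Environment": {"Type": "String", "Default": "dev",
                        "AllowedValues": ["dev", "staging", "production"]},
        "AgentName": {"Type": "String", "Default": "my-agent", "MinLength": 1,
                      "MaxLength": 100, "AllowedPattern": "[a-zA-Z0-9_]+"},
    },
    "Resources": {
        "AgentResourceRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
            {"PolicyName": "AgentPolicy", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": ["bedrock:InvokeModel"], "Resource": "*"},
            ]}},
        ]}},
    },
    "Outputs": {
        "AgentId": {"Value": {"Fn::GetAtt": ["Agent", "AgentId"]},
                    "Export": {"Name": {"Fn::Sub": "${AWS::StackName}-AgentId"}}},
    },
}

# Constructed consumer template: it imports an alias ID the producer never exports.
CONSUMER = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Parameters": {"BedrockStackName": {"Type": "String", "Default": "bedrock-infrastructure"}},
    "Resources": {"Invoker": {"Type": "AWS::Lambda::Function", "Properties": {
        "Environment": {"Variables": {
            "AGENT_ID": {"Fn::ImportValue": {"Fn::Sub": "${BedrockStackName}-AgentId"}},
            "AGENT_ALIAS_ID": {"Fn::ImportValue": {"Fn::Sub": "${BedrockStackName}-AgentAliasId"}},
        }}}}},
}

# What a YAML loader yields for an unquoted `AWSTemplateFormatVersion: 2010-09-09`.
UNQUOTED_VERSION_TEMPLATE = {"AWSTemplateFormatVersion": date(2010, 9, 9)}


def lint_template(template):
    """Return human-readable findings for one template (empty list when clean)."""
    findings = []
    if not isinstance(template.get("AWSTemplateFormatVersion"), str):
        findings.append('AWSTemplateFormatVersion must be the quoted string "2010-09-09"')
    params = template.get("Parameters") or {}
    interface = (template.get("Metadata") or {}).get("AWS::CloudFormation::Interface") or {}
    for group in interface.get("ParameterGroups") or []:
        for name in group.get("Parameters") or []:
            if name not in params:
                findings.append(f"Interface references undefined parameter {name}")
    for name, spec in params.items():
        default = spec.get("Default")
        if default is None:
            continue
        if "AllowedValues" in spec and default not in spec["AllowedValues"]:
            findings.append(f"Parameter {name}: Default {default!r} not in AllowedValues")
        pattern = spec.get("AllowedPattern")
        # CloudFormation matches AllowedPattern against the whole value, hence fullmatch.
        if pattern and isinstance(default, str) and not re.fullmatch(pattern, default):
            findings.append(f"Parameter {name}: Default {default!r} fails AllowedPattern {pattern}")
        if isinstance(default, str) and not (
                spec.get("MinLength", 0) <= len(default) <= spec.get("MaxLength", len(default))):
            findings.append(f"Parameter {name}: Default violates MinLength/MaxLength")
    for logical_id, res in (template.get("Resources") or {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in (res.get("Properties") or {}).get("Policies") or []:
            for stmt in policy["PolicyDocument"]["Statement"]:
                actions = stmt.get("Action", [])
                actions = [actions] if isinstance(actions, str) else actions
                if stmt.get("Resource") == "*" and any(a.startswith("bedrock:") for a in actions):
                    findings.append(f"Role {logical_id}: {actions} on Resource '*'; scope to model or agent ARNs")
    return findings


def _walk(node):
    """Yield every nested value of a template, depth first."""
    yield node
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from _walk(child)


def _render_sub(value, variables):
    """Render a plain string or {"Fn::Sub": "..."} with the variables known offline."""
    if isinstance(value, dict) and isinstance(value.get("Fn::Sub"), str):
        value = re.sub(r"\$\{([^}]+)\}", lambda m: str(variables.get(m.group(1), m.group(0))), value["Fn::Sub"])
    return value if isinstance(value, str) else None


def check_cross_stack(producer, producer_stack_name, consumer):
    """Return the consumer's imports that no export of the producer satisfies."""
    exports = {_render_sub(o.get("Export", {}).get("Name"), {"AWS::StackName": producer_stack_name})
               for o in (producer.get("Outputs") or {}).values()}
    defaults = {n: s.get("Default") for n, s in (consumer.get("Parameters") or {}).items()}
    imports = {_render_sub(node["Fn::ImportValue"], defaults)
               for node in _walk(consumer) if isinstance(node, dict) and "Fn::ImportValue" in node}
    return sorted(name for name in imports - exports if name is not None)
```

Run `lint_template(PRODUCER)` and `check_cross_stack(PRODUCER, "bedrock-infrastructure", CONSUMER)` to see the three template findings and the one unmatched import; the same functions can be pointed at real templates after loading them with a YAML loader that registers constructors for the `!` tags.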

Nested Stacks for Modularity


```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Main stack with nested Bedrock stacks

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production
  AgentName:
    Type: String
    Default: my-bedrock-agent
  FoundationModel:
    Type: String
    Default: anthropic.claude-v2:1
  KnowledgeBaseName:
    Type: String
    Default: my-knowledge-base
  VectorStoreType:
    Type: String
    Default: OPENSEARCH_SERVERLESS
  GuardrailName:
    Type: String
    Default: my-guardrail

Resources:
  # Nested stack for agents ("bucket" in the TemplateURL is a placeholder for the
  # S3 bucket that holds the child templates)
  AgentsStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/bedrock-agents.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        AgentName: !Ref AgentName
        FoundationModel: !Ref FoundationModel

  # Nested stack for knowledge bases
  KnowledgeBaseStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/bedrock-knowledge-base.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        KnowledgeBaseName: !Ref KnowledgeBaseName
        VectorStoreType: !Ref VectorStoreType

  # Nested stack for guardrails
  GuardrailsStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/bedrock-guardrails.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        GuardrailName: !Ref GuardrailName
```

Bedrock Agents with Action Groups


Agent with Lambda Action Group


```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Bedrock agent with Lambda action group for API operations

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

  CodeBucket:
    Type: String
    Description: S3 bucket holding the action group deployment package

Resources:
  # Agent Resource Role. Lambda invocation is authorised by the function's
  # resource policy (ActionGroupInvokePermission), not by this role, so the
  # role is limited to model access and reading the API schema.
  AgentResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-agent-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: BedrockAgentPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/anthropic.claude-v3:5"
              - Effect: Allow
                Action: s3:GetObject
                Resource: !Sub "${ApiSchemaBucket.Arn}/api-schema.json"

  # Lambda function for action group
  ActionGroupFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-action-group"
      Runtime: python3.11
      Handler: handler.handler
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: lambda/action-group.zip
      Role: !GetAtt LambdaExecutionRole.Arn

  # Lambda Execution Role
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-lambda-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # Resource-based permission: only this agent may invoke the function
  ActionGroupInvokePermission:
    Type: AWS::Lambda::Permission
    Properties:
      FunctionName: !Ref ActionGroupFunction
      Action: lambda:InvokeFunction
      Principal: bedrock.amazonaws.com
      SourceArn: !GetAtt ApiAgent.AgentArn

  # API Schema in S3. The api-schema.json object must be present before the agent
  # is created, because Bedrock reads the OpenAPI schema when it builds the action group.
  ApiSchemaBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-api-schema-${AWS::AccountId}-${AWS::Region}"

  # Bedrock Agent with the action group declared inline (there is no standalone
  # AWS::Bedrock::AgentActionGroup resource type)
  ApiAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-api-agent"
      Description: Agent for API operations
      FoundationModel: anthropic.claude-v3:5
      AgentResourceRoleArn: !GetAtt AgentResourceRole.Arn
      AutoPrepare: true
      ActionGroups:
        - ActionGroupName: ApiActionGroup
          Description: Action group for API operations
          ActionGroupState: ENABLED
          ActionGroupExecutor:
            # The executor takes the function ARN, not the name a !Ref would return
            Lambda: !GetAtt ActionGroupFunction.Arn
          ApiSchema:
            S3:
              S3BucketName: !Ref ApiSchemaBucket
              S3ObjectKey: api-schema.json
```
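The `handler.handler` entry point the template above points at is not shown on the page; the following Python is an added example of such a handler, not code from this skill. It follows the action-group event and response contract (`actionGroup`, `apiPath`, `httpMethod`, `parameters` in; a `messageVersion` "1.0" envelope out) and treats every model-supplied parameter as untrusted input. `EXPECTED_AGENT_ID`, `ORDERS`, `ROUTES` and `SAMPLE_EVENT` are constructed for the demonstration.

```python
"""Action-group Lambda handler for a Bedrock agent (added example).

The Lambda resource policy (principal bedrock.amazonaws.com with the agent ARN
as SourceArn) is the real invocation boundary; the agent-ID check here is
defence in depth against a different agent being wired to the same function.
"""
import json
import os

# Constructed placeholder: the agent that is allowed to reach this function.
EXPECTED_AGENT_ID = os.environ.get("EXPECTED_AGENT_ID", "AGENT_ID_PLACEHOLDER")

# Constructed stand-in for a backend lookup.
ORDERS = {"1001": {"status": "shipped"}, "1002": {"status": "processing"}}

# Allow-list of the (apiPath, httpMethod) pairs the OpenAPI schema exposes.
ROUTES = {("/orders/{orderId}", "GET")}


def _params(event):
    """Flatten the parameter list the agent sends into a name -> value dict."""
    return {p["name"]: p["value"] for p in event.get("parameters", [])}


def _response(event, status, body):
    """Build the response envelope the agent expects for an API-schema action group."""
    return {
        "messageVersion": "1.0",
        "response": {
            "actionGroup": event["actionGroup"],
            "apiPath": event["apiPath"],
            "httpMethod": event["httpMethod"],
            "httpStatusCode": status,
            "responseBody": {"application/json": {"body": json.dumps(body)}},
        },
        # Echo session state unchanged so the agent keeps its context.
        "sessionAttributes": event.get("sessionAttributes", {}),
        "promptSessionAttributes": event.get("promptSessionAttributes", {}),
    }


def handler(event, context=None):
    """Lambda entry point: authorise the caller, route, validate, then serve."""
    if event.get("agent", {}).get("id") != EXPECTED_AGENT_ID:
        return _response(event, 403, {"error": "unexpected caller"})
    if (event.get("apiPath"), event.get("httpMethod")) not in ROUTES:
        return _response(event, 404, {"error": "unknown operation"})
    order_id = _params(event).get("orderId", "")
    # The model fills parameters from user text: validate shape before any lookup.
    if not order_id.isdigit() or len(order_id) > 10:
        return _response(event, 400, {"error": "orderId must be numeric"})
    order = ORDERS.get(order_id)
    if order is None:
        return _response(event, 404, {"error": "order not found"})
    return _response(event, 200, {"orderId": order_id, **order})


def response_body(result):
    """Decode the JSON body out of a handler result (convenience for callers and tests)."""
    return json.loads(result["response"]["responseBody"]["application/json"]["body"])


# Constructed event in the shape the agent sends for GET /orders/{orderId}.
SAMPLE_EVENT = {
    "messageVersion": "1.0",
    "agent": {"name": "support-agent", "id": "AGENT_ID_PLACEHOLDER",
              "alias": "TSTALIASID", "version": "DRAFT"},
    "sessionId": "constructed-session",
    "actionGroup": "OrderActions",
    "apiPath": "/orders/{orderId}",
    "httpMethod": "GET",
    "parameters": [{"name": "orderId", "type": "string", "value": "1001"}],
    "sessionAttributes": {},
    "promptSessionAttributes": {},
}
```

The handler answers with an HTTP-style status inside the envelope rather than raising, so the agent can relay a clean error to the user instead of surfacing a Lambda failure; the 403 path is what you would expect to see in CloudWatch if the resource policy were ever loosened.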

Agent with Knowledge Base Integration


yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock agent with knowledge base for RAG

Parameters:
  Environment:
    Type: String
    Default: dev

Resources:
  # Agent Resource Role
  AgentResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-agent-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AgentPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: "*"
              - Effect: Allow
                Action:
                  - bedrock:Retrieve
                  - bedrock:RetrieveAndGenerate
                Resource: !GetAtt KnowledgeBase.KnowledgeBaseArn

  # OpenSearch Serverless Collection
  OpenSearchCollection:
    Type: AWS::OpenSearchServerless::Collection
    Properties:
      Name: !Sub "${AWS::StackName}-kb-collection"
      Type: SEARCH

  # OpenSearch Serverless Access Policy
  AccessPolicy:
    Type: AWS::OpenSearchServerless::AccessPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-access-policy"
      Policy: !Sub |
        [
          {
            "Rules": [
              {
                "Resource": ["collection/${OpenSearchCollection.id}"],
                "Permission": ["aoss:*"]
              },
              {
                "Resource": ["index/collection/${OpenSearchCollection.id}/*"],
                "Permission": ["aoss:*"]
              }
            ],
            "Principal": ["${AgentResourceRole.Arn}"]
          }
        ]
      Type: data

  # Knowledge Base. The role in RoleArn must also be allowed aoss:APIAccessAll on the
  # collection and s3:GetObject / s3:ListBucket on the document bucket, and the vector
  # index named in VectorIndexName must already exist in the collection (CloudFormation
  # has no resource for it).
  KnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      Name: !Sub "${AWS::StackName}-kb"
      Description: Knowledge base for document retrieval
      RoleArn: !GetAtt AgentResourceRole.Arn
      KnowledgeBaseConfiguration:
        Type: VECTOR
        VectorKnowledgeBaseConfiguration:
          # Foundation model ARNs have an empty account field
          EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/amazon.titan-embed-text-v1"
      StorageConfiguration:
        Type: OPENSEARCH_SERVERLESS
        OpensearchServerlessConfiguration:
          CollectionArn: !GetAtt OpenSearchCollection.Arn
          VectorIndexName: kb-index
          FieldMapping:
            VectorField: vector
            TextField: text
            MetadataField: metadata

  # Bedrock Agent with knowledge base
  RAGAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-rag-agent"
      Description: Agent with knowledge base for RAG
      FoundationModel: anthropic.claude-3-5-sonnet-20240620-v1:0
      Instruction: >-
        You answer questions using only the documents in the knowledge base.
        If the answer is not in the documents, say so instead of guessing.
      AgentResourceRoleArn: !GetAtt AgentResourceRole.Arn
      AutoPrepare: true
      KnowledgeBases:
        - KnowledgeBaseId: !Ref KnowledgeBase
          Description: Main knowledge base for document retrieval
          KnowledgeBaseState: ENABLED

  # Data Source for Knowledge Base
  KnowledgeBaseDataSource:
    Type: AWS::Bedrock::DataSource
    Properties:
      KnowledgeBaseId: !Ref KnowledgeBase
      Name: !Sub "${AWS::StackName}-datasource"
      Description: S3 data source for documents
      DataSourceConfiguration:
        Type: S3
        S3Configuration:
          # Ref on an S3 bucket returns its name; the ARN needs GetAtt
          BucketArn: !GetAtt DocumentBucket.Arn
          InclusionPrefixes:
            - documents/
            - pdfs/
      VectorIngestionConfiguration:
        ChunkingConfiguration:
          ChunkingStrategy: FIXED_SIZE
          FixedSizeChunkingConfiguration:
            MaxTokens: 512
            OverlapPercentage: 20

  # Document Bucket (encrypted, no public access)
  DocumentBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-documents-${AWS::AccountId}-${AWS::Region}"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Knowledge Bases and Vector Stores

Knowledge Base with OpenSearch Serverless

yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Knowledge base with OpenSearch Serverless vector store

Resources:
  # Document Bucket (the bucket the data source below reads from)
  DocumentBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-documents-${AWS::AccountId}-${AWS::Region}"
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  # Encryption policy. It must exist before the collection is created, and
  # OpenSearch Serverless policies match on the collection NAME rather than its
  # id, so the name is repeated here instead of referencing the collection.
  SecurityPolicy:
    Type: AWS::OpenSearchServerless::SecurityPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-encryption-policy"
      Type: encryption
      Policy: !Sub |
        {
          "Rules": [
            {
              "ResourceType": "collection",
              "Resource": ["collection/${AWS::StackName}-vector-collection"]
            }
          ],
          "AWSOwnedKey": true
        }

  # Network policy. Bedrock reaches the collection through its public endpoint;
  # this only controls where the endpoint is reachable from, data access is
  # still gated by the data access policy below.
  NetworkPolicy:
    Type: AWS::OpenSearchServerless::SecurityPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-network-policy"
      Type: network
      Policy: !Sub |
        [
          {
            "Rules": [
              {
                "ResourceType": "collection",
                "Resource": ["collection/${AWS::StackName}-vector-collection"]
              }
            ],
            "AllowFromPublic": true
          }
        ]

  # OpenSearch Serverless Collection (a Bedrock knowledge base needs type VECTORSEARCH)
  VectorCollection:
    Type: AWS::OpenSearchServerless::Collection
    DependsOn:
      - SecurityPolicy
      - NetworkPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-vector-collection"
      Type: VECTORSEARCH

  # Data access policy: only the knowledge base role, only the permissions ingestion
  # and retrieval need, instead of aoss:*
  AccessPolicy:
    Type: AWS::OpenSearchServerless::AccessPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-access-policy"
      Type: data
      Policy: !Sub |
        [
          {
            "Rules": [
              {
                "ResourceType": "collection",
                "Resource": ["collection/${AWS::StackName}-vector-collection"],
                "Permission": ["aoss:DescribeCollectionItems", "aoss:CreateCollectionItems", "aoss:UpdateCollectionItems"]
              },
              {
                "ResourceType": "index",
                "Resource": ["index/${AWS::StackName}-vector-collection/*"],
                "Permission": ["aoss:CreateIndex", "aoss:DescribeIndex", "aoss:UpdateIndex", "aoss:ReadDocument", "aoss:WriteDocument"]
              }
            ],
            "Principal": ["${KnowledgeBaseRole.Arn}"]
          }
        ]

  # Knowledge Base Role
  KnowledgeBaseRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-kb-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy protection: only knowledge bases in this account may assume the role
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:knowledge-base/*"
      Policies:
        - PolicyName: KnowledgeBasePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - aoss:APIAccessAll
                Resource: !GetAtt VectorCollection.Arn
              # Ingestion calls the embedding model with this role
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/amazon.titan-embed-text-v1"
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !GetAtt DocumentBucket.Arn
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub "${DocumentBucket.Arn}/*"

  # Knowledge Base. CloudFormation has no resource for the vector index itself: the
  # index named in VectorIndexName, with a knn_vector field of the embedding model's
  # dimension and the three mapped fields, must already exist in the collection
  # (created through the OpenSearch API or a custom resource) or creation fails.
  KnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      Name: !Sub "${AWS::StackName}-knowledge-base"
      Description: Vector knowledge base with OpenSearch
      RoleArn: !GetAtt KnowledgeBaseRole.Arn
      KnowledgeBaseConfiguration:
        Type: VECTOR
        VectorKnowledgeBaseConfiguration:
          EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/amazon.titan-embed-text-v1"
      StorageConfiguration:
        Type: OPENSEARCH_SERVERLESS
        OpensearchServerlessConfiguration:
          CollectionArn: !GetAtt VectorCollection.Arn
          VectorIndexName: knowledge-index
          FieldMapping:
            VectorField: vector
            TextField: text
            MetadataField: metadata

  # Data Source
  DataSource:
    Type: AWS::Bedrock::DataSource
    Properties:
      KnowledgeBaseId: !Ref KnowledgeBase
      Name: !Sub "${AWS::StackName}-s3-datasource"
      DataSourceConfiguration:
        Type: S3
        S3Configuration:
          BucketArn: !GetAtt DocumentBucket.Arn
      VectorIngestionConfiguration:
        ChunkingConfiguration:
          ChunkingStrategy: FIXED_SIZE
          FixedSizeChunkingConfiguration:
            MaxTokens: 1000
            OverlapPercentage: 10
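The index that VectorIndexName names has to exist before the knowledge base is created, with field names equal to the FieldMapping values and a knn_vector dimension equal to the embedding model's output size, and CloudFormation cannot create it. The following is an added example, not code from the page or from AWS: it builds the index body Bedrock expects and checks an existing index definition against the template's mapping, which catches the two failures practitioners hit most (wrong field names, wrong dimension). `ensure_index` assumes an opensearch-py style client (`client.indices.exists` / `client.indices.create`) that is already authenticated to the collection; the dimension table only knows the model this page uses.

```python
"""Build and check the OpenSearch Serverless vector index a Bedrock knowledge base expects."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldMapping:
    """Mirror of StorageConfiguration.OpensearchServerlessConfiguration.FieldMapping in the template."""
    vector_field: str
    text_field: str
    metadata_field: str


# Vector size produced by the embedding model named in EmbeddingModelArn. amazon.titan-embed-text-v1
# emits 1536-dimensional vectors; any other model must be added here with its documented size.
EMBEDDING_DIMENSIONS = {
    "amazon.titan-embed-text-v1": 1536,
}


def build_index_body(mapping: FieldMapping, embedding_model_id: str) -> dict:
    """Index definition Bedrock can write to: a knn_vector field sized for the embedding model
    plus the text and metadata fields, all under the names the template's FieldMapping uses."""
    dimension = EMBEDDING_DIMENSIONS[embedding_model_id]
    return {
        "settings": {"index": {"knn": True, "knn.algo_param.ef_search": 512}},
        "mappings": {
            "properties": {
                mapping.vector_field: {
                    "type": "knn_vector",
                    "dimension": dimension,
                    "method": {"name": "hnsw", "engine": "faiss", "space_type": "l2"},
                },
                mapping.text_field: {"type": "text"},
                mapping.metadata_field: {"type": "text", "index": False},
            }
        },
    }


def check_index_against_mapping(index_body: dict, mapping: FieldMapping, embedding_model_id: str) -> list[str]:
    """Mismatches between an index definition (as returned by GET /<index>) and the knowledge base
    configuration. An empty list means CreateKnowledgeBase accepts the index and ingestion can write to it."""
    problems = []
    props = index_body.get("mappings", {}).get("properties", {})
    vector = props.get(mapping.vector_field)
    if vector is None:
        problems.append(f"vector field '{mapping.vector_field}' missing from index")
    elif vector.get("type") != "knn_vector":
        problems.append(f"vector field '{mapping.vector_field}' is not knn_vector")
    else:
        expected = EMBEDDING_DIMENSIONS[embedding_model_id]
        if vector.get("dimension") != expected:
            problems.append(f"vector dimension {vector.get('dimension')} != {expected} required by {embedding_model_id}")
    for name in (mapping.text_field, mapping.metadata_field):
        if name not in props:
            problems.append(f"field '{name}' missing from index")
    # OpenSearch returns settings as strings ("true"), our builder uses a bool; accept both
    knn = index_body.get("settings", {}).get("index", {}).get("knn")
    if str(knn).lower() != "true":
        problems.append("index.knn setting is not enabled")
    return problems


def ensure_index(client, index_name: str, mapping: FieldMapping, embedding_model_id: str) -> bool:
    """Create the index if it is absent, through an opensearch-py style client (client.indices.exists /
    client.indices.create) that is already authenticated to the collection. Returns True if created."""
    if client.indices.exists(index=index_name):
        return False
    client.indices.create(index=index_name, body=build_index_body(mapping, embedding_model_id))
    return True
```

Run `check_index_against_mapping` against `GET /knowledge-index` output from the collection before deploying the stack; a non-empty list is the reason the knowledge base would fail to create or to ingest.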

Knowledge Base with Pinecone

yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Knowledge base with Pinecone vector store

Parameters:
  PineconeApiKey:
    Type: String
    Description: >-
      Pinecone API key. NoEcho keeps it out of the console and DescribeStacks
      output, but it still travels through the deployment pipeline; in production
      create the secret outside the stack and pass its ARN instead.
    NoEcho: true
  PineconeConnectionString:
    Type: String
    Description: Endpoint URL of the Pinecone index (its dimension must match the embedding model, 1536 for titan-embed-text-v1)
  PineconeNamespace:
    Type: String
    Default: default
    Description: Namespace within the Pinecone index
  DocumentBucketArn:
    Type: String
    Description: ARN of the existing S3 bucket holding the source documents

Resources:
  # Pinecone Connection Configuration. Bedrock reads the API key from the
  # secret under the key name "apiKey".
  PineconeConnection:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}-pinecone-credentials"
      SecretString: !Sub '{"apiKey":"${PineconeApiKey}"}'

  # Knowledge Base Role
  KnowledgeBaseRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-kb-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
      Policies:
        - PolicyName: KnowledgeBasePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource: !Ref PineconeConnection
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/amazon.titan-embed-text-v1"
              - Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Ref DocumentBucketArn
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub "${DocumentBucketArn}/*"

  # Knowledge Base with Pinecone
  KnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      Name: !Sub "${AWS::StackName}-pinecone-kb"
      Description: Knowledge base with Pinecone vector store
      RoleArn: !GetAtt KnowledgeBaseRole.Arn
      KnowledgeBaseConfiguration:
        Type: VECTOR
        VectorKnowledgeBaseConfiguration:
          EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/amazon.titan-embed-text-v1"
      StorageConfiguration:
        Type: PINECONE
        PineconeConfiguration:
          ConnectionString: !Ref PineconeConnectionString
          CredentialsSecretArn: !Ref PineconeConnection
          Namespace: !Ref PineconeNamespace
          FieldMapping:
            TextField: text
            MetadataField: metadata

  # Data Source
  DataSource:
    Type: AWS::Bedrock::DataSource
    Properties:
      KnowledgeBaseId: !Ref KnowledgeBase
      Name: !Sub "${AWS::StackName}-pinecone-ds"
      DataSourceConfiguration:
        Type: S3
        S3Configuration:
          BucketArn: !Ref DocumentBucketArn

Guardrails for Content Moderation

Guardrail with Multiple Filters

yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock guardrail for content moderation

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Resources:
  # Guardrail
  ContentGuardrail:
    Type: AWS::Bedrock::Guardrail
    Properties:
      Name: !Sub "${AWS::StackName}-guardrail"
      Description: Content moderation guardrail
      # Messages returned in place of blocked input / output (both are required)
      BlockedInputMessaging: "Sorry, I can't help with that request."
      BlockedOutputsMessaging: "Sorry, I can't provide that response."
      # Topic Policy - Define denied topics
      TopicPolicyConfig:
        TopicsConfig:
          - Name: FinancialAdvice
            Definition: Providing personalized financial investment advice
            Examples:
              - "What stocks should I buy?"
              - "Should I invest in crypto?"
            Type: DENY
          - Name: MedicalAdvice
            Definition: Providing medical diagnosis or treatment recommendations
            Examples:
              - "What medication should I take?"
              - "Do I have COVID?"
            Type: DENY
      # Sensitive Information Policy. ANONYMIZE replaces the match with a
      # placeholder and lets the message through, BLOCK rejects the message.
      SensitiveInformationPolicyConfig:
        PiiEntitiesConfig:
          - Type: EMAIL
            Action: ANONYMIZE
          - Type: PHONE
            Action: ANONYMIZE
          - Type: US_SOCIAL_SECURITY_NUMBER
            Action: BLOCK
          - Type: CREDIT_DEBIT_CARD_NUMBER
            Action: BLOCK
        RegexesConfig:
          - Name: InternalAccountNumber
            Description: Illustrative internal account-number format
            Pattern: "ACCT-\\d{8}"
            Action: ANONYMIZE
      # Word Policy - Custom blocked words; profanity is a managed list, not a content filter
      WordPolicyConfig:
        WordsConfig:
          - Text: "spam"
          - Text: "scam"
          - Text: "fraud"
        ManagedWordListsConfig:
          - Type: PROFANITY
      # Content Policy. PROMPT_ATTACK detects jailbreak and prompt-injection
      # attempts in user input; its OutputStrength must be NONE.
      ContentPolicyConfig:
        FiltersConfig:
          - Type: HATE
            InputStrength: MEDIUM
            OutputStrength: HIGH
          - Type: INSULTS
            InputStrength: MEDIUM
            OutputStrength: HIGH
          - Type: SEXUAL
            InputStrength: LOW
            OutputStrength: MEDIUM
          - Type: VIOLENCE
            InputStrength: MEDIUM
            OutputStrength: HIGH
          - Type: MISCONDUCT
            InputStrength: MEDIUM
            OutputStrength: MEDIUM
          - Type: PROMPT_ATTACK
            InputStrength: HIGH
            OutputStrength: NONE
      # Contextual Grounding Policy
      ContextualGroundingPolicyConfig:
        FiltersConfig:
          - Type: GROUNDING
            Threshold: 0.7
          - Type: RELEVANCE
            Threshold: 0.7

  # Immutable version. The DRAFT working version changes with every update to
  # the guardrail above; agents and applications should reference a numbered
  # version so a policy change cannot silently alter production behaviour.
  ContentGuardrailVersion:
    Type: AWS::Bedrock::GuardrailVersion
    Properties:
      GuardrailIdentifier: !GetAtt ContentGuardrail.GuardrailId
      Description: !Sub "Version deployed by ${AWS::StackName} (${Environment})"

Outputs:
  GuardrailId:
    Description: ID of the guardrail
    Value: !GetAtt ContentGuardrail.GuardrailId
    Export:
      Name: !Sub "${AWS::StackName}-GuardrailId"

  GuardrailVersion:
    Description: Numbered version of the guardrail
    Value: !GetAtt ContentGuardrailVersion.Version
    Export:
      Name: !Sub "${AWS::StackName}-GuardrailVersion"

  GuardrailArn:
    Description: ARN of the guardrail
    Value: !GetAtt ContentGuardrail.GuardrailArn
    Export:
      Name: !Sub "${AWS::StackName}-GuardrailArn"
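A guardrail attached to an agent is applied for you, but the same guardrail can be applied to any text with the ApplyGuardrail API, independently of a model call. That is how to check input and output around a plain InvokeModel call, and it returns the per-policy assessment that the monitoring bullets in Best Practices need. The following added example, not from the page or from AWS, interprets an ApplyGuardrail response: anonymized PII is forwarded in its masked form, anything else that intervened is a block, an API failure fails closed, and the result is emitted as one JSON line for log-based alerting. The two sample responses are constructed in the documented response shape, not captured from the service; `client` is assumed to be a boto3 `bedrock-runtime` client.

```python
"""Apply a Bedrock guardrail to a text and turn its assessment into a structured event."""
import json
from dataclasses import dataclass, field


@dataclass
class GuardrailDecision:
    action: str                       # NONE, GUARDRAIL_INTERVENED, or GUARDRAIL_ERROR (client failure)
    blocked: bool                     # True: do not forward the text to the model / user
    text: str                         # text to forward; masked when PII was anonymized
    interventions: list = field(default_factory=list)  # (policy, detail, action) triples

    def to_event(self, source: str) -> str:
        """One JSON line per check, suitable for a CloudWatch Logs metric filter on "blocked"."""
        return json.dumps({
            "event": "guardrail_assessment", "source": source, "action": self.action,
            "blocked": self.blocked,
            "interventions": [{"policy": p, "detail": d, "action": a} for p, d, a in self.interventions],
        }, sort_keys=True)


def summarize(response: dict) -> GuardrailDecision:
    """Walk every policy section of an ApplyGuardrail response. Entries whose action is NONE
    (for example a grounding filter that scored above its threshold) are not interventions."""
    action = response.get("action", "NONE")
    text = "".join(o.get("text", "") for o in response.get("outputs", []))
    hits = []
    for a in response.get("assessments", []):
        for t in a.get("topicPolicy", {}).get("topics", []):
            hits.append(("topicPolicy", t["name"], t["action"]))
        for f in a.get("contentPolicy", {}).get("filters", []):
            hits.append(("contentPolicy", f"{f['type']}:{f.get('confidence', '')}", f["action"]))
        for w in a.get("wordPolicy", {}).get("customWords", []):
            hits.append(("wordPolicy", w["match"], w["action"]))
        for w in a.get("wordPolicy", {}).get("managedWordLists", []):
            hits.append(("wordPolicy", w["type"], w["action"]))
        for e in a.get("sensitiveInformationPolicy", {}).get("piiEntities", []):
            hits.append(("sensitiveInformationPolicy", e["type"], e["action"]))
        for r in a.get("sensitiveInformationPolicy", {}).get("regexes", []):
            hits.append(("sensitiveInformationPolicy", r["name"], r["action"]))
        for f in a.get("contextualGroundingPolicy", {}).get("filters", []):
            hits.append(("contextualGroundingPolicy", f"{f['type']}:{f.get('score')}", f["action"]))
    hits = [h for h in hits if h[2] != "NONE"]
    # Fail closed: an intervention that is not pure anonymization, or an intervention that
    # cannot be attributed to any policy section we know, is a block.
    blocked = action == "GUARDRAIL_INTERVENED" and (not hits or any(h[2] != "ANONYMIZED" for h in hits))
    return GuardrailDecision(action, blocked, text, hits)


def apply_guardrail(client, guardrail_id: str, guardrail_version: str, source: str, text: str) -> GuardrailDecision:
    """source is INPUT for user messages or OUTPUT for model responses. client is a boto3
    bedrock-runtime client, or anything with the same apply_guardrail signature. A client error
    is treated as a block so that an outage of the guardrail fails closed rather than open."""
    try:
        response = client.apply_guardrail(
            guardrailIdentifier=guardrail_id, guardrailVersion=guardrail_version,
            source=source, content=[{"text": {"text": text}}])
    except Exception as exc:
        return GuardrailDecision("GUARDRAIL_ERROR", True, "", [("client", type(exc).__name__, "BLOCKED")])
    decision = summarize(response)
    if decision.action == "NONE":
        decision.text = text  # nothing was changed; keep the caller's text
    return decision


# Constructed sample responses in the ApplyGuardrail response shape (not captured from AWS).
SAMPLE_ANONYMIZED = {
    "action": "GUARDRAIL_INTERVENED",
    "outputs": [{"text": "My email is {EMAIL}, where is order 42?"}],
    "assessments": [{
        "sensitiveInformationPolicy": {"piiEntities": [
            {"match": "alice@example.com", "type": "EMAIL", "action": "ANONYMIZED"}]},
        "contextualGroundingPolicy": {"filters": [
            {"type": "GROUNDING", "threshold": 0.7, "score": 0.92, "action": "NONE"}]},
    }],
}
SAMPLE_BLOCKED = {
    "action": "GUARDRAIL_INTERVENED",
    "outputs": [{"text": "Sorry, I can't help with that request."}],
    "assessments": [{
        "topicPolicy": {"topics": [{"name": "FinancialAdvice", "type": "DENY", "action": "BLOCKED"}]},
        "contentPolicy": {"filters": [{"type": "PROMPT_ATTACK", "confidence": "HIGH", "action": "BLOCKED"}]},
    }],
}
```

Call `apply_guardrail(..., source="INPUT", text=user_message)` before InvokeModel and again with `source="OUTPUT"` on the completion; forward `decision.text` only when `decision.blocked` is false, and ship `decision.to_event(source)` to the log group that the monitoring alarms read.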

Bedrock Flows for Workflow Orchestration

Flow with Multiple Nodes

yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock Flow for AI workflow orchestration

Parameters:
  ProductKnowledgeBaseId:
    Type: String
    Description: ID of an existing knowledge base holding product documentation
  OrderStatusFunctionArn:
    Type: String
    Description: ARN of an existing Lambda function that returns an order status as a string
  ModelId:
    Type: String
    Default: anthropic.claude-3-5-sonnet-20240620-v1:0

Resources:
  # Flow Role
  FlowRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-flow-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
            # Confused-deputy protection: only flows in this account may assume the role
            Condition:
              StringEquals:
                aws:SourceAccount: !Ref AWS::AccountId
              ArnLike:
                aws:SourceArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:flow/*"
      Policies:
        - PolicyName: FlowPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Scoped to the one model and knowledge base the flow uses, not Resource "*"
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/${ModelId}"
              - Effect: Allow
                Action:
                  - bedrock:Retrieve
                  - bedrock:RetrieveAndGenerate
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:knowledge-base/${ProductKnowledgeBaseId}"
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                Resource: !Ref OrderStatusFunctionArn

  # Bedrock Flow. The definition is a graph: typed Nodes, plus Connections that
  # either carry a value from a node output to a node input (Type: Data) or
  # select the branch leaving a Condition node (Type: Conditional).
  ProcessingFlow:
    Type: AWS::Bedrock::Flow
    Properties:
      Name: !Sub "${AWS::StackName}-processing-flow"
      Description: Flow for processing customer requests
      ExecutionRoleArn: !GetAtt FlowRole.Arn
      Definition:
        Nodes:
          - Name: FlowInput
            Type: Input
            Outputs:
              - Name: document
                Type: String
          # Deterministic intent classification (temperature 0, label only)
          - Name: IntentClassifier
            Type: Prompt
            Configuration:
              Prompt:
                SourceConfiguration:
                  Inline:
                    ModelId: !Ref ModelId
                    TemplateType: TEXT
                    TemplateConfiguration:
                      Text:
                        Text: "Classify the customer message as exactly one of: product_inquiry, order_status, general_question. Reply with the label only.\n\nMessage: {{user_input}}"
                        InputVariables:
                          - Name: user_input
                    InferenceConfiguration:
                      Text:
                        Temperature: 0
                        MaxTokens: 20
            Inputs:
              - Name: user_input
                Type: String
                Expression: $.data
            Outputs:
              - Name: modelCompletion
                Type: String
          #
          # Branch on the label; "default" catches anything the classifier returns unexpectedly
          - Name: Router
            Type: Condition
            Configuration:
              Condition:
                Conditions:
                  - Name: IsProductInquiry
                    Expression: 'intent == "product_inquiry"'
                  - Name: IsOrderStatus
                    Expression: 'intent == "order_status"'
                  - Name: default
            Inputs:
              - Name: intent
                Type: String
                Expression: $.data
          - Name: ProductInquiry
            Type: KnowledgeBase
            Configuration:
              KnowledgeBase:
                KnowledgeBaseId: !Ref ProductKnowledgeBaseId
                ModelId: !Ref ModelId
            Inputs:
              - Name: retrievalQuery
                Type: String
                Expression: $.data
            Outputs:
              - Name: outputText
                Type: String
          - Name: OrderStatus
            Type: LambdaFunction
            Configuration:
              LambdaFunction:
                LambdaArn: !Ref OrderStatusFunctionArn
            Inputs:
              - Name: message
                Type: String
                Expression: $.data
            Outputs:
              - Name: functionResponse
                Type: String
          - Name: GeneralQuestion
            Type: Prompt
            Configuration:
              Prompt:
                SourceConfiguration:
                  Inline:
                    ModelId: !Ref ModelId
                    TemplateType: TEXT
                    TemplateConfiguration:
                      Text:
                        Text: "Answer the customer's question concisely.\n\nQuestion: {{user_input}}"
                        InputVariables:
                          - Name: user_input
                    InferenceConfiguration:
                      Text:
                        Temperature: 0.7
                        MaxTokens: 1000
            Inputs:
              - Name: user_input
                Type: String
                Expression: $.data
            Outputs:
              - Name: modelCompletion
                Type: String
          # A node input takes one incoming data connection, so each branch ends in its own Output node
          - Name: ProductOutput
            Type: Output
            Inputs:
              - Name: document
                Type: String
                Expression: $.data
          - Name: OrderOutput
            Type: Output
            Inputs:
              - Name: document
                Type: String
                Expression: $.data
          - Name: GeneralOutput
            Type: Output
            Inputs:
              - Name: document
                Type: String
                Expression: $.data
        Connections:
          - Name: InputToClassifier
            Source: FlowInput
            Target: IntentClassifier
            Type: Data
            Configuration:
              Data:
                SourceOutput: document
                TargetInput: user_input
          - Name: ClassifierToRouter
            Source: IntentClassifier
            Target: Router
            Type: Data
            Configuration:
              Data:
                SourceOutput: modelCompletion
                TargetInput: intent
          - Name: RouteProduct
            Source: Router
            Target: ProductInquiry
            Type: Conditional
            Configuration:
              Conditional:
                Condition: IsProductInquiry
          - Name: RouteOrder
            Source: Router
            Target: OrderStatus
            Type: Conditional
            Configuration:
              Conditional:
                Condition: IsOrderStatus
          - Name: RouteGeneral
            Source: Router
            Target: GeneralQuestion
            Type: Conditional
            Configuration:
              Conditional:
                Condition: default
          # The branch nodes still need their data, which comes straight from the flow input
          - Name: InputToProduct
            Source: FlowInput
            Target: ProductInquiry
            Type: Data
            Configuration:
              Data:
                SourceOutput: document
                TargetInput: retrievalQuery
          - Name: InputToOrder
            Source: FlowInput
            Target: OrderStatus
            Type: Data
            Configuration:
              Data:
                SourceOutput: document
                TargetInput: message
          - Name: InputToGeneral
            Source: FlowInput
            Target: GeneralQuestion
            Type: Data
            Configuration:
              Data:
                SourceOutput: document
                TargetInput: user_input
          - Name: ProductToOutput
            Source: ProductInquiry
            Target: ProductOutput
            Type: Data
            Configuration:
              Data:
                SourceOutput: outputText
                TargetInput: document
          - Name: OrderToOutput
            Source: OrderStatus
            Target: OrderOutput
            Type: Data
            Configuration:
              Data:
                SourceOutput: functionResponse
                TargetInput: document
          - Name: GeneralToOutput
            Source: GeneralQuestion
            Target: GeneralOutput
            Type: Data
            Configuration:
              Data:
                SourceOutput: modelCompletion
                TargetInput: document

Outputs:
  FlowId:
    Description: ID of the flow
    Value: !GetAtt ProcessingFlow.Id
    Export:
      Name: !Sub "${AWS::StackName}-FlowId"

  FlowArn:
    Description: ARN of the flow
    Value: !GetAtt ProcessingFlow.Arn
    Export:
      Name: !Sub "${AWS::StackName}-FlowArn"

Inference Profiles for Multi-Model Access

Application Inference Profile

yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Application inference profile for cost tracking and model access

Parameters:
  InferenceProfileName:
    Type: String
    Default: production-profile
    Description: Name of the inference profile
  SourceModelId:
    Type: String
    Default: anthropic.claude-3-5-sonnet-20240620-v1:0
    Description: Foundation model the profile routes to

Resources:
  # Application Inference Profile. A profile wraps exactly one model source, either
  # a foundation model ARN or a system-defined cross-region inference profile ARN
  # (CopyFrom cannot be a wildcard). It carries no per-model sampling parameters;
  # temperature and token limits are set per invocation. What it adds is tags, so
  # usage and cost can be tracked per application, and a distinct ARN that shows
  # up in CloudTrail and CloudWatch metrics. Invoking through the profile still
  # requires bedrock:InvokeModel on both the profile ARN and the underlying model.
  ProductionProfile:
    Type: AWS::Bedrock::ApplicationInferenceProfile
    Properties:
      InferenceProfileName: !Ref InferenceProfileName
      Description: Production inference profile
      ModelSource:
        CopyFrom: !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/${SourceModelId}"
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Environment
          Value: production

Outputs:
  InferenceProfileId:
    Description: ID of the inference profile
    Value: !GetAtt ProductionProfile.InferenceProfileId
    Export:
      Name: !Sub "${AWS::StackName}-InferenceProfileId"

  InferenceProfileArn:
    Description: ARN of the inference profile (pass it as modelId to InvokeModel or Converse)
    Value: !GetAtt ProductionProfile.InferenceProfileArn
    Export:
      Name: !Sub "${AWS::StackName}-InferenceProfileArn"

Best Practices

Security

  • Give agents, knowledge bases and calling applications IAM roles scoped to the specific model, inference profile, knowledge base and guardrail ARNs they need; avoid bedrock:* and Resource: "*"
  • Encrypt knowledge base source buckets and the vector store with a customer-managed KMS key, and grant the knowledge base role kms:Decrypt on that key only
  • Attach a guardrail to every production agent and invocation, with both input and output filtering configured
  • Reach bedrock-runtime and bedrock-agent-runtime through VPC interface endpoints, and restrict the endpoint policy to principals in your own account
  • Keep third-party credentials (for example a Pinecone API key) in AWS Secrets Manager and reference the secret ARN from the template instead of embedding the value
  • Grant cross-account access only through explicit trust and resource policies with an external ID; never use wildcard principals
  • Audit control-plane calls with CloudTrail and enable model invocation logging for the data plane, then restrict access to those logs because they contain prompts and responses
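The following template is an added example, not code from the original page or from AWS; it puts three of the security points above into one deployable unit: a VPC interface endpoint for bedrock-runtime whose endpoint policy rejects principals from other accounts, and an application role that can invoke only a named application inference profile, only over that endpoint, and can reach the underlying foundation model solely through the profile (the bedrock:InferenceProfileArn condition key). The parameter names, the Lambda trust relationship, the logical IDs and the default model ID are assumptions chosen for the example; substitute your own.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: Least-privilege invocation role and private endpoint for Bedrock (added example)

Parameters:
  InferenceProfileArn:
    Type: String
    Description: ARN of the application inference profile the application may invoke
  FoundationModelId:
    Type: String
    Default: anthropic.claude-sonnet-4-20250514-v1:0
    Description: Model behind that profile (assumed); direct invocation of it is not allowed
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  AppSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the workload that calls Bedrock

Resources:
  # Only HTTPS from the application's security group reaches the endpoint ENIs
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Bedrock runtime endpoint ingress
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourceSecurityGroupId: !Ref AppSecurityGroupId

  # Private path to the data plane. The endpoint policy refuses principals
  # from other accounts, so the endpoint cannot be used with foreign credentials.
  BedrockRuntimeEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.bedrock-runtime
      VpcEndpointType: Interface
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
      PrivateDnsEnabled: true
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - bedrock:InvokeModel
              - bedrock:InvokeModelWithResponseStream
            Resource: '*'
            Condition:
              StringEquals:
                aws:PrincipalAccount: !Ref AWS::AccountId

  # Role for the calling workload (a Lambda function is assumed here). No
  # bedrock:* and no Resource: "*"; the model is reachable only through the
  # profile, and only over the endpoint above.
  InvokeRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: invoke-through-profile-only
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: InvokeProfile
                Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: !Ref InferenceProfileArn
                Condition:
                  StringEquals:
                    aws:SourceVpce: !Ref BedrockRuntimeEndpoint
              - Sid: UnderlyingModelViaProfileOnly
                Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                # Region wildcard covers cross-region routing done by the profile
                Resource: !Sub "arn:aws:bedrock:*::foundation-model/${FoundationModelId}"
                Condition:
                  StringEquals:
                    aws:SourceVpce: !Ref BedrockRuntimeEndpoint
                  ArnEquals:
                    bedrock:InferenceProfileArn: !Ref InferenceProfileArn
```

Two checks after deployment: invoking the foundation model ARN directly with this role must fail with AccessDeniedException, and invoking the profile from outside the VPC (for example from a developer laptop assuming the role) must fail the same way. If either succeeds, a condition key is not being evaluated as expected.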

Performance

  • Choose the embedding model by corpus language, retrieval quality on your own evaluation set, and the vector dimension the store can index efficiently
  • Tune the chunking strategy (fixed-size, hierarchical or semantic) for knowledge base ingestion against retrieval evaluations rather than keeping the defaults
  • Use system-defined cross-region inference profiles to spread traffic across regions and absorb regional throttling; application inference profiles sit on top of them for per-application cost tracking
  • Monitor token usage and implement client-side rate limiting with exponential backoff on ThrottlingException
  • Configure timeouts that match long-running agent sessions and knowledge base ingestion jobs
  • Use provisioned throughput for predictable, sustained workloads
  • Cache frequently accessed knowledge base results at the application layer

Monitoring

  • Use the AWS/Bedrock CloudWatch metrics per model ID: Invocations, InvocationLatency, InvocationThrottles, InvocationClientErrors, InvocationServerErrors, InputTokenCount and OutputTokenCount
  • Create alarms for throttled requests and server errors, with evaluation windows that tolerate normal burstiness
  • Monitor knowledge base retrieval latency end to end, including the vector store query
  • Track token usage and cost per model and per application inference profile
  • Enable traces on agent invocations (enableTrace on InvokeAgent) so tool calls and retrievals can be reconstructed after an incident
  • Monitor guardrail interventions; a sudden rise usually means prompt-injection attempts or a regression in a prompt template
  • Enable model invocation logging to CloudWatch Logs or S3 for debugging; the logs hold prompts and responses, so encrypt them and restrict who can read them
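As an added example (not from the original page or from AWS), the template below wires the alarm recommendations above to the AWS/Bedrock metrics: sustained throttling, any server-side error, and an hourly output-token budget that catches a runaway agent loop before the bill does. The parameter names, thresholds, logical IDs and the default model ID are assumptions; before deploying, confirm in the CloudWatch console which ModelId dimension value your invocations actually emit, because a wrong dimension produces an alarm that never fires.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Description: CloudWatch alarms for Bedrock throttling, errors and token spend (added example)

Parameters:
  ModelId:
    Type: String
    Default: anthropic.claude-sonnet-4-20250514-v1:0
    Description: Value of the ModelId dimension your invocations emit under AWS/Bedrock (assumed)
  AlertEmail:
    Type: String
    Description: Address that receives alarm notifications
  HourlyOutputTokenBudget:
    Type: Number
    Default: 2000000
    Description: Output tokens per hour above which spend is treated as runaway

Resources:
  AlertTopic:
    Type: AWS::SNS::Topic
    Properties:
      Subscription:
        - Protocol: email
          Endpoint: !Ref AlertEmail

  # Sustained throttling: three of five one-minute periods with 10+ throttles
  ThrottleAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub "${AWS::StackName}-bedrock-throttles"
      AlarmDescription: Bedrock is throttling; raise the quota or add client backoff
      Namespace: AWS/Bedrock
      MetricName: InvocationThrottles
      Dimensions:
        - Name: ModelId
          Value: !Ref ModelId
      Statistic: Sum
      Period: 60
      EvaluationPeriods: 5
      DatapointsToAlarm: 3
      Threshold: 10
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopic

  # Any server-side error inside a five-minute window is worth a notification
  ServerErrorAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub "${AWS::StackName}-bedrock-server-errors"
      Namespace: AWS/Bedrock
      MetricName: InvocationServerErrors
      Dimensions:
        - Name: ModelId
          Value: !Ref ModelId
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopic

  # Spend guard: output tokens are the expensive side of most price sheets
  OutputTokenAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub "${AWS::StackName}-bedrock-output-tokens"
      Namespace: AWS/Bedrock
      MetricName: OutputTokenCount
      Dimensions:
        - Name: ModelId
          Value: !Ref ModelId
      Statistic: Sum
      Period: 3600
      EvaluationPeriods: 1
      Threshold: !Ref HourlyOutputTokenBudget
      ComparisonOperator: GreaterThanThreshold
      TreatMissingData: notBreaching
      AlarmActions:
        - !Ref AlertTopic
```

TreatMissingData is set to notBreaching on all three so that an idle model does not page anyone; if you want to be told when traffic disappears entirely, add a separate alarm on Invocations with breaching semantics rather than changing these.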

Cost Optimization

  • Use on-demand pricing for variable workloads and commit to provisioned throughput only once sustained utilisation justifies it
  • Use prompt caching for repeated prefixes (system prompts, retrieved context) and cache identical requests at the application layer
  • Choose the smallest model that meets the task's quality bar instead of defaulting to the largest
  • Use knowledge base retrieval filtering and a sensible numberOfResults so fewer, more relevant chunks reach the model
  • Use Bedrock batch inference for workloads that do not need real-time responses
  • Monitor and optimize token consumption per application inference profile

CloudFormation Stack Management Best Practices

Stack Policies

yaml
Resources:
  BedrockAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-agent"

Stack policy to protect Bedrock resources

A stack policy is not a template resource (there is no AWS::CloudFormation::StackPolicy type). It is a separate JSON document attached to the stack with --stack-policy-body on create-stack, or later with aws cloudformation set-stack-policy. The policy below allows every update except ones that would delete or replace the agent; replacement is denied as well because it destroys the agent ID that aliases and client configuration reference:

json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "Update:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["Update:Delete", "Update:Replace"],
      "Resource": "LogicalResourceId/BedrockAgent",
      "Condition": {
        "StringEquals": {
          "ResourceType": ["AWS::Bedrock::Agent"]
        }
      }
    }
  ]
}

A stack policy governs stack updates only; it does not stop delete-stack. Enable termination protection on the stack as well, and keep the stack policy under version control next to the template.

Drift Detection

bash
# Start drift detection; the call is asynchronous and returns a detection ID
DETECTION_ID=$(aws cloudformation detect-stack-drift \
  --stack-name my-bedrock-stack \
  --query StackDriftDetectionId --output text)

# Poll until DetectionStatus is DETECTION_COMPLETE (or DETECTION_FAILED)
aws cloudformation describe-stack-drift-detection-status \
  --stack-drift-detection-id "$DETECTION_ID"

# List resources whose live configuration differs from the template
aws cloudformation describe-stack-resource-drifts \
  --stack-name my-bedrock-stack \
  --stack-resource-drift-status-filters MODIFIED DELETED

Drift detection covers only resource types and properties that support it; resources reported as NOT_CHECKED (query them with the NOT_CHECKED filter) need a manual comparison. Console edits to an agent's instructions, guardrail policies or a data source are exactly the changes you want to catch, so run detection on a schedule rather than only after an incident.

Related Resources

Additional Files

For complete details on resources and their properties, see:
  • REFERENCE.md - Detailed reference guide for all Bedrock CloudFormation resources
  • EXAMPLES.md - Complete production-ready examples