aws-cloudformation-bedrock

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

AWS CloudFormation Amazon Bedrock

Overview

概述

Create production-ready AI infrastructure using AWS CloudFormation templates for Amazon Bedrock. This skill covers Bedrock agents, knowledge bases for RAG implementations, data source connectors, guardrails for content moderation, prompt management, workflow orchestration with flows, and inference profiles for optimized model access.

使用适用于Amazon Bedrock的AWS CloudFormation模板创建可用于生产环境的AI基础设施。本技能涵盖Bedrock Agent、用于RAG实现的知识库、数据源连接器、内容审核防护机制（Guardrails）、提示词管理、通过Flow编排工作流，以及用于优化模型访问的推理配置文件。

When to Use

适用场景

Use this skill when:

Creating Bedrock agents with action groups and function definitions
Implementing Retrieval-Augmented Generation (RAG) with knowledge bases
Configuring data sources (S3, web crawl, custom connectors)
Setting up vector store configurations (OpenSearch, Pinecone, pgvector)
Creating content moderation guardrails
Managing prompt templates and versions
Orchestrating AI workflows with Bedrock Flows
Configuring inference profiles for multi-model access
Setting up application inference profiles for optimized model routing
Organizing templates with Parameters, Outputs, Mappings, Conditions
Implementing cross-stack references with export/import

在以下场景中使用本技能：

创建带动作组和函数定义的Bedrock Agent
通过知识库实现检索增强生成（RAG）
配置数据源（S3、网页爬取、自定义连接器）
配置向量存储（OpenSearch、Pinecone、pgvector）
创建内容审核防护机制
管理提示词模板和版本
通过Bedrock Flow编排AI工作流
配置推理配置文件以实现多模型访问
设置应用推理配置文件以优化模型路由
使用Parameters、Outputs、Mappings、Conditions组织模板
通过导出/导入实现跨栈引用

CloudFormation Template Structure

CloudFormation模板结构

Base Template with Standard Format

标准格式的基础模板

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Amazon Bedrock agent with knowledge base for RAG

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Agent Configuration
        Parameters:
          - AgentName
          - AgentDescription
          - FoundationModel
      - Label:
          default: Knowledge Base Settings
        Parameters:
          - KnowledgeBaseName
          - VectorStoreType
          - EmbeddingModel
      - Label:
          default: Deployment Settings
        Parameters:
          - Environment
          - DeployStage

Parameters:
  AgentName:
    Type: String
    Default: my-bedrock-agent
    Description: Name of the Bedrock agent

  AgentDescription:
    Type: String
    Default: Agent for customer support automation
    Description: Description of the agent's purpose

  FoundationModel:
    Type: String
    Default: anthropic.claude-v2:1
    Description: Foundation model for the agent
    AllowedValues:
      - anthropic.claude-v2:1
      - anthropic.claude-v3:5
      - anthropic.claude-sonnet-4-20250514
      - amazon.titan-text-express-v1
      - meta.llama3-70b-instruct-v1:0

  KnowledgeBaseName:
    Type: String
    Default: my-knowledge-base
    Description: Name of the knowledge base

  VectorStoreType:
    Type: String
    Default: OPENSEARCH_SERVERLESS
    Description: Vector store type for knowledge base
    AllowedValues:
      - OPENSEARCH_SERVERLESS
      - PINECONE
      - PGVECTOR
      - REDIS

  EmbeddingModel:
    Type: String
    Default: amazon.titan-embed-text-v1
    Description: Embedding model for vectorization
    AllowedValues:
      - amazon.titan-embed-text-v1
      - amazon.titan-embed-text-v2:0
      - cohere.embed-multilingual-v3:0

  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Mappings:
  EnvironmentConfig:
    dev:
      AgentVersion: DRAFT
      IndexCapacity: 1
      InferenceUnit: 1
    staging:
      AgentVersion: DRAFT
      IndexCapacity: 5
      InferenceUnit: 2
    production:
      AgentVersion: RELEASE
      IndexCapacity: 10
      InferenceUnit: 5

Conditions:
  IsProduction: !Equals [!Ref Environment, production]
  UseOpenSearch: !Equals [!Ref VectorStoreType, OPENSEARCH_SERVERLESS]

Transform:
  - AWS::Serverless-2016-10-31

Resources:
  # Bedrock Agent
  BedrockAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Ref AgentName
      Description: !Ref AgentDescription
      FoundationModel: !Ref FoundationModel
      IdleSessionTTLInSeconds: 1800
      AgentResourceRoleArn: !GetAtt AgentResourceRole.Arn
      AutoPrepare: true

  # Agent Resource Role
  AgentResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-bedrock-agent-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-bedrock-agent-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:foundation-model/${FoundationModel}"

Outputs:
  AgentId:
    Description: ID of the Bedrock agent
    Value: !GetAtt BedrockAgent.AgentId
    Export:
      Name: !Sub "${AWS::StackName}-AgentId"

  AgentAliasId:
    Description: Alias ID of the Bedrock agent
    Value: !GetAtt BedrockAgent.LatestAgentAliasId
    Export:
      Name: !Sub "${AWS::StackName}-AgentAliasId"

  AgentArn:
    Description: ARN of the Bedrock agent
    Value: !GetAtt BedrockAgent.AgentArn
    Export:
      Name: !Sub "${AWS::StackName}-AgentArn"

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Amazon Bedrock agent with knowledge base for RAG

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: Agent Configuration
        Parameters:
          - AgentName
          - AgentDescription
          - FoundationModel
      - Label:
          default: Knowledge Base Settings
        Parameters:
          - KnowledgeBaseName
          - VectorStoreType
          - EmbeddingModel
      - Label:
          default: Deployment Settings
        Parameters:
          - Environment
          - DeployStage

Parameters:
  AgentName:
    Type: String
    Default: my-bedrock-agent
    Description: Name of the Bedrock agent

  AgentDescription:
    Type: String
    Default: Agent for customer support automation
    Description: Description of the agent's purpose

  FoundationModel:
    Type: String
    Default: anthropic.claude-v2:1
    Description: Foundation model for the agent
    AllowedValues:
      - anthropic.claude-v2:1
      - anthropic.claude-v3:5
      - anthropic.claude-sonnet-4-20250514
      - amazon.titan-text-express-v1
      - meta.llama3-70b-instruct-v1:0

  KnowledgeBaseName:
    Type: String
    Default: my-knowledge-base
    Description: Name of the knowledge base

  VectorStoreType:
    Type: String
    Default: OPENSEARCH_SERVERLESS
    Description: Vector store type for knowledge base
    AllowedValues:
      - OPENSEARCH_SERVERLESS
      - PINECONE
      - PGVECTOR
      - REDIS

  EmbeddingModel:
    Type: String
    Default: amazon.titan-embed-text-v1
    Description: Embedding model for vectorization
    AllowedValues:
      - amazon.titan-embed-text-v1
      - amazon.titan-embed-text-v2:0
      - cohere.embed-multilingual-v3:0

  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Mappings:
  EnvironmentConfig:
    dev:
      AgentVersion: DRAFT
      IndexCapacity: 1
      InferenceUnit: 1
    staging:
      AgentVersion: DRAFT
      IndexCapacity: 5
      InferenceUnit: 2
    production:
      AgentVersion: RELEASE
      IndexCapacity: 10
      InferenceUnit: 5

Conditions:
  IsProduction: !Equals [!Ref Environment, production]
  UseOpenSearch: !Equals [!Ref VectorStoreType, OPENSEARCH_SERVERLESS]

Transform:
  - AWS::Serverless-2016-10-31

Resources:
  # Bedrock Agent
  BedrockAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Ref AgentName
      Description: !Ref AgentDescription
      FoundationModel: !Ref FoundationModel
      IdleSessionTTLInSeconds: 1800
      AgentResourceRoleArn: !GetAtt AgentResourceRole.Arn
      AutoPrepare: true

  # Agent Resource Role
  AgentResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-bedrock-agent-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: !Sub "${AWS::StackName}-bedrock-agent-policy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:foundation-model/${FoundationModel}"

Outputs:
  AgentId:
    Description: ID of the Bedrock agent
    Value: !GetAtt BedrockAgent.AgentId
    Export:
      Name: !Sub "${AWS::StackName}-AgentId"

  AgentAliasId:
    Description: Alias ID of the Bedrock agent
    Value: !GetAtt BedrockAgent.LatestAgentAliasId
    Export:
      Name: !Sub "${AWS::StackName}-AgentAliasId"

  AgentArn:
    Description: ARN of the Bedrock agent
    Value: !GetAtt BedrockAgent.AgentArn
    Export:
      Name: !Sub "${AWS::StackName}-AgentArn"

Best Practices for Parameters

参数最佳实践

AWS-Specific Parameter Types

AWS特定参数类型

yaml

Parameters:
  # AWS-specific types for validation
  AgentId:
    Type: AWS::Bedrock::Agent::Id
    Description: Existing Bedrock agent ID

  KnowledgeBaseId:
    Type: AWS::Bedrock::KnowledgeBase::Id
    Description: Existing knowledge base ID

  GuardrailId:
    Type: AWS::Bedrock::Guardrail::Id
    Description: Existing guardrail ID

  FoundationModelArn:
    Type: AWS::Bedrock::FoundationModel::Arn
    Description: ARN of foundation model

  FoundationModelIdentifier:
    Type: AWS::Bedrock::FoundationModel::Identifier
    Description: Identifier of foundation model

  S3BucketArn:
    Type: AWS::S3::Bucket::Arn
    Description: S3 bucket ARN for data sources

  IAMRoleArn:
    Type: AWS::IAM::Role::Arn
    Description: IAM role for Bedrock operations

  KMSKeyArn:
    Type: AWS::KMS::Key::Arn
    Description: KMS key for encryption

yaml

Parameters:
  # AWS-specific types for validation
  AgentId:
    Type: AWS::Bedrock::Agent::Id
    Description: Existing Bedrock agent ID

  KnowledgeBaseId:
    Type: AWS::Bedrock::KnowledgeBase::Id
    Description: Existing knowledge base ID

  GuardrailId:
    Type: AWS::Bedrock::Guardrail::Id
    Description: Existing guardrail ID

  FoundationModelArn:
    Type: AWS::Bedrock::FoundationModel::Arn
    Description: ARN of foundation model

  FoundationModelIdentifier:
    Type: AWS::Bedrock::FoundationModel::Identifier
    Description: Identifier of foundation model

  S3BucketArn:
    Type: AWS::S3::Bucket::Arn
    Description: S3 bucket ARN for data sources

  IAMRoleArn:
    Type: AWS::IAM::Role::Arn
    Description: IAM role for Bedrock operations

  KMSKeyArn:
    Type: AWS::KMS::Key::Arn
    Description: KMS key for encryption

Parameter Constraints

参数约束

yaml

Parameters:
  AgentName:
    Type: String
    Default: my-agent
    Description: Bedrock agent name
    ConstraintDescription: Must be 1-100 characters, alphanumeric and underscores
    MinLength: 1
    MaxLength: 100
    AllowedPattern: "[a-zA-Z0-9_]+"

  KnowledgeBaseName:
    Type: String
    Default: my-kb
    Description: Knowledge base name
    ConstraintDescription: Must be 1-100 characters
    MinLength: 1
    MaxLength: 100

  MaxTokens:
    Type: Number
    Default: 4096
    Description: Maximum tokens for model response
    MinValue: 1
    MaxValue: 100000
    ConstraintDescription: Must be between 1 and 100000

  Temperature:
    Type: Number
    Default: 0.7
    Description: Temperature for model generation
    MinValue: 0
    MaxValue: 1
    ConstraintDescription: Must be between 0 and 1

yaml

Parameters:
  AgentName:
    Type: String
    Default: my-agent
    Description: Bedrock agent name
    ConstraintDescription: Must be 1-100 characters, alphanumeric and underscores
    MinLength: 1
    MaxLength: 100
    AllowedPattern: "[a-zA-Z0-9_]+"

  KnowledgeBaseName:
    Type: String
    Default: my-kb
    Description: Knowledge base name
    ConstraintDescription: Must be 1-100 characters
    MinLength: 1
    MaxLength: 100

  MaxTokens:
    Type: Number
    Default: 4096
    Description: Maximum tokens for model response
    MinValue: 1
    MaxValue: 100000
    ConstraintDescription: Must be between 1 and 100000

  Temperature:
    Type: Number
    Default: 0.7
    Description: Temperature for model generation
    MinValue: 0
    MaxValue: 1
    ConstraintDescription: Must be between 0 and 1

SSM Parameter References for Model Identifiers

模型标识符的SSM参数引用

yaml

Parameters:
  ClaudeModelIdentifier:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /bedrock/models/claude-identifier
    Description: Claude model identifier from SSM

  EmbeddingModelIdentifier:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /bedrock/models/embedding-identifier
    Description: Embedding model identifier from SSM

yaml

Parameters:
  ClaudeModelIdentifier:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /bedrock/models/claude-identifier
    Description: Claude model identifier from SSM

  EmbeddingModelIdentifier:
    Type: AWS::SSM::Parameter::Value<String>
    Default: /bedrock/models/embedding-identifier
    Description: Embedding model identifier from SSM

Outputs and Cross-Stack References

输出与跨栈引用

Export/Import Patterns

导出/导入模式

yaml

undefined

yaml

undefined

Stack A - Bedrock Infrastructure Stack

Stack A - Bedrock基础设施栈

AWSTemplateFormatVersion: 2010-09-09 Description: Bedrock infrastructure stack with agents and knowledge bases

Resources:

Bedrock Agent

CustomerSupportAgent: Type: AWS::Bedrock::Agent Properties: AgentName: !Sub "${AWS::StackName}-support-agent" Description: Agent for customer support FoundationModel: anthropic.claude-v3:5 AgentResourceRoleArn: !GetAtt AgentRole.Arn AutoPrepare: true

Knowledge Base

SupportKnowledgeBase: Type: AWS::Bedrock::KnowledgeBase Properties: KnowledgeBaseName: !Sub "${AWS::StackName}-support-kb" Description: Knowledge base for customer support EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:foundation-model/amazon.titan-embed-text-v1" VectorKnowledgeBaseConfiguration: VectorStoreConfiguration: OpensearchServerlessConfiguration: CollectionArn: !Ref OpenSearchCollectionArn VectorIndexName: knowledge-base-index FieldMapping: VectorField: vector TextField: text MetadataField: metadata RoleArn: !GetAtt KnowledgeBaseRole.Arn

Outputs: AgentId: Description: ID of the Bedrock agent Value: !GetAtt CustomerSupportAgent.AgentId Export: Name: !Sub "${AWS::StackName}-AgentId"

AgentAliasId: Description: Alias ID of the Bedrock agent Value: !GetAtt CustomerSupportAgent.LatestAgentAliasId Export: Name: !Sub "${AWS::StackName}-AgentAliasId"

AgentArn: Description: ARN of the Bedrock agent Value: !GetAtt CustomerSupportAgent.AgentArn Export: Name: !Sub "${AWS::StackName}-AgentArn"

KnowledgeBaseId: Description: ID of the knowledge base Value: !GetAtt SupportKnowledgeBase.KnowledgeBaseId Export: Name: !Sub "${AWS::StackName}-KnowledgeBaseId"

KnowledgeBaseArn: Description: ARN of the knowledge base Value: !GetAtt SupportKnowledgeBase.KnowledgeBaseArn Export: Name: !Sub "${AWS::StackName}-KnowledgeBaseArn"


```yaml

AWSTemplateFormatVersion: 2010-09-09 Description: Bedrock infrastructure stack with agents and knowledge bases

Resources:

Bedrock Agent

知识库

Outputs: AgentId: Description: ID of the Bedrock agent Value: !GetAtt CustomerSupportAgent.AgentId Export: Name: !Sub "${AWS::StackName}-AgentId"

AgentAliasId: Description: Alias ID of the Bedrock agent Value: !GetAtt CustomerSupportAgent.LatestAgentAliasId Export: Name: !Sub "${AWS::StackName}-AgentAliasId"

AgentArn: Description: ARN of the Bedrock agent Value: !GetAtt CustomerSupportAgent.AgentArn Export: Name: !Sub "${AWS::StackName}-AgentArn"

KnowledgeBaseId: Description: ID of the knowledge base Value: !GetAtt SupportKnowledgeBase.KnowledgeBaseId Export: Name: !Sub "${AWS::StackName}-KnowledgeBaseId"

KnowledgeBaseArn: Description: ARN of the knowledge base Value: !GetAtt SupportKnowledgeBase.KnowledgeBaseArn Export: Name: !Sub "${AWS::StackName}-KnowledgeBaseArn"


```yaml

Stack B - Application Stack (imports from Stack A)

Stack B - 应用栈（从Stack A导入资源）

AWSTemplateFormatVersion: 2010-09-09 Description: Application stack using Bedrock agent

Parameters: BedrockStackName: Type: String Default: bedrock-infrastructure Description: Name of the Bedrock infrastructure stack

Resources:

Lambda function that invokes Bedrock agent

AgentInvokerFunction: Type: AWS::Lambda::Function Properties: FunctionName: !Sub "${AWS::StackName}-agent-invoker" Runtime: python3.11 Handler: handler.invoke_agent Code: S3Bucket: !Ref CodeBucket S3Key: lambda/agent-invoker.zip Environment: Variables: AGENT_ID: !ImportValue !Sub "${BedrockStackName}-AgentId" AGENT_ALIAS_ID: !ImportValue !Sub "${BedrockStackName}-AgentAliasId" Role: !GetAtt LambdaExecutionRole.Arn

Lambda Execution Role with Bedrock permissions

LambdaExecutionRole: Type: AWS::IAM::Role Properties: RoleName: !Sub "${AWS::StackName}-lambda-role" AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole Policies: - PolicyName: BedrockAgentInvoke PolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Action: - bedrock:InvokeAgent Resource: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent/*"

undefined

AWSTemplateFormatVersion: 2010-09-09 Description: Application stack using Bedrock agent

Parameters: BedrockStackName: Type: String Default: bedrock-infrastructure Description: Name of the Bedrock infrastructure stack

Resources:

调用Bedrock Agent的Lambda函数

具备Bedrock权限的Lambda执行角色

undefined

Nested Stacks for Modularity

模块化嵌套栈

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Main stack with nested Bedrock stacks

Resources:
  # Nested stack for agents
  AgentsStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/bedrock-agents.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        AgentName: !Ref AgentName
        FoundationModel: !Ref FoundationModel

  # Nested stack for knowledge bases
  KnowledgeBaseStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/bedrock-knowledge-base.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        KnowledgeBaseName: !Ref KnowledgeBaseName
        VectorStoreType: !Ref VectorStoreType

  # Nested stack for guardrails
  GuardrailsStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/bedrock-guardrails.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        GuardrailName: !Ref GuardrailName

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: 包含嵌套Bedrock栈的主栈

Resources:
  # Agent嵌套栈
  AgentsStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/bedrock-agents.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        AgentName: !Ref AgentName
        FoundationModel: !Ref FoundationModel

  # 知识库嵌套栈
  KnowledgeBaseStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/bedrock-knowledge-base.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        KnowledgeBaseName: !Ref KnowledgeBaseName
        VectorStoreType: !Ref VectorStoreType

  # 防护机制嵌套栈
  GuardrailsStack:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://s3.amazonaws.com/bucket/bedrock-guardrails.yaml
      TimeoutInMinutes: 15
      Parameters:
        Environment: !Ref Environment
        GuardrailName: !Ref GuardrailName

Bedrock Agents with Action Groups

带动作组的Bedrock Agent

Agent with Lambda Action Group

带Lambda动作组的Agent

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock agent with Lambda action group for API operations

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Resources:
  # Agent Resource Role
  AgentResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-agent-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: BedrockAgentPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: "*"
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                  - lambda:InvokeAsync
                Resource: !GetAtt ActionGroupFunction.Arn

  # Lambda function for action group
  ActionGroupFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-action-group"
      Runtime: python3.11
      Handler: handler.handler
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: lambda/action-group.zip
      Role: !GetAtt LambdaExecutionRole.Arn

  # Lambda Execution Role
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-lambda-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # Bedrock Agent
  ApiAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-api-agent"
      Description: Agent for API operations
      FoundationModel: anthropic.claude-v3:5
      AgentResourceRoleArn: !GetAtt AgentResourceRole.Arn
      AutoPrepare: true

  # Action Group with Lambda function
  ApiActionGroup:
    Type: AWS::Bedrock::AgentActionGroup
    Properties:
      AgentId: !Ref ApiAgent
      AgentVersion: DRAFT
      ActionGroupName: ApiActionGroup
      Description: Action group for API operations
      ActionGroupExecutor:
        Lambda: !Ref ActionGroupFunction
      ApiSchema:
        S3:
          S3BucketName: !Ref ApiSchemaBucket
          S3ObjectKey: api-schema.json
      SkipModelsInExecution: false

  # API Schema in S3
  ApiSchemaBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-api-schema-${AWS::AccountId}-${AWS::Region}"

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock agent with Lambda action group for API operations

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Resources:
  # Agent资源角色
  AgentResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-agent-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: BedrockAgentPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: "*"
              - Effect: Allow
                Action:
                  - lambda:InvokeFunction
                  - lambda:InvokeAsync
                Resource: !GetAtt ActionGroupFunction.Arn

  # 动作组Lambda函数
  ActionGroupFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: !Sub "${AWS::StackName}-action-group"
      Runtime: python3.11
      Handler: handler.handler
      Code:
        S3Bucket: !Ref CodeBucket
        S3Key: lambda/action-group.zip
      Role: !GetAtt LambdaExecutionRole.Arn

  # Lambda执行角色
  LambdaExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-lambda-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

  # Bedrock Agent
  ApiAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-api-agent"
      Description: Agent for API operations
      FoundationModel: anthropic.claude-v3:5
      AgentResourceRoleArn: !GetAtt AgentResourceRole.Arn
      AutoPrepare: true

  # 带Lambda函数的动作组
  ApiActionGroup:
    Type: AWS::Bedrock::AgentActionGroup
    Properties:
      AgentId: !Ref ApiAgent
      AgentVersion: DRAFT
      ActionGroupName: ApiActionGroup
      Description: Action group for API operations
      ActionGroupExecutor:
        Lambda: !Ref ActionGroupFunction
      ApiSchema:
        S3:
          S3BucketName: !Ref ApiSchemaBucket
          S3ObjectKey: api-schema.json
      SkipModelsInExecution: false

  # S3存储桶用于存放API Schema
  ApiSchemaBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-api-schema-${AWS::AccountId}-${AWS::Region}"

Agent with Knowledge Base Integration

集成知识库的Agent

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock agent with knowledge base for RAG

Parameters:
  Environment:
    Type: String
    Default: dev

Resources:
  # Agent Resource Role
  AgentResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-agent-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AgentPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: "*"
              - Effect: Allow
                Action:
                  - bedrock:Retrieve
                  - bedrock:RetrieveAndGenerate
                Resource: !GetAtt KnowledgeBase.KnowledgeBaseArn

  # OpenSearch Serverless Collection
  OpenSearchCollection:
    Type: AWS::OpenSearchServerless::Collection
    Properties:
      Name: !Sub "${AWS::StackName}-kb-collection"
      Type: SEARCH

  # OpenSearch Serverless Access Policy
  AccessPolicy:
    Type: AWS::OpenSearchServerless::AccessPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-access-policy"
      Policy: !Sub |
        [
          {
            "Rules": [
              {
                "Resource": ["collection/${OpenSearchCollection.id}"],
                "Permission": ["aoss:*"]
              },
              {
                "Resource": ["index/collection/${OpenSearchCollection.id}/*"],
                "Permission": ["aoss:*"]
              }
            ],
            "Principal": ["${AgentResourceRole.Arn}"]
          }
        ]
      Type: data

  # Knowledge Base
  KnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      KnowledgeBaseName: !Sub "${AWS::StackName}-kb"
      Description: Knowledge base for document retrieval
      EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:foundation-model/amazon.titan-embed-text-v1"
      VectorKnowledgeBaseConfiguration:
        VectorStoreConfiguration:
          OpensearchServerlessConfiguration:
            CollectionArn: !GetAtt OpenSearchCollection.Arn
            VectorIndexName: kb-index
            FieldMapping:
              VectorField: vector
              TextField: text
              MetadataField: metadata
      RoleArn: !GetAtt AgentResourceRole.Arn

  # Bedrock Agent with knowledge base
  RAGAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-rag-agent"
      Description: Agent with knowledge base for RAG
      FoundationModel: anthropic.claude-v3:5
      AgentResourceRoleArn: !GetAtt AgentResourceRole.Arn
      AutoPrepare: true
      KnowledgeBases:
        - KnowledgeBaseId: !Ref KnowledgeBase
          Description: Main knowledge base for document retrieval

  # Data Source for Knowledge Base
  KnowledgeBaseDataSource:
    Type: AWS::Bedrock::DataSource
    Properties:
      KnowledgeBaseId: !Ref KnowledgeBase
      DataSourceName: !Sub "${AWS::StackName}-datasource"
      Description: S3 data source for documents
      DataSourceConfiguration:
        S3Configuration:
          BucketArn: !Ref DocumentBucket
          InclusionPrefixes:
            - documents/
            - pdfs/
      VectorIngestionConfiguration:
        ChunkingConfiguration:
          ChunkingStrategy: FIXED_SIZE
          FixedSizeChunking:
            MaxTokens: 512
            OverlapPercentage: 20

  # Document Bucket
  DocumentBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-documents-${AWS::AccountId}-${AWS::Region}"

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock agent with knowledge base for RAG

Parameters:
  Environment:
    Type: String
    Default: dev

Resources:
  # Agent资源角色
  AgentResourceRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-agent-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: AgentPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: "*"
              - Effect: Allow
                Action:
                  - bedrock:Retrieve
                  - bedrock:RetrieveAndGenerate
                Resource: !GetAtt KnowledgeBase.KnowledgeBaseArn

  # OpenSearch Serverless集合
  OpenSearchCollection:
    Type: AWS::OpenSearchServerless::Collection
    Properties:
      Name: !Sub "${AWS::StackName}-kb-collection"
      Type: SEARCH

  # OpenSearch Serverless访问策略
  AccessPolicy:
    Type: AWS::OpenSearchServerless::AccessPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-access-policy"
      Policy: !Sub |
        [
          {
            "Rules": [
              {
                "Resource": ["collection/${OpenSearchCollection.id}"],
                "Permission": ["aoss:*"]
              },
              {
                "Resource": ["index/collection/${OpenSearchCollection.id}/*"],
                "Permission": ["aoss:*"]
              }
            ],
            "Principal": ["${AgentResourceRole.Arn}"]
          }
        ]
      Type: data

  # 知识库
  KnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      KnowledgeBaseName: !Sub "${AWS::StackName}-kb"
      Description: Knowledge base for document retrieval
      EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:foundation-model/amazon.titan-embed-text-v1"
      VectorKnowledgeBaseConfiguration:
        VectorStoreConfiguration:
          OpensearchServerlessConfiguration:
            CollectionArn: !GetAtt OpenSearchCollection.Arn
            VectorIndexName: kb-index
            FieldMapping:
              VectorField: vector
              TextField: text
              MetadataField: metadata
      RoleArn: !GetAtt AgentResourceRole.Arn

  # 集成知识库的Bedrock Agent
  RAGAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-rag-agent"
      Description: Agent with knowledge base for RAG
      FoundationModel: anthropic.claude-v3:5
      AgentResourceRoleArn: !GetAtt AgentResourceRole.Arn
      AutoPrepare: true
      KnowledgeBases:
        - KnowledgeBaseId: !Ref KnowledgeBase
          Description: Main knowledge base for document retrieval

  # 知识库数据源
  KnowledgeBaseDataSource:
    Type: AWS::Bedrock::DataSource
    Properties:
      KnowledgeBaseId: !Ref KnowledgeBase
      DataSourceName: !Sub "${AWS::StackName}-datasource"
      Description: S3 data source for documents
      DataSourceConfiguration:
        S3Configuration:
          BucketArn: !Ref DocumentBucket
          InclusionPrefixes:
            - documents/
            - pdfs/
      VectorIngestionConfiguration:
        ChunkingConfiguration:
          ChunkingStrategy: FIXED_SIZE
          FixedSizeChunking:
            MaxTokens: 512
            OverlapPercentage: 20

  # 文档存储桶
  DocumentBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub "${AWS::StackName}-documents-${AWS::AccountId}-${AWS::Region}"

Knowledge Bases and Vector Stores

知识库与向量存储

Knowledge Base with OpenSearch Serverless

基于OpenSearch Serverless的知识库

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Knowledge base with OpenSearch Serverless vector store

Resources:
  # OpenSearch Serverless Collection
  VectorCollection:
    Type: AWS::OpenSearchServerless::Collection
    Properties:
      Name: !Sub "${AWS::StackName}-vector-collection"
      Type: SEARCH

  # Security Policy
  SecurityPolicy:
    Type: AWS::OpenSearchServerless::SecurityPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-security-policy"
      Policy: !Sub |
        {
          "Rules": [
            {
              "Resource": ["collection/${VectorCollection.id}"],
              "ResourceType": "collection"
            }
          ],
          "Principal": ["*"]
        }
      Type: encryption

  # Access Policy
  AccessPolicy:
    Type: AWS::OpenSearchServerless::AccessPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-access-policy"
      Policy: !Sub |
        [
          {
            "Rules": [
              {
                "Resource": ["collection/${VectorCollection.id}"],
                "Permission": ["aoss:*"]
              }
            ],
            "Principal": ["${KnowledgeBaseRole.Arn}"]
          }
        ]
      Type: data

  # Knowledge Base Role
  KnowledgeBaseRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-kb-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: KnowledgeBasePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - aoss:APIAccessAll
                Resource: !GetAtt VectorCollection.Arn
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub "${DocumentBucket.Arn}/*"

  # Knowledge Base
  KnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      KnowledgeBaseName: !Sub "${AWS::StackName}-knowledge-base"
      Description: Vector knowledge base with OpenSearch
      EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:foundation-model/amazon.titan-embed-text-v1"
      VectorKnowledgeBaseConfiguration:
        VectorStoreConfiguration:
          OpensearchServerlessConfiguration:
            CollectionArn: !GetAtt VectorCollection.Arn
            VectorIndexName: knowledge-index
            FieldMapping:
              VectorField: vector
              TextField: text
              MetadataField: metadata
      RoleArn: !GetAtt KnowledgeBaseRole.Arn

  # Data Source
  DataSource:
    Type: AWS::Bedrock::DataSource
    Properties:
      KnowledgeBaseId: !Ref KnowledgeBase
      DataSourceName: !Sub "${AWS::StackName}-s3-datasource"
      DataSourceConfiguration:
        S3Configuration:
          BucketArn: !Ref DocumentBucket
      VectorIngestionConfiguration:
        ChunkingConfiguration:
          ChunkingStrategy: FIXED_SIZE
          FixedSizeChunking:
            MaxTokens: 1000
            OverlapPercentage: 10

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Knowledge base with OpenSearch Serverless vector store

Resources:
  # OpenSearch Serverless集合
  VectorCollection:
    Type: AWS::OpenSearchServerless::Collection
    Properties:
      Name: !Sub "${AWS::StackName}-vector-collection"
      Type: SEARCH

  # 安全策略
  SecurityPolicy:
    Type: AWS::OpenSearchServerless::SecurityPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-security-policy"
      Policy: !Sub |
        {
          "Rules": [
            {
              "Resource": ["collection/${VectorCollection.id}"],
              "ResourceType": "collection"
            }
          ],
          "Principal": ["*"]
        }
      Type: encryption

  # 访问策略
  AccessPolicy:
    Type: AWS::OpenSearchServerless::AccessPolicy
    Properties:
      Name: !Sub "${AWS::StackName}-access-policy"
      Policy: !Sub |
        [
          {
            "Rules": [
              {
                "Resource": ["collection/${VectorCollection.id}"],
                "Permission": ["aoss:*"]
              }
            ],
            "Principal": ["${KnowledgeBaseRole.Arn}"]
          }
        ]
      Type: data

  # 知识库角色
  KnowledgeBaseRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-kb-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: KnowledgeBasePolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - aoss:APIAccessAll
                Resource: !GetAtt VectorCollection.Arn
              - Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub "${DocumentBucket.Arn}/*"

  # 知识库
  KnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      KnowledgeBaseName: !Sub "${AWS::StackName}-knowledge-base"
      Description: Vector knowledge base with OpenSearch
      EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:foundation-model/amazon.titan-embed-text-v1"
      VectorKnowledgeBaseConfiguration:
        VectorStoreConfiguration:
          OpensearchServerlessConfiguration:
            CollectionArn: !GetAtt VectorCollection.Arn
            VectorIndexName: knowledge-index
            FieldMapping:
              VectorField: vector
              TextField: text
              MetadataField: metadata
      RoleArn: !GetAtt KnowledgeBaseRole.Arn

  # 数据源
  DataSource:
    Type: AWS::Bedrock::DataSource
    Properties:
      KnowledgeBaseId: !Ref KnowledgeBase
      DataSourceName: !Sub "${AWS::StackName}-s3-datasource"
      DataSourceConfiguration:
        S3Configuration:
          BucketArn: !Ref DocumentBucket
      VectorIngestionConfiguration:
        ChunkingConfiguration:
          ChunkingStrategy: FIXED_SIZE
          FixedSizeChunking:
            MaxTokens: 1000
            OverlapPercentage: 10

Knowledge Base with Pinecone

基于Pinecone的知识库

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Knowledge base with Pinecone vector store

Parameters:
  PineconeApiKey:
    Type: String
    Description: Pinecone API key (use Secrets Manager in production)
    NoEcho: true

Resources:
  # Knowledge Base Role
  KnowledgeBaseRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-kb-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: SecretsManagerAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource: !Ref PineconeSecretArn

  # Pinecone Connection Configuration
  PineconeConnection:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}-pinecone-credentials"
      SecretString: !Sub '{"PINECONE_API_KEY":"${PineconeApiKey}"}'

  # Knowledge Base with Pinecone
  KnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      KnowledgeBaseName: !Sub "${AWS::StackName}-pinecone-kb"
      Description: Knowledge base with Pinecone vector store
      EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:foundation-model/amazon.titan-embed-text-v1"
      VectorKnowledgeBaseConfiguration:
        VectorStoreConfiguration:
          PineconeConfiguration:
            ConnectionString: !Ref PineconeConnectionString
            CredentialsSecretArn: !Ref PineconeConnection
            Namespace: !Ref PineconeNamespace
            FieldMapping:
              TextField: text
              MetadataField: metadata
      RoleArn: !GetAtt KnowledgeBaseRole.Arn

  # Data Source
  DataSource:
    Type: AWS::Bedrock::DataSource
    Properties:
      KnowledgeBaseId: !Ref KnowledgeBase
      DataSourceName: !Sub "${AWS::StackName}-pinecone-ds"
      DataSourceConfiguration:
        S3Configuration:
          BucketArn: !Ref DocumentBucket

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Knowledge base with Pinecone vector store

Parameters:
  PineconeApiKey:
    Type: String
    Description: Pinecone API key (use Secrets Manager in production)
    NoEcho: true

Resources:
  # 知识库角色
  KnowledgeBaseRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-kb-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: SecretsManagerAccess
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - secretsmanager:GetSecretValue
                Resource: !Ref PineconeSecretArn

  # Pinecone连接配置
  PineconeConnection:
    Type: AWS::SecretsManager::Secret
    Properties:
      Name: !Sub "${AWS::StackName}-pinecone-credentials"
      SecretString: !Sub '{"PINECONE_API_KEY":"${PineconeApiKey}"}'

  # 基于Pinecone的知识库
  KnowledgeBase:
    Type: AWS::Bedrock::KnowledgeBase
    Properties:
      KnowledgeBaseName: !Sub "${AWS::StackName}-pinecone-kb"
      Description: Knowledge base with Pinecone vector store
      EmbeddingModelArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:foundation-model/amazon.titan-embed-text-v1"
      VectorKnowledgeBaseConfiguration:
        VectorStoreConfiguration:
          PineconeConfiguration:
            ConnectionString: !Ref PineconeConnectionString
            CredentialsSecretArn: !Ref PineconeConnection
            Namespace: !Ref PineconeNamespace
            FieldMapping:
              TextField: text
              MetadataField: metadata
      RoleArn: !GetAtt KnowledgeBaseRole.Arn

  # 数据源
  DataSource:
    Type: AWS::Bedrock::DataSource
    Properties:
      KnowledgeBaseId: !Ref KnowledgeBase
      DataSourceName: !Sub "${AWS::StackName}-pinecone-ds"
      DataSourceConfiguration:
        S3Configuration:
          BucketArn: !Ref DocumentBucket

Guardrails for Content Moderation

内容审核防护机制（Guardrails）

Guardrail with Multiple Filters

多过滤器防护机制

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock guardrail for content moderation

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Resources:
  # Guardrail
  ContentGuardrail:
    Type: AWS::Bedrock::Guardrail
    Properties:
      GuardrailName: !Sub "${AWS::StackName}-guardrail"
      Description: Content moderation guardrail
      # Topic Policy - Define denied topics
      TopicPolicy:
        Topics:
          - Name: FinancialAdvice
            Definition: Providing personalized financial investment advice
            Examples:
              - "What stocks should I buy?"
              - "Should I invest in crypto?"
            Type: DENIED
          - Name: MedicalAdvice
            Definition: Providing medical diagnosis or treatment recommendations
            Examples:
              - "What medication should I take?"
              - "Do I have COVID?"
            Type: DENIED
      # Sensitive Information Policy
      SensitiveInformationPolicy:
        PiiEntities:
          - Name: EMAIL
            Action: MASK
          - Name: PHONE_NUMBER
            Action: MASK
          - Name: SSN
            Action: BLOCK
          - Name: CREDIT_DEBIT_NUMBER
            Action: BLOCK
        Regexes:
          - Name: CustomPattern
            Pattern: "\\d{3}-\\d{2}-\\d{4}"
            Action: MASK
      # Word Policy - Custom blocked words
      WordPolicy:
        Words:
          - Text: "spam"
          - Text: "scam"
          - Text: "fraud"
        ManagedWordLists:
          - Type: PROFANITY
      # Content Policy
      ContentPolicy:
        Filters:
          - Type: PROFANITY
            InputStrength: LOW
            OutputStrength: LOW
          - Type: HATE
            InputStrength: MEDIUM
            OutputStrength: HIGH
          - Type: SEXUAL
            InputStrength: LOW
            OutputStrength: MEDIUM
          - Type: VIOLENCE
            InputStrength: MEDIUM
            OutputStrength: HIGH
      # Contextual Grounding Policy
      ContextualGroundingPolicy:
        Filters:
          - Type: GROUNDING
            Threshold: 0.7
          - Type: RELEVANCE
            Threshold: 0.7

Outputs:
  GuardrailId:
    Description: ID of the guardrail
    Value: !GetAtt ContentGuardrail.GuardrailId
    Export:
      Name: !Sub "${AWS::StackName}-GuardrailId"

  GuardrailVersion:
    Description: Version of the guardrail
    Value: !GetAtt ContentGuardrail.GuardrailVersion
    Export:
      Name: !Sub "${AWS::StackName}-GuardrailVersion"

  GuardrailArn:
    Description: ARN of the guardrail
    Value: !GetAtt ContentGuardrail.GuardrailArn
    Export:
      Name: !Sub "${AWS::StackName}-GuardrailArn"

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock guardrail for content moderation

Parameters:
  Environment:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - staging
      - production

Resources:
  # 防护机制
  ContentGuardrail:
    Type: AWS::Bedrock::Guardrail
    Properties:
      GuardrailName: !Sub "${AWS::StackName}-guardrail"
      Description: Content moderation guardrail
      # 主题策略 - 定义禁止的主题
      TopicPolicy:
        Topics:
          - Name: FinancialAdvice
            Definition: Providing personalized financial investment advice
            Examples:
              - "What stocks should I buy?"
              - "Should I invest in crypto?"
            Type: DENIED
          - Name: MedicalAdvice
            Definition: Providing medical diagnosis or treatment recommendations
            Examples:
              - "What medication should I take?"
              - "Do I have COVID?"
            Type: DENIED
      # 敏感信息策略
      SensitiveInformationPolicy:
        PiiEntities:
          - Name: EMAIL
            Action: MASK
          - Name: PHONE_NUMBER
            Action: MASK
          - Name: SSN
            Action: BLOCK
          - Name: CREDIT_DEBIT_NUMBER
            Action: BLOCK
        Regexes:
          - Name: CustomPattern
            Pattern: "\\d{3}-\\d{2}-\\d{4}"
            Action: MASK
      # 词汇策略 - 自定义屏蔽词汇
      WordPolicy:
        Words:
          - Text: "spam"
          - Text: "scam"
          - Text: "fraud"
        ManagedWordLists:
          - Type: PROFANITY
      # 内容策略
      ContentPolicy:
        Filters:
          - Type: PROFANITY
            InputStrength: LOW
            OutputStrength: LOW
          - Type: HATE
            InputStrength: MEDIUM
            OutputStrength: HIGH
          - Type: SEXUAL
            InputStrength: LOW
            OutputStrength: MEDIUM
          - Type: VIOLENCE
            InputStrength: MEDIUM
            OutputStrength: HIGH
      # 上下文关联策略
      ContextualGroundingPolicy:
        Filters:
          - Type: GROUNDING
            Threshold: 0.7
          - Type: RELEVANCE
            Threshold: 0.7

Outputs:
  GuardrailId:
    Description: ID of the guardrail
    Value: !GetAtt ContentGuardrail.GuardrailId
    Export:
      Name: !Sub "${AWS::StackName}-GuardrailId"

  GuardrailVersion:
    Description: Version of the guardrail
    Value: !GetAtt ContentGuardrail.GuardrailVersion
    Export:
      Name: !Sub "${AWS::StackName}-GuardrailVersion"

  GuardrailArn:
    Description: ARN of the guardrail
    Value: !GetAtt ContentGuardrail.GuardrailArn
    Export:
      Name: !Sub "${AWS::StackName}-GuardrailArn"

Bedrock Flows for Workflow Orchestration

用于工作流编排的Bedrock Flow

Flow with Multiple Nodes

多节点Flow

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock Flow for AI workflow orchestration

Resources:
  # Flow Role
  FlowRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-flow-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: FlowPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: "*"
              - Effect: Allow
                Action:
                  - bedrock:Retrieve
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:knowledge-base/*"

  # Bedrock Flow
  ProcessingFlow:
    Type: AWS::Bedrock::Flow
    Properties:
      Name: !Sub "${AWS::StackName}-processing-flow"
      Description: Flow for processing customer requests
      ExecutionRoleArn: !GetAtt FlowRole.Arn
      Definition:
        StartAt: IntentClassifier
        Nodes:
          IntentClassifier:
            Type: Classifier
            Name: IntentClassifier
            Description: Classifies the user intent
            Configuration:
              BedrockClassifierConfiguration:
                BedrockFoundationModelConfiguration:
                  ModelId: anthropic.claude-v3:5
                  InferenceConfiguration:
                    Temperature: 0.0
                InputConfiguration:
                  TextInput:
                    Name: user_input
                OutputConfiguration:
                  StructuredOutput:
                    Name: intent
                    Description: Classified intent
                    JsonOutputSchema:
                      properties:
                        intent:
                          type: string
                          enum:
                            - product_inquiry
                            - order_status
                            - refund_request
                            - general_question
                        confidence:
                          type: number
            Transitions:
              Next:
                ProductInquiry: product_inquiry
                OrderStatus: order_status
                RefundRequest: refund_request
                GeneralQuestion: "*"
          ProductInquiry:
            Type: KnowledgeBase
            Name: ProductInquiry
            Description: Retrieves product information
            Configuration:
              KnowledgeBaseConfiguration:
                KnowledgeBaseId: !Ref ProductKnowledgeBase
                ModelId: anthropic.claude-v3:5
            Transitions:
              Next: ResponseGenerator
          OrderStatus:
            Type: LambdaFunction
            Name: OrderStatus
            Description: Checks order status
            Configuration:
              LambdaConfiguration:
                LambdaArn: !GetAtt OrderStatusFunction.Arn
            Transitions:
              Next: ResponseGenerator
          RefundRequest:
            Type: LambdaFunction
            Name: RefundRequest
            Description: Processes refund requests
            Configuration:
              LambdaConfiguration:
                LambdaArn: !GetAtt RefundFunction.Arn
            Transitions:
              Next: ResponseGenerator
          GeneralQuestion:
            Type: Model
            Name: GeneralQuestion
            Description: Answers general questions
            Configuration:
              BedrockModelConfiguration:
                ModelId: anthropic.claude-v3:5
                InferenceConfiguration:
                  Temperature: 0.7
                  MaxTokens: 1000
            Transitions:
              Next: ResponseGenerator
          ResponseGenerator:
            Type: Model
            Name: ResponseGenerator
            Description: Generates final response
            Configuration:
              BedrockModelConfiguration:
                ModelId: anthropic.claude-v3:5
                InferenceConfiguration:
                  Temperature: 0.7
                  MaxTokens: 2000
            IsEnd: true

Outputs:
  FlowId:
    Description: ID of the flow
    Value: !Ref ProcessingFlow
    Export:
      Name: !Sub "${AWS::StackName}-FlowId"

  FlowArn:
    Description: ARN of the flow
    Value: !GetAtt ProcessingFlow.Arn
    Export:
      Name: !Sub "${AWS::StackName}-FlowArn"

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Bedrock Flow for AI workflow orchestration

Resources:
  # Flow角色
  FlowRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub "${AWS::StackName}-flow-role"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: bedrock.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: FlowPolicy
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - bedrock:InvokeModel
                  - bedrock:InvokeModelWithResponseStream
                Resource: "*"
              - Effect: Allow
                Action:
                  - bedrock:Retrieve
                Resource: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:knowledge-base/*"

  # Bedrock Flow
  ProcessingFlow:
    Type: AWS::Bedrock::Flow
    Properties:
      Name: !Sub "${AWS::StackName}-processing-flow"
      Description: Flow for processing customer requests
      ExecutionRoleArn: !GetAtt FlowRole.Arn
      Definition:
        StartAt: IntentClassifier
        Nodes:
          IntentClassifier:
            Type: Classifier
            Name: IntentClassifier
            Description: Classifies the user intent
            Configuration:
              BedrockClassifierConfiguration:
                BedrockFoundationModelConfiguration:
                  ModelId: anthropic.claude-v3:5
                  InferenceConfiguration:
                    Temperature: 0.0
                InputConfiguration:
                  TextInput:
                    Name: user_input
                OutputConfiguration:
                  StructuredOutput:
                    Name: intent
                    Description: Classified intent
                    JsonOutputSchema:
                      properties:
                        intent:
                          type: string
                          enum:
                            - product_inquiry
                            - order_status
                            - refund_request
                            - general_question
                        confidence:
                          type: number
            Transitions:
              Next:
                ProductInquiry: product_inquiry
                OrderStatus: order_status
                RefundRequest: refund_request
                GeneralQuestion: "*"
          ProductInquiry:
            Type: KnowledgeBase
            Name: ProductInquiry
            Description: Retrieves product information
            Configuration:
              KnowledgeBaseConfiguration:
                KnowledgeBaseId: !Ref ProductKnowledgeBase
                ModelId: anthropic.claude-v3:5
            Transitions:
              Next: ResponseGenerator
          OrderStatus:
            Type: LambdaFunction
            Name: OrderStatus
            Description: Checks order status
            Configuration:
              LambdaConfiguration:
                LambdaArn: !GetAtt OrderStatusFunction.Arn
            Transitions:
              Next: ResponseGenerator
          RefundRequest:
            Type: LambdaFunction
            Name: RefundRequest
            Description: Processes refund requests
            Configuration:
              LambdaConfiguration:
                LambdaArn: !GetAtt RefundFunction.Arn
            Transitions:
              Next: ResponseGenerator
          GeneralQuestion:
            Type: Model
            Name: GeneralQuestion
            Description: Answers general questions
            Configuration:
              BedrockModelConfiguration:
                ModelId: anthropic.claude-v3:5
                InferenceConfiguration:
                  Temperature: 0.7
                  MaxTokens: 1000
            Transitions:
              Next: ResponseGenerator
          ResponseGenerator:
            Type: Model
            Name: ResponseGenerator
            Description: Generates final response
            Configuration:
              BedrockModelConfiguration:
                ModelId: anthropic.claude-v3:5
                InferenceConfiguration:
                  Temperature: 0.7
                  MaxTokens: 2000
            IsEnd: true

Outputs:
  FlowId:
    Description: ID of the flow
    Value: !Ref ProcessingFlow
    Export:
      Name: !Sub "${AWS::StackName}-FlowId"

  FlowArn:
    Description: ARN of the flow
    Value: !GetAtt ProcessingFlow.Arn
    Export:
      Name: !Sub "${AWS::StackName}-FlowArn"

Inference Profiles for Multi-Model Access

用于多模型访问的推理配置文件

Application Inference Profile

应用推理配置文件

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Application inference profile for optimized model access

Parameters:
  InferenceProfileName:
    Type: String
    Default: production-profile
    Description: Name of the inference profile

Resources:
  # Application Inference Profile
  ProductionProfile:
    Type: AWS::Bedrock::ApplicationInferenceProfile
    Properties:
      ApplicationInferenceProfileName: !Ref InferenceProfileName
      Description: Production inference profile for multi-model access
      ModelSource:
        CopyFrom: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:application-inference-profile/*"
      InferenceConfiguration:
        Text:
          anthropic.claude-v3:5:
            Temperature: 0.7
            MaxTokens: 4096
            TopP: 0.999
          anthropic.claude-sonnet-4-20250514:
            Temperature: 0.7
            MaxTokens: 4096

Outputs:
  InferenceProfileId:
    Description: ID of the inference profile
    Value: !Ref ProductionProfile
    Export:
      Name: !Sub "${AWS::StackName}-InferenceProfileId"

  InferenceProfileArn:
    Description: ARN of the inference profile
    Value: !GetAtt ProductionProfile.Arn
    Export:
      Name: !Sub "${AWS::StackName}-InferenceProfileArn"

yaml

AWSTemplateFormatVersion: 2010-09-09
Description: Application inference profile for optimized model access

Parameters:
  InferenceProfileName:
    Type: String
    Default: production-profile
    Description: Name of the inference profile

Resources:
  # 应用推理配置文件
  ProductionProfile:
    Type: AWS::Bedrock::ApplicationInferenceProfile
    Properties:
      ApplicationInferenceProfileName: !Ref InferenceProfileName
      Description: Production inference profile for multi-model access
      ModelSource:
        CopyFrom: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:application-inference-profile/*"
      InferenceConfiguration:
        Text:
          anthropic.claude-v3:5:
            Temperature: 0.7
            MaxTokens: 4096
            TopP: 0.999
          anthropic.claude-sonnet-4-20250514:
            Temperature: 0.7
            MaxTokens: 4096

Outputs:
  InferenceProfileId:
    Description: ID of the inference profile
    Value: !Ref ProductionProfile
    Export:
      Name: !Sub "${AWS::StackName}-InferenceProfileId"

  InferenceProfileArn:
    Description: ARN of the inference profile
    Value: !GetAtt ProductionProfile.Arn
    Export:
      Name: !Sub "${AWS::StackName}-InferenceProfileArn"

Best Practices

最佳实践

Security

安全

Use IAM roles with minimum necessary permissions for Bedrock operations
Enable encryption for all knowledge base data and vectors
Use guardrails for content moderation in production deployments
Implement VPC endpoints for private Bedrock access
Use AWS Secrets Manager for API keys and credentials
Configure cross-account access carefully with proper IAM policies
Audit Bedrock API calls with CloudTrail

为Bedrock操作使用权限最小化的IAM角色
为所有知识库数据和向量启用加密
在生产环境中使用防护机制进行内容审核
配置VPC终端节点以实现Bedrock的私有访问
使用AWS Secrets Manager存储API密钥和凭证
通过适当的IAM策略谨慎配置跨账户访问
使用CloudTrail审计Bedrock API调用

Performance

性能

Choose appropriate embedding models based on use case
Optimize chunking strategies for knowledge base ingestion
Use inference profiles for consistent latency across models
Monitor token usage and implement rate limiting
Configure appropriate timeouts for long-running operations
Use provisioned throughput for predictable workloads
Cache frequently accessed knowledge base results

根据使用场景选择合适的嵌入模型
优化知识库数据摄入的分块策略
使用推理配置文件确保跨模型的延迟一致性
监控令牌使用情况并实现速率限制
为长时间运行的操作配置合适的超时时间
使用预置吞吐量以应对可预测的工作负载
缓存频繁访问的知识库结果

Monitoring

监控

Enable CloudWatch metrics for Bedrock API calls
Create alarms for throttled requests and errors
Monitor knowledge base retrieval latency
Track token usage and costs per model
Implement logging for agent interactions
Monitor guardrail violations and content moderation
Use Bedrock model invocation logs for debugging

为Bedrock API调用启用CloudWatch指标
为限流请求和错误创建告警
监控知识库检索延迟
跟踪各模型的令牌使用情况和成本
为Agent交互实现日志记录
监控防护机制违规情况和内容审核
使用Bedrock模型调用日志进行调试

Cost Optimization

成本优化

Use on-demand pricing for variable workloads
Implement caching for frequent model invocations
Choose appropriate model sizes for task requirements
Use knowledge base retrieval filtering to reduce costs
Implement batch processing for non-real-time workloads
Monitor and optimize token consumption

针对可变工作负载使用按需定价
为频繁的模型调用实现缓存
根据任务需求选择合适的模型规模
使用知识库检索过滤来降低成本
针对非实时工作负载实现批处理
监控并优化令牌消耗

CloudFormation Stack Management Best Practices

CloudFormation栈管理最佳实践

Stack Policies

栈策略

yaml

Resources:
  BedrockAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-agent"

yaml

Resources:
  BedrockAgent:
    Type: AWS::Bedrock::Agent
    Properties:
      AgentName: !Sub "${AWS::StackName}-agent"

Stack policy to protect Bedrock resources

保护Bedrock资源的栈策略

StackPolicy: Type: AWS::CloudFormation::StackPolicy Properties: PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: "" Action: "Update:" Resource: "" - Effect: Deny Principal: "" Action: - Update:Delete Resource: - LogicalId: BedrockAgent ResourceType: AWS::Bedrock::Agent

undefined

undefined

Drift Detection

漂移检测

bash

undefined

bash

undefined

Detect drift on a stack

检测栈的漂移

aws cloudformation detect-drift --stack-name my-bedrock-stack

Get resource drift status

获取资源漂移状态

aws cloudformation describe-stack-resource-drifts
--stack-name my-bedrock-stack

undefined

aws cloudformation describe-stack-resource-drifts
--stack-name my-bedrock-stack

undefined

Related Resources

Additional Files

附加文件

For complete details on resources and their properties, see:

REFERENCE.md - Detailed reference guide for all Bedrock CloudFormation resources
EXAMPLES.md - Complete production-ready examples

如需了解资源及其属性的完整详情，请查看：

REFERENCE.md - 所有Bedrock CloudFormation资源的详细参考指南
EXAMPLES.md - 完整的生产环境可用示例