Agentic DevOps Assistant
Stop building simple chatbots. Learn to build an AI Agent that can reason, use tools, and actually audit your AWS infrastructure. This guide teaches you how to connect a large language model to your cloud environment securely.
The "Brain & Hands" Architecture
The Brain
Amazon Bedrock manages the logic and decides which tools to call.
The Hands
AWS Lambda runs Python code to interact with S3, EC2, and more.
The Guard
IAM Policies ensure the Agent can only "see" what you allow.
1 Security First: IAM Policy
The Agent needs a "Least Privilege" policy. It should audit, but not destroy. You can also add other services to the policy with read-only permissions to get a broader response from the Agent. (This is a crucial step. Never give your Agent more permissions than it needs.)

For now, we will just give it permission to list S3 buckets and check their encryption status. This way, even if the Agent goes rogue, it can't do any harm. Just copy and paste this JSON into your IAM policy editor.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetEncryptionConfiguration"
      ],
      "Resource": "*"
    }
  ]
}
```
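An added example, not part of the original guide: a small check to run on a policy document before attaching it to the Agent's Lambda role, to confirm it still only audits after you add other services. The `READ_ONLY_VERBS` and `DATA_READS` lists, the function names and the widened sample policy are assumptions of this example, not an AWS definition of "read-only".

```python
import fnmatch
import json

# Assumptions of this example: verbs treated as read-only, and a short,
# non-exhaustive list of reads that return data rather than configuration.
READ_ONLY_VERBS = ("get", "list", "describe")
DATA_READS = ("s3:getobject", "secretsmanager:getsecretvalue", "ssm:getparameter")


def as_list(value):
    """IAM accepts a single string or object wherever it accepts a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return (statement index, action, reason) for each over-broad grant."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take access away
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows everything not listed"))
        for action in as_list(stmt.get("Action")):
            pattern = action.lower()  # IAM action names are case-insensitive
            _service, _, verb = pattern.partition(":")
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append((i, action, "not limited to read-only verbs"))
            elif any(fnmatch.fnmatchcase(a, pattern) for a in DATA_READS):
                findings.append((i, action, "returns data, not just configuration"))
    return findings


# The policy from this guide, plus a constructed variant that someone might
# end up with after "adding other services".
GUIDE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration"],
    "Resource": "*"}]})
WIDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "s3:Get*", "s3:PutBucketPolicy", "*"],
    "Resource": "*"}})

if __name__ == "__main__":
    for name, doc in (("guide", GUIDE_POLICY), ("widened", WIDENED_POLICY)):
        print(name, audit_policy(doc) or "read-only")
```

The `s3:Get*` finding is the one to watch: it looks read-only, but it would let the Agent pull object contents into the model's context.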
2 Building the "Hands" (AWS Lambda)
This Python function is the engine that actually talks to your AWS resources. It receives a command from the AI and returns the security status of your buckets. Just copy and paste it into your Lambda function.
```python
import json

import boto3
from botocore.exceptions import ClientError

s3 = boto3.client('s3')


def lambda_handler(event, context):
    # 'function' comes from the Bedrock Agent's request
    action = event.get('function')

    if action == 'check_s3_security':
        try:
            buckets = s3.list_buckets()['Buckets']
            report = []
            for b in buckets:
                name = b['Name']
                try:
                    # Check if encryption exists
                    s3.get_bucket_encryption(Bucket=name)
                    status = "✅ Encrypted"
                except ClientError as e:
                    code = e.response['Error']['Code']
                    if code == 'ServerSideEncryptionConfigurationNotFoundError':
                        status = "❌ NOT ENCRYPTED"
                    else:
                        # e.g. AccessDenied: do not report this as unencrypted
                        status = f"⚠️ UNKNOWN ({code})"
                report.append({"bucket": name, "status": status})
            text = json.dumps(report)
        except Exception as e:
            text = f"Error: {str(e)}"
    else:
        # Unknown tool name: answer explicitly instead of raising NameError
        text = f"Error: unsupported function {action!r}"

    # Bedrock expects this exact response format
    return {
        "messageVersion": "1.0",
        "response": {
            "actionGroup": event.get('actionGroup'),
            "function": action,
            "functionResponse": {
                "responseBody": {"TEXT": {"body": text}}
            }
        }
    }
```
3 Configuring the "Brain" (Amazon Bedrock)
The Agent uses a model (like Claude 3.5) to decide when to call your tools. Follow these exact steps in the Bedrock console:
A. Agent Instructions
B. Connecting the Lambda Permission
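Run this in your terminal so Bedrock has permission to trigger your Lambda. The `--source-arn` condition limits the grant to your own Agent rather than to any Bedrock agent; replace the placeholders with your Region, account ID and Agent ID:

```bash
aws lambda add-permission \
  --function-name DevOpsAuditTool \
  --statement-id AllowBedrock \
  --action "lambda:InvokeFunction" \
  --principal bedrock.amazonaws.com \
  --source-arn "arn:aws:bedrock:<region>:<account-id>:agent/<agent-id>"
```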
4 Common Hurdles (Crucial)
1. Access Denied (403)
Go to Model Access in Bedrock. You must explicitly "Request Access" to Claude or Nova models even if you are an Admin.
2. Agent Not Found
Don't forget to click the blue Prepare button every time you change your Lambda code or Agent instructions.
3. Supervisor Mode
Ensure "Multi-agent collaboration" is set to Disabled unless you have other agents added as collaborators.
What does it cost to run?
One of the biggest myths is that AI is expensive. For a personal or community project, running this Agent typically costs less than a cup of coffee per month. Here is the 2026 breakdown:
| Service | Estimated Price | Why so cheap? |
|---|---|---|
| Amazon Bedrock (Nova Lite) | ~$0.50 | Nova models are optimized for high-speed, low-cost reasoning. (You can also choose any other models like Claude 3.5 Sonnet for best experience. But make sure to check their pricing.) |
| Bedrock Agent Transitions | ~$0.04 | AWS charges a tiny fraction ($0.035) per 1,000 steps. |
| AWS Lambda | FREE | The first 1 million requests every month are covered by the Free Tier. |
| Total Monthly Bill | ~$0.54 | "The price of one Vada Pav." |
FinOps Tip for the Community
While testing, stick to Amazon Nova Lite or Micro. If you switch the "Brain" to Claude 3.5 Sonnet, your costs will rise to roughly $2-$5 per month because the model is more advanced and requires more compute power.