Skip to main content

Overview

This guide covers configuring a Bedrock Agent in AWS, adding an Amazon Bedrock AI Provider in Elementum, connecting the agent in App Intelligence, and using it in automations. Bedrock Agents are configured per App; each App uses agents through a Bedrock AI Provider defined at the organization level. You will:
  • Add an Amazon Bedrock AI Provider in Organization Settings
  • Create a Bedrock Agent and agent alias in AWS
  • Connect the agent via App Intelligence using the Agent Alias ARN
  • Use the agent in automations and optional testing in Intelligence
Time required: About 20–30 minutes, depending on your existing AWS setup

Prerequisites

Before beginning, ensure you have the following in place.

Elementum Requirements

  • App access: Access to the App where you want to use Bedrock Agents
  • Organization permissions: Ability to add or edit AI Providers in Organization Settings

AWS Requirements

Your AWS environment must have:
  • AWS Account: Active AWS account with Bedrock access
  • Region: Bedrock available in your target region (e.g., us-east-1, us-east-2, us-west-2)
  • Bedrock Access: Amazon Bedrock service enabled for your account
  • Foundation Model Access: Access granted to at least one foundation model (Claude, Titan, etc.)
  • IAM Permissions: Ability to create IAM users and policies
Model access: You need access to the foundation models your agent will use. In the Amazon Bedrock console, confirm model access for your account and region; approval timing depends on AWS.

IAM Credentials

You’ll need AWS credentials that can invoke Bedrock Agents:
  • Access Key ID: AWS access key for programmatic access
  • Secret Access Key: Corresponding secret key
  • IAM Policy: Permission to invoke Bedrock agents (bedrock:InvokeAgent)

Step 1: Configure AWS Bedrock Agent

Before connecting to Elementum, you need a Bedrock Agent configured in AWS.

Create a Bedrock Agent in AWS

1

Access Amazon Bedrock

  1. Sign in to the AWS Management Console
  2. Navigate to Amazon Bedrock service
  3. Select Agents from the left navigation
2

Create New Agent

Click Create agent and configure:
  • Agent name: Provide a descriptive name (e.g., “Customer Support Agent”)
  • Description: Describe the agent’s purpose
  • Agent resource role: Create a new role or select an existing one with Bedrock permissions
3

Configure Agent Instructions

Provide clear instructions that define the agent’s behavior:
You are a helpful customer support assistant. You help users with 
their questions about orders, returns, and product information.
Always be polite and professional.
Clear, specific instructions lead to better agent performance. Include examples of expected behavior and any constraints.
4

Select Foundation Model

Choose the foundation model to power your agent
Model availability depends on your region and account access. Request model access in the Bedrock console if needed.
5

Configure Optional Features

Optionally enhance your agent with:Knowledge Bases:
  • Attach Amazon Bedrock knowledge bases using supported data sources (for example, Amazon S3)
  • The agent can retrieve and cite that content when answering
Action Groups:
  • Define custom actions via Lambda functions
  • Enable the agent to perform specific tasks
Guardrails:
  • Implement content filtering
  • Define topic restrictions
6

Save and Prepare

Click Create to save the agent configuration.The agent will be created in Draft status.

Create an agent alias

Elementum invokes agents with an Agent Alias ARN, not the base agent ARN.
  1. In the Bedrock console, open the agent and open the Aliases tab.
  2. Click Create alias. Set an alias name and description, and choose Create a new version and associate it to this alias so the alias points at a prepared version.
  3. After creation, copy the Agent Alias ARN. Format: arn:aws:bedrock:{region}:{account-id}:agent-alias/{agent-id}/{alias-id}
Example: 
arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF/GHIJ5678KL

Test Agent in AWS Console

Before connecting to Elementum, verify your agent works correctly:
  1. In the Bedrock console, open your agent
  2. Use the Test panel on the right side
  3. Send test messages to verify behavior
  4. Confirm responses match your expectations

Step 2: Create IAM Credentials

Create IAM credentials that Elementum will use to invoke your Bedrock Agent.

Create IAM User

1

Navigate to IAM

In the AWS Console, go to IAMUsersCreate user
2

Configure User

  • User name: Choose a descriptive name (e.g., “elementum-bedrock-invoker”)
  • Do not enable console access (programmatic access only)
3

Attach Permissions

Create and attach a policy with minimal required permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "bedrock:InvokeAgent",
      "Resource": "*"
    }
  ]
}
Least Privilege: For production, restrict the Resource to specific agent ARNs:
"Resource": "arn:aws:bedrock:us-east-2:123456789012:agent-alias/*"
4

Create Access Keys

After creating the user:
  1. Open the user details
  2. Go to Security credentials tab
  3. Click Create access key
  4. Choose a use case that matches programmatic access from outside AWS (for example, application running outside AWS), then complete the prompts
  5. Copy and securely store the Access Key ID and Secret Access Key
Store Credentials Securely: The secret access key is only shown once. Store it in a secure password manager until you configure it in Elementum.

Required IAM Permissions Summary

PermissionDescription
bedrock:InvokeAgentRequired to invoke the agent and receive responses
If your agent uses knowledge bases or action groups, the agent’s own IAM role (not the invoker role) needs additional permissions for those resources.

Step 3: Create Bedrock AI Provider in Elementum

Configure Elementum to call AWS with the credentials from Step 2.

Add the provider

  1. Go to Organization Settings and open the Providers tab (same place you configure other AI Providers).
  2. Click + Provider and select Amazon Bedrock.
  3. Enter a Provider name, the Region where the agent is deployed (for example us-east-2), Access Key ID, and Secret Access Key.
  4. Use Test Connection to confirm the credentials, then Save.
The provider is then available when you connect agents in App Intelligence. Tips
  • The provider Region must match the region in your Agent Alias ARN and where the agent runs.
  • Use separate providers for different AWS accounts or regions if needed.

Step 4: Connect Agent in App Intelligence

With the provider configured, connect your Bedrock Agent to an App.

Open App Intelligence

  1. Open the App where you want to use Bedrock Agents.
  2. In the App menu, click Intelligence.

Connect the Bedrock agent

1

Add Agent

On the Intelligence page, click + Connect (or the control your workspace uses to connect a managed agent).
2

Select Bedrock

Choose Bedrock as the agent source.
3

Select Provider

Choose your Amazon Bedrock AI Provider. Only providers with working credentials appear.
4

Enter Agent Alias ARN

Paste the Agent Alias ARN from Create an agent alias. Do not use the base agent ARN.
5

Configure Agent Settings

Agent Name: Optionally customize the display name in ElementumDescription: Add notes about how this agent will be used in your App
6

Save Configuration

Click Save to connect the external agentThe agent will now appear in your App’s Intelligence configuration

Step 5: Test the Integration

Verify the agent connection works correctly.

Test in Elementum

1

Open Agent

In App Intelligence, click on the connected Bedrock agent
2

Start Chat

Click Chat to open the interactive testing panel
3

Send Test Messages

Send messages to confirm:
  • The agent responds successfully
  • Responses are appropriate and match expectations
  • Latency is acceptable for your use case
4

Verify Behavior

Test various scenarios relevant to your use case:
  • Standard queries
  • Edge cases
  • Knowledge base retrieval (if configured)
  • Action group execution (if configured)

Expected Behavior

TestExpected Result
Simple greetingAgent responds appropriately
Domain-specific questionAgent uses knowledge base (if configured)
Action requestAgent executes action group (if configured)
Out-of-scope questionAgent handles gracefully per instructions

Step 6: Integrate with Automations

Use your Bedrock Agent in App automations for production workflows.

Using Agents in Automation Actions

In the automation builder, the action type is Run Agent Task. For full field-level detail, see Run Agent Task in the automation actions reference.
1

Navigate to Automation

In your App, open the automation where you want to use the agent.
2

Add Run Agent Task

Add a new action or edit an existing one, then choose Run Agent Task.
3

Select Bedrock Agent

Under AI Agent (or equivalent), choose the external Bedrock Agent you connected in Intelligence.It may appear as External or Managed, depending on your workspace.
4

Configure the task and outputs

Task definition: Describe what the agent should do and how success is judged. Use value references for record fields, prior action outputs, or static text where supported.Output type: Choose Text or Structured. For structured output, define fields so later automation steps can map results to records or variables.Configure any error or follow-up behavior your automation requires after the task completes.
5

Set Execution Options

Timeout: Set a maximum execution time that fits your agent and knowledge sources (the editor may suggest a default)Retry Policy: Configure retry behavior for transient failuresError Handling: Define failure behavior
  • Continue with default values
  • Halt automation and alert
  • Escalate to human review

Example automation (conceptual)

The following illustrates how steps might flow; exact builder labels can vary by release. 
Workflow: Customer Inquiry Processing
Trigger: New inquiry record created
Automations:
  1. Gather Context:
     - Collect customer information
     - Retrieve previous interactions
  
  2. Run Agent Task – Analysis:
     Type: Run Agent Task
     Agent: Customer Support Agent (Bedrock / Managed)
     Inputs:
       - customer_inquiry: {record.description}
       - customer_history: {customer.interaction_history}
     Outputs:
       - response: record.suggested_response
       - category: record.inquiry_category
       - sentiment: record.customer_sentiment
  
  3. Route Based on Category:
     - High priority → Immediate escalation
     - Standard → Queue for review
     - FAQ → Auto-respond with suggestion

Understanding the Architecture

How Bedrock Agent Invocation Works

When Elementum invokes a Bedrock Agent:

AWS Bedrock APIs Used

Elementum invokes Bedrock Agents using the InvokeAgent operation on Amazon Bedrock’s agent runtime API (not the generic model InvokeModel API). InvokeAgent Sends a prompt to the agent and returns the agent’s response (including optional tool and knowledge-base steps on the AWS side). Key Parameters:
  • agentAliasId: The alias ID of the agent
  • agentId: The unique identifier of the agent
  • sessionId: Session identifier for conversation continuity
  • inputText: The message to send to the agent
Documentation: Amazon Bedrock InvokeAgent API

Security Model

AspectImplementation
AuthenticationIAM Access Key/Secret Key via Bedrock AI Provider
AuthorizationIAM policies control which agents can be invoked
Data in TransitTLS encryption for all API calls
AuditAWS CloudTrail logs all Bedrock API calls
IsolationApp-level configuration with provider-based access

Monitoring and Maintenance

Monitoring Agent Performance

In Elementum
  • Use automation history and related logs to review invocations, response times, success and failure rates, and error messages.
In AWS
  • Use CloudWatch and Cost Explorer (as applicable) for Bedrock API volume, latency, errors, and token or usage-related metrics.

Maintenance Tasks

Weekly:
  • Review automation logs for agent errors
  • Monitor response times and latency
  • Check for timeout patterns
Monthly:
  • Review agent usage and costs
  • Audit IAM permissions
  • Test agent behavior after any updates
Quarterly:
  • Rotate IAM access keys
  • Review and optimize agent instructions
  • Evaluate new foundation models

Troubleshooting

Common Issues

Error: “Access Denied” or “Not authorized to perform bedrock:InvokeAgent”Possible Causes:
  • IAM user missing bedrock:InvokeAgent permission
  • Policy not attached to user
  • Resource restrictions in policy don’t match agent ARN
Solutions:
  1. Verify IAM policy includes bedrock:InvokeAgent and is attached to the IAM user whose keys are on the Bedrock AI Provider
  2. Ensure the policy Resource matches your agent alias ARNs or uses a permitted pattern (see Step 2: Create IAM credentials)
  3. Confirm the access keys in Elementum belong to that user
Error: “Invalid ARN format” or “Resource not found”Possible Causes:
  • Using agent ARN instead of agent alias ARN
  • Typo in the ARN
  • Wrong region in ARN
Solutions:
  1. Ensure you’re using the Agent Alias ARN, not the base Agent ARN
  2. Verify the format: arn:aws:bedrock:{region}:{account}:agent-alias/{agent-id}/{alias-id}
  3. Copy the ARN directly from the AWS console
  4. Check region matches your provider configuration
Correct Format:
arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF/GHIJ5678KL
Incorrect (base agent ARN):
arn:aws:bedrock:us-east-2:123456789012:agent/ABCD1234EF
Error: “Could not connect to endpoint” or timeout errorsPossible Causes:
  • Provider configured for different region than agent
  • Agent not available in specified region
Solutions:
  1. Verify the region in your Bedrock AI Provider matches where the agent is deployed
  2. Check the region in the Agent Alias ARN
  3. Confirm Bedrock is available in your target region
  4. Update provider configuration if needed
Error: “Agent execution timed out”Possible Causes:
  • Timeout set too low for agent complexity
  • Agent accessing slow knowledge bases
  • Large response generation
  • Network latency
Solutions:
  1. Increase timeout in automation configuration
  2. Optimize agent instructions for faster responses
  3. Review knowledge base configuration for performance
  4. Consider breaking complex tasks into multiple calls
Error: “Alias has no associated version” or unexpected behaviorPossible Causes:
  • Alias created without linking to a version
  • Agent in draft state without prepared version
Solutions:
  1. In Bedrock console, verify the alias has an associated version
  2. Create a new alias and select “Create a new version and associate it”
  3. Ensure the agent is not in draft state

Debugging Tips

  1. Test in AWS First: Always verify agent works in the Bedrock console before troubleshooting Elementum integration
  2. Check CloudTrail: Review AWS CloudTrail logs for detailed API call information
  3. Verify Credentials: Test IAM credentials independently using AWS CLI
  4. Review Provider Status: Check the Bedrock AI Provider status in Elementum

Best Practices

  • Apply least privilege; scope bedrock:InvokeAgent to specific agent alias ARNs when practical.
  • Rotate access keys on a schedule your organization defines (for example, every 90 days).
  • Use different IAM users or keys per environment (development vs production).
  • Use Bedrock Guardrails and clear instruction scope where appropriate.
  • Review agent behavior and access periodically.
Clear, concise agent instructions usually produce faster, more predictable responses. Prefer explicit scope, examples, and constraints over long generic prompts.
Pick a foundation model that balances latency, cost, and quality for your task. Available models depend on your AWS region and account.
Track response times in automations and in AWS where you have metrics. Set automation timeouts high enough for knowledge-base retrieval and tool use, without masking real failures.
Where the same or similar agent inputs occur often, consider caching or deduplicating at the automation level so you do not pay latency and usage for identical work.
Use AWS Cost Explorer (and related billing views) to monitor token-related usage and Bedrock charges tied to your agents.
Prefer smaller or faster models for straightforward classification or short replies when quality requirements allow; reserve larger models for harder reasoning.
For automations that invoke agents at high volume, add throttling or batching so you stay within quotas and avoid unnecessary parallel cost spikes.
Review knowledge base size, refresh cadence, and retrieval settings so you are not indexing or retrieving more content than the agent needs.

Example Use Cases

Scenario: Automatically triage and respond to IT support tickets.Implementation:
  1. Create a Bedrock Agent with an IT knowledge base (documentation, FAQs).
  2. Configure action groups for ticket operations.
  3. Connect the agent in the IT Support App Intelligence.
  4. Set up automation: New ticket → Agent analysis → Auto-categorize and suggest resolution.
Outcomes:
  • Faster first response times
  • Consistent ticket categorization
  • Reduced L1 support workload
Scenario: Generate personalized customer communications.Implementation:
  1. Create a Bedrock Agent with communication templates and brand guidelines.
  2. Configure guardrails for appropriate content.
  3. Connect the agent in the CRM App.
  4. Automation: Communication request → Agent drafts message → Human review → Send.
Outcomes:
  • Consistent brand voice
  • Personalized content at scale
  • Faster communication turnaround

Next Steps

Agent Orchestration Center

View and manage all agents across your organization

Agent Architecture

Understand the technical architecture of Native and Managed agents

Automation System

Learn how to build automations with agents

AWS Bedrock Docs

Reference AWS’s official Bedrock Agents documentation