Connect your AWS Bedrock environment to Capsule Security for complete visibility into your AI agents, flows, knowledge bases, guardrails, and runtime activity.
This integration uses an IAM role to sync your Bedrock resources and capture runtime telemetry:
| Category | What Gets Captured |
|---|---|
| Agents | Bedrock Agents and AgentCore agents with configuration and metadata |
| Action Groups | Lambda functions and OpenAPI schemas attached to agents |
| Knowledge Bases | Vector stores, data sources, and chunking configurations |
| Guardrails | Content filters, denied topics, and PII handling policies |
| Flows | Prompt flows with node configurations and connections |
| Runtime Activity | Agent invocations, traces, tool calls, and session history |
Before you begin, ensure you have:
- An AWS account with Bedrock Agents or AgentCore deployed
- IAM permissions to deploy CloudFormation stacks (or AdministratorAccess)
- CloudTrail enabled in your account (for runtime activity capture)
- Access to the Capsule Security portal
Deploy the Capsule IAM role using the provided CloudFormation template.
- Log in to the Capsule Security portal
- Click Integrations in the left sidebar
- Find the AWS Bedrock card and click Set up Integration
- Click Open CloudFormation

- You'll be redirected to the AWS CloudFormation console
- Review the stack details:
  - Stack name: CapsuleSecurityBedrockIntegration (or customize)
  - Capabilities: Acknowledge IAM resource creation
- Click Create stack
| Resource | Purpose |
|---|---|
| IAM Role | Cross-account role assumed by Capsule for read-only access |
| IAM Policy | Permissions scoped to Bedrock, CloudTrail, and CloudWatch |
| Trust Policy | Restricts assumption to Capsule's AWS account with external ID |
Once the stack completes, retrieve the IAM role ARN from the Outputs tab.
- Wait for the stack status to show CREATE_COMPLETE
- Click the Outputs tab
- Copy the value for RoleArn

Provide the Role ARN to Capsule to establish the connection.
- Return to the Capsule Security portal
- Paste the Role ARN into the input field
- Click Save
- Capsule validates the role and its ability to communicate with your AWS account
- First sync may take several minutes
- View synced agents in Inventory → Agents
- View runtime activity in Observability
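A local check to run on the role the stack created before handing the ARN to Capsule (added example, not Capsule's validator or the template's own code): it confirms the trust policy restricts assumption to the expected account with an sts:ExternalId condition, and that the permission policy grants only read-style actions. The account ID, external ID and both policy documents below are constructed placeholders; in practice fetch the real ones with boto3's iam.get_role and iam.get_role_policy calls.

```python
import json

CAPSULE_ACCOUNT_ID = "111111111111"              # placeholder, not Capsule's real account
EXPECTED_EXTERNAL_ID = "capsule-example-ext-id"  # placeholder external ID
# Action verbs treated as read-only; any other Allow action is reported.
READ_ONLY_VERBS = ("Get", "List", "Describe", "LookupEvents", "FilterLogEvents")

# Constructed sample documents in the shape IAM returns for AssumeRolePolicyDocument
# and for the role's permission policy (fetch the real ones with boto3 iam calls).
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "capsule-example-ext-id"}}}]}""")
PERMISSION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Resource": "*",
  "Action": ["bedrock:ListAgents", "bedrock:GetAgent", "bedrock:ListGuardrails",
             "cloudtrail:LookupEvents", "logs:FilterLogEvents"]}]}""")


def _as_list(value):
    """IAM accepts a string or a list for Principal/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(doc, account_id, external_id):
    """Problems with who may assume the role; an empty list means it is as expected."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not aws or any(p == "*" or f"::{account_id}:" not in p for p in aws):
            findings.append("principal is not restricted to the expected account")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or mismatched")
    return findings


def non_read_only_actions(doc):
    """Allow actions that could change state (not Get/List/Describe/Lookup/Filter)."""
    bad = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[-1]
            if verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                bad.append(action)
    return bad
```

Any finding from either function means the deployed role differs from what the Resource table above describes and is worth investigating before pasting the ARN.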
| Entity Type | Category | Description |
|---|---|---|
| Agents | Model Agent | Agent configuration, foundation model, instructions |
| Agent Aliases | Version | Deployed versions and routing configuration |
| Action Groups | Tool | Lambda functions and API schemas |
| Knowledge Bases | Data Source | Vector stores with embedding models and data sources |
| Guardrails | Guardrail | Content filters, word blocklists, PII policies |
| Flows | Flow | Prompt flow definitions with node graphs |
| Prompts | Prompt | Managed prompts with versions |
| Entity Type | Category | Description |
|---|---|---|
| AgentCore Runtimes | Model Agent | Agent runtime configurations |
| Tools | Tool | Registered tools and function definitions |
| Memory | Memory | Session and long-term memory configurations |
| Identity | Identity | Workload identity configurations |
When CloudTrail and model invocation logging are enabled:
- Agent invocations — Input prompts and final responses
- Tool invocations — Action group calls with inputs and outputs
- Session history — Multi-turn conversation threads
For full runtime visibility, ensure model invocation logging is enabled.
- Open the Amazon Bedrock console
- Navigate to Settings → Model invocation logging
- Enable logging and configure your destination (S3 or CloudWatch)
- For AgentCore, ensure OpenTelemetry export is configured
To update the CloudFormation stack, follow these steps:
- Head over to CloudFormation / Stacks in your AWS account
- Select our integration stack (named CapsuleSecurityBedrockIntegration by default)
- Click Update stack → Create a change set
- Select Standard change set → Replace existing template
- Provide the CloudFormation template URL (default: https://capsule-security-us-east-1-public-demo.s3.us-east-1.amazonaws.com/cf-capsule-security-bedrock-integration.yaml)
- Click Next through the remaining pages, review the terms and agree to them
- This creates a change set; review the changes and click Execute change set
If the CloudFormation stack fails to create:
- Check the Events tab for specific error messages
- Verify you have permissions to create IAM roles
- Ensure the stack name doesn't already exist
If Capsule cannot validate the role:
- Confirm the stack status is CREATE_COMPLETE
- Verify you copied the full ARN from the Outputs tab
- Check that the role or its permissions haven't been modified or deleted
If no agents appear in Inventory:
- Verify Bedrock agents exist in the connected AWS account
- Check that the agent regions match your Capsule environment
- Allow several minutes for the initial sync to complete
If no runtime activity appears in Observability:
- Confirm CloudTrail is enabled in your account
- Verify model invocation logging is enabled in Bedrock settings
- Check that agents have been invoked since the integration was connected
The integration supports all AWS regions where Bedrock is available. Each Capsule environment syncs from a specific AWS region based on your deployment.
For help with this integration, contact support.
For AWS Bedrock issues: