# AWS Bedrock Integration

Connect your AWS Bedrock environment to Capsule Security for complete visibility into your AI agents, flows, knowledge bases, guardrails, and runtime activity.

## Overview

This integration uses a cross-account IAM role to sync your Bedrock resources and capture runtime telemetry:

| Category | What Gets Captured |
| --- | --- |
| **Agents** | Bedrock Agents and AgentCore agents with configuration and metadata |
| **Action Groups** | Lambda functions and OpenAPI schemas attached to agents |
| **Knowledge Bases** | Vector stores, data sources, and chunking configurations |
| **Guardrails** | Content filters, denied topics, and PII handling policies |
| **Flows** | Prompt flows with node configurations and connections |
| **Runtime Activity** | Agent invocations, traces, tool calls, and session history |

## Prerequisites

Before you begin, ensure you have:

- An **AWS account** with Bedrock Agents or AgentCore deployed
- **IAM permissions** to deploy CloudFormation stacks that create IAM roles and policies (`AdministratorAccess` works, but is broader than the integration needs)
- **CloudTrail** enabled in your account (for runtime activity capture)
- Access to the **Capsule Security** portal

## Step 1: Launch the CloudFormation Stack

Deploy the Capsule IAM role using the provided CloudFormation template.

### Steps

1. Log in to the **Capsule Security** portal
2. Click **Integrations** in the left sidebar
3. Find the **AWS Bedrock** card and click **Set up Integration**
4. Click **Open CloudFormation**
5. You'll be redirected to the AWS CloudFormation console
6. Review the stack details:
   - **Stack name**: `CapsuleSecurityBedrockIntegration` (or customize)
   - **Capabilities**: Acknowledge IAM resource creation
7. Click **Create stack**

### What gets deployed

| Resource | Purpose |
| --- | --- |
| IAM Role | Cross-account role assumed by Capsule for read-only access |
| IAM Policy | Permissions scoped to Bedrock, CloudTrail, and CloudWatch |
| Trust Policy | Restricts assumption to Capsule's AWS account, conditioned on an external ID |

The external ID condition in the trust policy is what prevents anyone who learns the role ARN from getting Capsule to assume the role on their behalf (the confused-deputy problem). Keep the trust policy as deployed: do not widen the principal to `*` or remove the `sts:ExternalId` condition.

## Step 2: Copy the Role ARN

Once the stack completes, retrieve the IAM role ARN from the **Outputs** tab.

### Steps

1. Wait for the stack status to show **CREATE_COMPLETE**
2. Click the **Outputs** tab
3. Copy the value for **RoleArn**

## Step 3: Complete the Integration in Capsule

Provide the Role ARN to Capsule to establish the connection.

### Steps

1. Return to the **Capsule Security** portal
2. Paste the **Role ARN** into the input field
3. Click **Save**
4. Capsule validates the role and its ability to communicate with your AWS account

### After setup

- The first sync may take several minutes
- View synced agents in **Inventory → Agents**
- View runtime activity in **Observability**

## What Gets Captured

### Bedrock Agents

| Entity Type | Category | Description |
| --- | --- | --- |
| **Agents** | Model Agent | Agent configuration, foundation model, instructions |
| **Agent Aliases** | Version | Deployed versions and routing configuration |
| **Action Groups** | Tool | Lambda functions and API schemas |
| **Knowledge Bases** | Data Source | Vector stores with embedding models and data sources |
| **Guardrails** | Guardrail | Content filters, word blocklists, PII policies |
| **Flows** | Flow | Prompt flow definitions with node graphs |
| **Prompts** | Prompt | Managed prompts with versions |

### Bedrock AgentCore

| Entity Type | Category | Description |
| --- | --- | --- |
| **AgentCore Runtimes** | Model Agent | Agent runtime configurations |
| **Tools** | Tool | Registered tools and function definitions |
| **Memory** | Memory | Session and long-term memory configurations |
| **Identity** | Identity | Workload identity configurations |

### Runtime Activity

When CloudTrail and model invocation logging are enabled, Capsule also captures:

- **Agent invocations**: input prompts and final responses
- **Tool invocations**: action group calls with inputs and outputs
- **Session history**: multi-turn conversation threads

## Enabling Runtime Observability

For full runtime visibility, ensure model invocation logging is enabled.

### Steps

1. Open the **Amazon Bedrock** console
2. Navigate to **Settings → Model invocation logging**
3. Enable logging and configure your destination (S3 or CloudWatch)
4. For AgentCore, ensure OpenTelemetry export is configured

## Updating the CloudFormation Stack

To update the CloudFormation stack, follow these steps:

1. Go to **CloudFormation / Stacks** in your AWS account
2. Select the integration stack (named `CapsuleSecurityBedrockIntegration` by default)
3. Click **Update stack → Create a change set**
4. Select **Standard change set → Replace existing template**
5. Provide the CloudFormation template URL (default: `https://capsule-security-us-east-1-public-demo.s3.us-east-1.amazonaws.com/cf-capsule-security-bedrock-integration.yaml`)
6. Click **Next** on the remaining pages, then review the terms and accept them
7. This creates a change set. Review the changes, then click **Execute change set**

## Troubleshooting

### Stack creation failed

- Check the **Events** tab for specific error messages
- Verify you have permissions to create IAM roles
- Ensure a stack with the same name doesn't already exist

### Role validation failed in Capsule

- Confirm the stack status is **CREATE_COMPLETE**
- Verify you copied the full ARN from the **Outputs** tab
- Check that the role, its trust policy, and its permissions policy have not been modified or deleted

### No agents appearing

- Verify Bedrock agents exist in the connected AWS account
- Confirm the agents are deployed in the region your Capsule environment syncs from
- Allow several minutes for the initial sync to complete

### No runtime activity appearing

- Confirm CloudTrail is enabled in your account
- Verify model invocation logging is enabled in Bedrock settings
- Check that agents have been invoked since the integration was connected

## Supported Regions

The integration supports all AWS regions where Bedrock is available. Each Capsule environment syncs from a specific AWS region based on your deployment.

## Support

For help with this integration, contact support.

For AWS Bedrock issues:

- [Amazon Bedrock Documentation](https://docs.aws.amazon.com/bedrock/)
- [Bedrock Agents User Guide](https://docs.aws.amazon.com/bedrock/latest/userguide/agents.html)
- [AWS Support](https://aws.amazon.com/support/)
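Before pasting the Role ARN into the portal (Step 3), and again whenever "Role validation failed" shows up in Troubleshooting, it is worth confirming that the role the stack created still has the shape described under "What gets deployed": a single trusted account, an external ID condition, and read-only permissions scoped to Bedrock, CloudTrail, and CloudWatch. The following is an added example, not Capsule's own code or template. It parses a role ARN and audits a trust policy and a permissions policy of the kind `aws iam get-role` and `aws iam get-role-policy` return. The Capsule account ID, the external ID, the role name, and the policy documents are constructed placeholders, and the set of allowed IAM service prefixes is an assumption derived from the page's description.

```python
"""Offline audit of the cross-account role the CloudFormation stack deploys.
Added example, not Capsule's or AWS's own code. The policy documents at the
bottom are constructed samples; the Capsule account ID, the external ID and
the allowed service prefixes are placeholders/assumptions."""
import re

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")

# Verbs AWS classifies under the List/Read access levels. Anything else
# (Create*, Update*, Delete*, Put*, Invoke*, "*") is flagged for review.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Lookup", "Filter", "Retrieve")

# Assumption: the IAM prefixes behind "Bedrock, CloudTrail, and CloudWatch".
ALLOWED_SERVICES = {"bedrock", "bedrock-agentcore", "cloudtrail", "logs", "cloudwatch"}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def parse_role_arn(arn):
    """Return (account_id, role_name), or raise if the ARN is truncated/malformed."""
    match = ROLE_ARN_RE.match(arn.strip())
    if not match:
        raise ValueError(f"not a full IAM role ARN: {arn!r}")
    return match.group(1), match.group(2)


def audit_trust_policy(doc, partner_account, external_id):
    """Findings for the AssumeRolePolicyDocument; an empty list is a pass.

    Only the partner (Capsule) account may assume the role, and only when it
    presents the agreed sts:ExternalId. Without that condition, anyone who
    learns the role ARN can ask the partner to assume it on their behalf.
    """
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*")
                   for a in _as_list(stmt.get("Action", []))):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):  # "Principal": "*"
            principal = {"AWS": principal}
        for key in principal:
            if key != "AWS":
                findings.append(f"unexpected {key} principal in trust policy")
        for p in _as_list(principal.get("AWS", [])):
            if p != partner_account and not p.startswith(f"arn:aws:iam::{partner_account}:"):
                findings.append(f"principal {p!r} is not the Capsule account")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append("AssumeRole statement has no sts:ExternalId condition")
        elif ext != external_id:
            findings.append(f"external ID {ext!r} differs from the one shown in the portal")
    return findings


def audit_permissions_policy(doc, allowed_services=ALLOWED_SERVICES):
    """Flag Allow statements that reach outside the read-only, in-scope set."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if service not in allowed_services:
                findings.append(f"{action}: service outside the integration's scope")
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{action}: not a read-only action")
    return findings


# Constructed samples. Fetch the real documents with
#   aws iam get-role --role-name <name> --query Role.AssumeRolePolicyDocument
#   aws iam list-role-policies --role-name <name>
#   aws iam get-role-policy --role-name <name> --policy-name <policy>
CAPSULE_ACCOUNT = "111122223333"     # placeholder, not Capsule's real account ID
EXTERNAL_ID = "example-external-id"  # placeholder; the portal shows the real one
GOOD_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{CAPSULE_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}]}
GOOD_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "bedrock:ListAgents", "bedrock:GetAgent", "bedrock:GetGuardrail",
        "cloudtrail:LookupEvents", "logs:FilterLogEvents"]}]}
DRIFTED_PERMS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*", "Action": [
        "bedrock:ListAgents", "bedrock:UpdateAgent", "s3:GetObject"]}]}


def audit_role(arn, trust_doc, perms_doc, partner_account=CAPSULE_ACCOUNT,
               external_id=EXTERNAL_ID):
    """Everything a reviewer checks before pasting the ARN into the portal."""
    parse_role_arn(arn)  # raises on a partial copy from the Outputs tab
    return (audit_trust_policy(trust_doc, partner_account, external_id)
            + audit_permissions_policy(perms_doc))


if __name__ == "__main__":
    arn = "arn:aws:iam::444455556666:role/CapsuleSecurityBedrockIntegration-Role"
    print("deployed:", audit_role(arn, GOOD_TRUST, GOOD_PERMS) or "OK")
    print("drifted: ", audit_role(arn, WEAK_TRUST, DRIFTED_PERMS))
```

If the trust policy audit returns findings on a live role, do not patch the policy by hand in the console; re-run the stack update from "Updating the CloudFormation Stack" so the role matches the template again. Actions that fall outside `READ_ONLY_VERBS` are only flagged for review; a future template may legitimately add one, but it should be explained by the template, not by someone editing the policy.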
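For the "No runtime activity appearing" case, the quickest way to tell which troubleshooting bullet applies is to look at the CloudTrail records for the account directly. The following is an added example, not Capsule's code: it scans a CloudTrail log file for Bedrock calls made since the integration was connected and separates successful invocations, denied calls (which never produce a trace), and control-plane changes to agents or guardrails that would leave the Capsule inventory stale. The log records are constructed in the standard CloudTrail record shape (`eventTime`, `eventSource`, `eventName`, `userIdentity`, `requestParameters`, `errorCode`); which keys Bedrock places inside `requestParameters` is an assumption, not taken from the page.

```python
"""Triage Bedrock activity in a CloudTrail log file before opening a ticket
about missing runtime activity. Added example, not Capsule's code. The
records at the bottom are constructed; the requestParameters keys (agentId,
guardrailIdentifier, modelId) are assumptions about what Bedrock logs."""
import json
from collections import Counter
from datetime import datetime, timezone

BEDROCK_SOURCE = "bedrock.amazonaws.com"
INVOCATIONS = {"InvokeAgent", "InvokeModel", "InvokeModelWithResponseStream",
               "InvokeFlow", "Retrieve", "RetrieveAndGenerate"}
# Control-plane verbs that change what the integration has in its inventory.
MUTATING = ("Create", "Update", "Delete", "Put", "Prepare", "Associate", "Disassociate")


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(records, connected_at):
    """Summarise Bedrock events at or after connected_at (ISO 8601 Z string)."""
    since = parse_time(connected_at)
    summary = {"invocations": Counter(), "agents": set(), "denied": [],
               "mutations": [], "before_connect": 0}
    for rec in records:
        if rec.get("eventSource") != BEDROCK_SOURCE:
            continue
        if parse_time(rec["eventTime"]) < since:
            summary["before_connect"] += 1
            continue
        name = rec["eventName"]
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        if rec.get("errorCode"):
            # A denied call never reaches the model, so no trace is produced.
            summary["denied"].append((rec["eventTime"], actor, name, rec["errorCode"]))
        elif name in INVOCATIONS:
            summary["invocations"][name] += 1
            if "agentId" in params:
                summary["agents"].add(params["agentId"])
        elif name.startswith(MUTATING):
            target = params.get("agentId") or params.get("guardrailIdentifier") or ""
            summary["mutations"].append((rec["eventTime"], actor, name, target))
    return summary


def verdict(summary):
    """One line mapping the summary onto the page's troubleshooting bullets."""
    if summary["denied"]:
        return f"{len(summary['denied'])} Bedrock call(s) failed with {summary['denied'][0][3]}"
    if not summary["invocations"]:
        if summary["before_connect"]:
            return "agents were only invoked before the integration was connected"
        return "no Bedrock invocations found; invoke an agent and re-check"
    total = sum(summary["invocations"].values())
    return f"{total} invocation(s) across {len(summary['agents'])} agent(s)"


# Constructed sample log: one pre-connect call, two agent invocations, one
# denied model call, one guardrail change, and one unrelated S3 event.
APP_ROLE = "arn:aws:iam::444455556666:role/app"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": BEDROCK_SOURCE, "eventName": "InvokeAgent",
     "userIdentity": {"arn": APP_ROLE}, "requestParameters": {"agentId": "AGENT123456"}},
    {"eventTime": "2024-05-01T09:15:00Z", "eventSource": BEDROCK_SOURCE, "eventName": "InvokeAgent",
     "userIdentity": {"arn": APP_ROLE}, "requestParameters": {"agentId": "AGENT123456"}},
    {"eventTime": "2024-05-01T09:20:00Z", "eventSource": BEDROCK_SOURCE, "eventName": "InvokeAgent",
     "userIdentity": {"arn": APP_ROLE}, "requestParameters": {"agentId": "AGENT123456"}},
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": BEDROCK_SOURCE, "eventName": "InvokeModel",
     "userIdentity": {"arn": APP_ROLE}, "errorCode": "AccessDenied",
     "requestParameters": {"modelId": "anthropic.claude-3-haiku-20240307-v1:0"}},
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": BEDROCK_SOURCE, "eventName": "UpdateGuardrail",
     "userIdentity": {"arn": "arn:aws:iam::444455556666:user/admin"},
     "requestParameters": {"guardrailIdentifier": "gr-example"}},
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": APP_ROLE}, "requestParameters": {"bucketName": "example"}},
]})


def run(connected_at="2024-05-01T09:00:00Z", log_text=SAMPLE_LOG):
    """Entry point; pass the contents of a real CloudTrail file as log_text."""
    return triage(json.loads(log_text)["Records"], connected_at)


if __name__ == "__main__":
    result = run()
    print(verdict(result))
    for change in result["mutations"]:
        print("inventory-affecting change:", change)
```

Denied calls are reported ahead of everything else because they explain both an empty Observability view and, often, a missing trace for a specific agent; the `AccessDenied` error code is part of the constructed sample. Control-plane changes are listed so that a guardrail or agent edited after the last sync is noticed rather than silently drifting from what Capsule shows in its inventory.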