Skip to main content

Overview

This guide walks you through the complete process of integrating AWS Bedrock Agents into your Elementum Apps. By connecting Bedrock Agents, you enable AI-powered automation that leverages Amazon’s foundation models, knowledge bases, and action groups while integrating seamlessly with your AWS infrastructure. Bedrock Agents are configured at the App level through the Intelligence settings, allowing each App to connect to external agents available through its Bedrock AI Provider. What You’ll Accomplish:
  • Configure an AWS Bedrock AI Provider in Elementum
  • Create and configure a Bedrock Agent in AWS
  • Connect external Bedrock Agents to your Elementum App
  • Integrate external agents into App automations
  • Understand the technical architecture and APIs
Time Required: 20-30 minutes, depending on your existing AWS configuration

Prerequisites

Before beginning this setup, ensure you have the following in place:

1. Elementum Requirements

App Access

Access to the App where you want to integrate Bedrock Agents

Admin Permissions

Permission to configure AI Providers in Organization Settings

2. AWS Requirements

Your AWS environment must have:
  • AWS Account: Active AWS account with Bedrock access
  • Region: Bedrock available in your target region (e.g., us-east-1, us-east-2, us-west-2)
  • Bedrock Access: Amazon Bedrock service enabled for your account
  • Foundation Model Access: Access granted to at least one foundation model (Claude, Titan, etc.)
  • IAM Permissions: Ability to create IAM users and policies
Model Access Required: Before creating Bedrock Agents, you must request and receive access to foundation models in the Amazon Bedrock console. This may take a few minutes to process.

3. IAM Credentials

You’ll need AWS credentials that can invoke Bedrock Agents:
  • Access Key ID: AWS access key for programmatic access
  • Secret Access Key: Corresponding secret key
  • IAM Policy: Permission to invoke Bedrock agents (bedrock:InvokeAgent)

Step 1: Configure AWS Bedrock Agent

Before connecting to Elementum, you need a Bedrock Agent configured in AWS.

Create a Bedrock Agent in AWS

1

Access Amazon Bedrock

  1. Sign in to the AWS Management Console
  2. Navigate to Amazon Bedrock service
  3. Select Agents from the left navigation
2

Create New Agent

Click Create agent and configure:
  • Agent name: Provide a descriptive name (e.g., “Customer Support Agent”)
  • Description: Describe the agent’s purpose
  • Agent resource role: Create a new role or select an existing one with Bedrock permissions
3

Configure Agent Instructions

Provide clear instructions that define the agent’s behavior:
You are a helpful customer support assistant. You help users with 
their questions about orders, returns, and product information.
Always be polite and professional.
Clear, specific instructions lead to better agent performance. Include examples of expected behavior and any constraints.
4

Select Foundation Model

Choose the foundation model to power your agent
Model availability depends on your region and account access. Request model access in the Bedrock console if needed.
5

Configure Optional Features

Optionally enhance your agent with:Knowledge Bases:
  • Connect to S3 buckets containing documents
  • Agent can retrieve and reference this information
Action Groups:
  • Define custom actions via Lambda functions
  • Enable the agent to perform specific tasks
Guardrails:
  • Implement content filtering
  • Define topic restrictions
6

Save and Prepare

Click Create to save the agent configuration.The agent will be created in Draft status.

Create an Agent Alias

Required Step: Elementum requires an Agent Alias ARN to invoke your agent. You cannot use the base agent ARN.
1

Open Agent Configuration

In the Bedrock console, open your newly created agent
2

Navigate to Aliases

Select the Aliases tab in the agent configuration
3

Create Alias

Click Create alias and configure:
  • Alias name: Provide a name (e.g., “production”, “v1”)
  • Description: Describe this version
  • Select Create a new version and associate it to this alias
4

Copy the Agent Alias ARN

After creation, copy the Agent Alias ARN. It will look like:
arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF/GHIJ5678KL
The Agent Alias ARN format is: arn:aws:bedrock:{region}:{account-id}:agent-alias/{agent-id}/{alias-id}

Test Agent in AWS Console

Before connecting to Elementum, verify your agent works correctly:
  1. In the Bedrock console, open your agent
  2. Use the Test panel on the right side
  3. Send test messages to verify behavior
  4. Confirm responses match your expectations

Step 2: Create IAM Credentials

Create IAM credentials that Elementum will use to invoke your Bedrock Agent.

Create IAM User

1

Navigate to IAM

In the AWS Console, go to IAMUsersCreate user
2

Configure User

  • User name: Choose a descriptive name (e.g., “elementum-bedrock-invoker”)
  • Do not enable console access (programmatic access only)
3

Attach Permissions

Create and attach a policy with minimal required permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "bedrock:InvokeAgent",
      "Resource": "*"
    }
  ]
}
Least Privilege: For production, restrict the Resource to specific agent ARNs:
"Resource": "arn:aws:bedrock:us-east-2:123456789012:agent-alias/*"
4

Create Access Keys

After creating the user:
  1. Open the user details
  2. Go to Security credentials tab
  3. Click Create access key
  4. Select Third-party service as the use case
  5. Copy and securely store the Access Key ID and Secret Access Key
Store Credentials Securely: The secret access key is only shown once. Store it in a secure password manager until you configure it in Elementum.

Required IAM Permissions Summary

PermissionDescription
bedrock:InvokeAgentRequired to invoke the agent and receive responses
If your agent uses knowledge bases or action groups, the agent’s own IAM role (not the invoker role) needs additional permissions for those resources.

Step 3: Create Bedrock AI Provider in Elementum

Now configure Elementum to connect to AWS Bedrock.

Add AI Provider

1

Navigate to AI Providers

Go to Organization SettingsIntegrationsAI Providers
2

Add New Provider

Click ”+ Add Provider” and select Amazon Bedrock
3

Configure Provider

Enter the following details:Provider Name: A descriptive name (e.g., “AWS Bedrock - Production”)Region: The AWS region where your agent is deployed (e.g., us-east-2)Access Key ID: The access key from Step 2Secret Access Key: The secret key from Step 2
4

Test Connection

Click Test Connection to verify credentials work correctlyIf successful, you’ll see a confirmation message
5

Save Provider

Click Save to create the providerThe provider will now be available for use in App Intelligence

Provider Configuration Tips

Region Matching

Ensure the provider region matches where your Bedrock Agent is deployed

Multiple Providers

Create separate providers for different regions or AWS accounts

Step 4: Connect Agent in App Intelligence

With the provider configured, connect your Bedrock Agent to an App.

Access Intelligence Settings

1

Navigate to Your App

Go to the App where you want to integrate Bedrock Agents
2

Open App Admin

Click on App Admin in the navigation
3

Select Intelligence

Click on Intelligence in the App Admin menu

Add External Agent

1

Add Agent

Click the ”+ Connect” button at the top of the Intelligence page
2

Select Bedrock

In the agent source selection, choose Bedrock
3

Select Provider

Choose your configured Bedrock AI Provider from the dropdownOnly providers with valid credentials will appear
4

Enter Agent Alias ARN

Paste the Agent Alias ARN from Step 1Example format:
arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF/GHIJ5678KL
Use Alias ARN: You must use the Agent Alias ARN, not the base Agent ARN. The alias ARN includes both the agent ID and alias ID.
5

Configure Agent Settings

Agent Name: Optionally customize the display name in ElementumDescription: Add notes about how this agent will be used in your App
6

Save Configuration

Click Save to connect the external agentThe agent will now appear in your App’s Intelligence configuration

Step 5: Test the Integration

Verify the agent connection works correctly.

Test in Elementum

1

Open Agent

In App Intelligence, click on the connected Bedrock agent
2

Start Chat

Click Chat to open the interactive testing panel
3

Send Test Messages

Send messages to confirm:
  • The agent responds successfully
  • Responses are appropriate and match expectations
  • Latency is acceptable for your use case
4

Verify Behavior

Test various scenarios relevant to your use case:
  • Standard queries
  • Edge cases
  • Knowledge base retrieval (if configured)
  • Action group execution (if configured)

Expected Behavior

TestExpected Result
Simple greetingAgent responds appropriately
Domain-specific questionAgent uses knowledge base (if configured)
Action requestAgent executes action group (if configured)
Out-of-scope questionAgent handles gracefully per instructions

Step 6: Integrate with Automations

Use your Bedrock Agent in App automations for production workflows.

Using Agents in Automation Actions

1

Navigate to Automation

In your App, go to the automation where you want to use the agent
2

Add Agent Action

Add a new automation action or edit existingSelect Agent Action as the action type
3

Select Bedrock Agent

In the agent configuration:Agent: Choose the external Bedrock Agent you configuredThe agent will be labeled as “External” or “Managed”
4

Configure Parameters

Input Mapping: Map automation data to agent input
  • Use field values from the current record
  • Reference previous automation action outputs
  • Include static values or formulas
Output Handling: Configure how to handle responses
  • Map agent outputs to record fields
  • Store results for later actions
  • Set error handling behavior
5

Set Execution Options

Timeout: Set maximum execution time (default: 60 seconds)Retry Policy: Configure retry behavior for transient failuresError Handling: Define failure behavior
  • Continue with default values
  • Halt automation and alert
  • Escalate to human review

Example Automation

Workflow: Customer Inquiry Processing
Trigger: New inquiry record created
Automations:
  1. Gather Context:
     - Collect customer information
     - Retrieve previous interactions
  
  2. External Agent - Analysis:
     Type: External Agent (Bedrock)
     Agent: Customer Support Agent
     Inputs:
       - customer_inquiry: {record.description}
       - customer_history: {customer.interaction_history}
     Outputs:
       - response: record.suggested_response
       - category: record.inquiry_category
       - sentiment: record.customer_sentiment
  
  3. Route Based on Category:
     - High priority → Immediate escalation
     - Standard → Queue for review
     - FAQ → Auto-respond with suggestion

Understanding the Architecture

How Bedrock Agent Invocation Works

When Elementum invokes a Bedrock Agent:

AWS Bedrock APIs Used

Elementum leverages the Amazon Bedrock Runtime API: InvokeAgent API Used to send messages to your agent and receive responses. Key Parameters:
  • agentAliasId: The alias ID of the agent
  • agentId: The unique identifier of the agent
  • sessionId: Session identifier for conversation continuity
  • inputText: The message to send to the agent
Documentation: Amazon Bedrock InvokeAgent API

Security Model

AspectImplementation
AuthenticationIAM Access Key/Secret Key via Bedrock AI Provider
AuthorizationIAM policies control which agents can be invoked
Data in TransitTLS encryption for all API calls
AuditAWS CloudTrail logs all Bedrock API calls
IsolationApp-level configuration with provider-based access

Monitoring and Maintenance

Monitoring Agent Performance

Elementum Logs

View agent execution in automation historyMonitor:
  • Invocation frequency
  • Response times
  • Success/failure rates
  • Error messages

AWS CloudWatch

Monitor Bedrock metrics in AWSTrack:
  • API call volumes
  • Latency percentiles
  • Error rates
  • Token usage

Maintenance Tasks

Weekly:
  • Review automation logs for agent errors
  • Monitor response times and latency
  • Check for timeout patterns
Monthly:
  • Review agent usage and costs
  • Audit IAM permissions
  • Test agent behavior after any updates
Quarterly:
  • Rotate IAM access keys
  • Review and optimize agent instructions
  • Evaluate new foundation models

Troubleshooting

Common Issues

Error: “Access Denied” or “Not authorized to perform bedrock:InvokeAgent”Possible Causes:
  • IAM user missing bedrock:InvokeAgent permission
  • Policy not attached to user
  • Resource restrictions in policy don’t match agent ARN
Solutions:
  1. Verify IAM policy includes bedrock:InvokeAgent action
  2. Check policy is attached to the correct IAM user
  3. Ensure resource ARN in policy matches or uses wildcard
  4. Verify access keys belong to the correct user
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "bedrock:InvokeAgent",
      "Resource": "*"
    }
  ]
}
Error: “Invalid ARN format” or “Resource not found”Possible Causes:
  • Using agent ARN instead of agent alias ARN
  • Typo in the ARN
  • Wrong region in ARN
Solutions:
  1. Ensure you’re using the Agent Alias ARN, not the base Agent ARN
  2. Verify the format: arn:aws:bedrock:{region}:{account}:agent-alias/{agent-id}/{alias-id}
  3. Copy the ARN directly from the AWS console
  4. Check region matches your provider configuration
Correct Format:
arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF/GHIJ5678KL
Incorrect (base agent ARN):
arn:aws:bedrock:us-east-2:123456789012:agent/ABCD1234EF
Error: “Could not connect to endpoint” or timeout errorsPossible Causes:
  • Provider configured for different region than agent
  • Agent not available in specified region
Solutions:
  1. Verify the region in your Bedrock AI Provider matches where the agent is deployed
  2. Check the region in the Agent Alias ARN
  3. Confirm Bedrock is available in your target region
  4. Update provider configuration if needed
Error: “Agent execution timed out”Possible Causes:
  • Timeout set too low for agent complexity
  • Agent accessing slow knowledge bases
  • Large response generation
  • Network latency
Solutions:
  1. Increase timeout in automation configuration
  2. Optimize agent instructions for faster responses
  3. Review knowledge base configuration for performance
  4. Consider breaking complex tasks into multiple calls
Error: “Alias has no associated version” or unexpected behaviorPossible Causes:
  • Alias created without linking to a version
  • Agent in draft state without prepared version
Solutions:
  1. In Bedrock console, verify the alias has an associated version
  2. Create a new alias and select “Create a new version and associate it”
  3. Ensure the agent is not in draft state

Debugging Tips

  1. Test in AWS First: Always verify agent works in the Bedrock console before troubleshooting Elementum integration
  2. Check CloudTrail: Review AWS CloudTrail logs for detailed API call information
  3. Verify Credentials: Test IAM credentials independently using AWS CLI
  4. Review Provider Status: Check the Bedrock AI Provider status in Elementum

Best Practices

Security

IAM Best Practices

  • Use least privilege permissions
  • Restrict resource ARNs when possible
  • Rotate access keys regularly (every 90 days)
  • Use separate credentials per environment

Agent Security

  • Enable Bedrock Guardrails for content filtering
  • Define clear scope in agent instructions
  • Monitor for unexpected behavior patterns
  • Regular security reviews

Performance

  1. Optimize Instructions: Clear, concise agent instructions lead to faster responses
  2. Right-size Models: Use appropriate models for your use case (Haiku for speed, Opus for complexity)
  3. Monitor Latency: Track response times and set appropriate timeouts
  4. Cache When Possible: Cache repeated queries at the automation level

Cost Management

  • Monitor token usage in AWS Cost Explorer
  • Use smaller models for simpler tasks
  • Implement rate limiting for high-volume automations
  • Review and optimize knowledge base sizes

Example Use Cases

Use Case 1: IT Helpdesk Automation

Scenario: Automatically triage and respond to IT support tickets Implementation:
  1. Create Bedrock Agent with IT knowledge base (documentation, FAQs)
  2. Configure action groups for ticket operations
  3. Connect agent in IT Support App Intelligence
  4. Set up automation: New ticket → Agent analysis → Auto-categorize and suggest resolution
Benefits:
  • Faster first response times
  • Consistent ticket categorization
  • Reduced L1 support workload

Use Case 2: Customer Communication

Scenario: Generate personalized customer communications Implementation:
  1. Create Bedrock Agent with communication templates and brand guidelines
  2. Configure guardrails for appropriate content
  3. Connect agent in CRM App
  4. Automation: Communication request → Agent drafts message → Human review → Send
Benefits:
  • Consistent brand voice
  • Personalized content at scale
  • Faster communication turnaround

Next Steps

Agent Orchestration Center

View and manage all agents across your organization

Agent Architecture

Understand the technical architecture of Native and Managed agents

Automation System

Learn how to build sophisticated automations with agents

AWS Bedrock Docs

Reference AWS’s official Bedrock Agents documentation
By integrating AWS Bedrock Agents through your App’s Intelligence configuration, you extend your automation capabilities with powerful AI while leveraging your existing AWS infrastructure and security model. This integration enables sophisticated conversational AI, knowledge retrieval, and custom actions within your Elementum workflows.