Overview

AWS Bedrock integrates with Elementum in two ways:
  • AI Services — Select and configure Claude models hosted on Bedrock, then use them across automations and agents like any other provider. Running models through your own AWS account keeps AI workloads within your cloud infrastructure and compliance boundaries.
  • Bedrock Agents — Connect a Bedrock Agent you’ve built in AWS to an Elementum App so you can invoke it from automations and Intelligence.
Setup involves adding an Amazon Bedrock AI Provider, selecting Bedrock-hosted models for AI Services, and optionally connecting Bedrock Agents. You will:
  • Add an Amazon Bedrock AI Provider in Organization Settings
  • Select and configure Bedrock-hosted Claude models for use in AI Services
  • Optionally create a Bedrock Agent and agent alias in AWS
  • Connect the agent via App Intelligence using the Agent Alias ARN
  • Use Bedrock models and agents in automations
Time required: About 20–30 minutes, depending on your existing AWS setup

Prerequisites

Before beginning, ensure you have the following in place.

Elementum Requirements

  • App access: Access to the App where you want to use Bedrock Agents
  • Organization permissions: Ability to add or edit AI Providers in Organization Settings

AWS Requirements

Your AWS environment must have:
  • AWS Account: Active AWS account with Bedrock access
  • Region: Bedrock available in your target region (e.g., us-east-1, us-east-2, us-west-2)
  • Bedrock Access: Amazon Bedrock service enabled for your account
  • Foundation Model Access: Access granted to at least one foundation model (Claude, Titan, etc.)
  • IAM Permissions: Ability to create IAM users and policies
Model access: You need access to the foundation models you plan to use — whether for AI Services or Bedrock Agents. In the Amazon Bedrock console, confirm model access for your account and region; approval timing depends on AWS.

IAM Credentials

You’ll need AWS credentials with the appropriate Bedrock permissions:
  • Access Key ID: AWS access key for programmatic access
  • Secret Access Key: Corresponding secret key
  • IAM Policy: Permission to invoke Bedrock models (bedrock:InvokeModel) and, if using Bedrock Agents, permission to invoke agents (bedrock:InvokeAgent)

Step 1: Configure AWS Bedrock Agent (Optional)

If you plan to connect a Bedrock Agent to an App, configure the agent in AWS first. If you only need Bedrock-hosted models for AI Services, skip ahead to Step 2.

Create a Bedrock Agent in AWS

1. Access Amazon Bedrock

  1. Sign in to the AWS Management Console
  2. Navigate to Amazon Bedrock service
  3. Select Agents from the left navigation
2. Create New Agent

Click Create agent and configure:
  • Agent name: Provide a descriptive name (e.g., “Customer Support Agent”)
  • Description: Describe the agent’s purpose
  • Agent resource role: Create a new role or select an existing one with Bedrock permissions
3. Configure Agent Instructions

Provide clear instructions that define the agent’s behavior:
You are a helpful customer support assistant. You help users with 
their questions about orders, returns, and product information.
Always be polite and professional.
Clear, specific instructions lead to better agent performance. Include examples of expected behavior and any constraints.
4. Select Foundation Model

Choose the foundation model to power your agent.
Model availability depends on your region and account access. Request model access in the Bedrock console if needed.
5. Configure Optional Features

Optionally enhance your agent with:
Knowledge Bases:
  • Attach Amazon Bedrock knowledge bases using supported data sources (for example, Amazon S3)
  • The agent can retrieve and cite that content when answering
Action Groups:
  • Define custom actions via Lambda functions
  • Enable the agent to perform specific tasks
Guardrails:
  • Implement content filtering
  • Define topic restrictions
6. Save and Prepare

Click Create to save the agent configuration. The agent will be created in Draft status.

Create an agent alias

Elementum invokes agents with an Agent Alias ARN, not the base agent ARN.
  1. In the Bedrock console, open the agent and open the Aliases tab.
  2. Click Create alias. Set an alias name and description, and choose Create a new version and associate it to this alias so the alias points at a prepared version.
  3. After creation, copy the Agent Alias ARN. Format: arn:aws:bedrock:{region}:{account-id}:agent-alias/{agent-id}/{alias-id}
Example:
arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF/GHIJ5678KL
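A pre-flight check for the ARN before it is pasted into Elementum, as an added example that is not Elementum or AWS code. The function name and the ID length limit are assumptions made here; the ARN shape and the sample values are the ones shown on this page.

```python
import re

# Shape given on this page:
#   arn:aws:bedrock:{region}:{account-id}:agent-alias/{agent-id}/{alias-id}
_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)*:bedrock:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<rtype>[a-z-]+)/(?P<rest>.+)$"
)
# Assumption: IDs are short alphanumeric strings, as in the page's example ARN.
_ID = re.compile(r"^[0-9A-Za-z]{1,10}$")


def check_alias_arn(arn, provider_region):
    """Return (parts, problems). parts is None unless the ARN is a usable
    agent alias ARN in the provider's region."""
    m = _ARN.match(arn.strip())
    if m is None:
        return None, ["not a Bedrock ARN with region, 12-digit account and resource"]
    problems = []
    ids = m["rest"].split("/")
    if m["rtype"] == "agent":
        problems.append("base agent ARN: use the Agent Alias ARN instead")
    elif m["rtype"] != "agent-alias":
        problems.append("unexpected resource type: " + m["rtype"])
    elif len(ids) != 2 or not all(_ID.match(i) for i in ids):
        problems.append("expected agent-alias/{agent-id}/{alias-id}")
    if m["region"] != provider_region:
        problems.append("ARN region %s does not match provider region %s"
                        % (m["region"], provider_region))
    if problems:
        return None, problems
    # agentId and agentAliasId are the values InvokeAgent takes as parameters.
    return {"region": m["region"], "account": m["account"],
            "agentId": ids[0], "agentAliasId": ids[1]}, []


if __name__ == "__main__":
    samples = [  # the page's example ARNs plus one constructed truncation
        "arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF/GHIJ5678KL",
        "arn:aws:bedrock:us-east-2:123456789012:agent/ABCD1234EF",
        "arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF",
    ]
    for arn in samples:
        print(arn, "->", check_alias_arn(arn, "us-east-2"))
```
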

Test Agent in AWS Console

Before connecting to Elementum, verify your agent works correctly:
  1. In the Bedrock console, open your agent
  2. Use the Test panel on the right side
  3. Send test messages to verify behavior
  4. Confirm responses match your expectations

Step 2: Create IAM Credentials

Create IAM credentials that Elementum will use to call Bedrock models and (optionally) invoke Bedrock Agents.

Create IAM User

1. Navigate to IAM

In the AWS Console, go to IAM → Users → Create user.
2. Configure User

  • User name: Choose a descriptive name (e.g., “elementum-bedrock-invoker”)
  • Do not enable console access (programmatic access only)
3. Attach Permissions

Create and attach a policy with the required permissions. Include bedrock:InvokeModel for AI Services and bedrock:InvokeAgent if you are connecting Bedrock Agents:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeAgent"
      ],
      "Resource": "*"
    }
  ]
}
Least Privilege: For production, restrict the Resource to specific model and agent ARNs:
"Resource": [
  "arn:aws:bedrock:us-east-2::foundation-model/*",
  "arn:aws:bedrock:us-east-2:123456789012:agent-alias/*"
]
4. Create Access Keys

After creating the user:
  1. Open the user details
  2. Go to Security credentials tab
  3. Click Create access key
  4. Choose a use case that matches programmatic access from outside AWS (for example, application running outside AWS), then complete the prompts
  5. Copy and securely store the Access Key ID and Secret Access Key
Store Credentials Securely: The secret access key is only shown once. Store it in a secure password manager until you configure it in Elementum.

Required IAM Permissions Summary

Permission | Description
bedrock:InvokeModel | Required to call Bedrock-hosted models (Claude) for AI Services
bedrock:InvokeAgent | Required to invoke Bedrock Agents and receive responses
If you only need Bedrock-hosted models for AI Services, bedrock:InvokeModel is sufficient. Add bedrock:InvokeAgent when you also connect Bedrock Agents. If your agent uses knowledge bases or action groups, the agent’s own IAM role (not the invoker role) needs additional permissions for those resources.
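To check a policy document against the least-privilege guidance in this step before attaching it, the added example below (not Elementum or AWS code) flags every Allow that grants bedrock:InvokeModel or bedrock:InvokeAgent on a wildcarded resource and builds a policy limited to exact ARNs. The function names and the two finding levels are assumptions made here, and EXAMPLE-MODEL-ID is a placeholder.

```python
import fnmatch

INVOKE_ACTIONS = ("bedrock:InvokeModel", "bedrock:InvokeAgent")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_invoke_scope(policy):
    """Return (statement index, action, resource, level) for each Allow that
    grants a Bedrock invoke action on a wildcarded resource. Statements that
    use NotAction or NotResource are not examined."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") != "Allow" or "Action" not in stmt
                or "Resource" not in stmt):
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        granted = [a for a in INVOKE_ACTIONS
                   if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]
        for res in _as_list(stmt["Resource"]):
            if res == "*":
                level = "any-resource"
            elif "*" in res or "?" in res:
                level = "wildcard-arn"
            else:
                continue
            findings += [(idx, a, res, level) for a in granted]
    return findings


def scoped_policy(model_arns, alias_arns=()):
    """One statement per action, each limited to exact ARNs."""
    statements = [{"Effect": "Allow", "Action": "bedrock:InvokeModel",
                   "Resource": list(model_arns)}]
    if alias_arns:  # only needed when Bedrock Agents are connected
        statements.append({"Effect": "Allow", "Action": "bedrock:InvokeAgent",
                           "Resource": list(alias_arns)})
    return {"Version": "2012-10-17", "Statement": statements}


def _allow(resource):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(INVOKE_ACTIONS), "Resource": resource}]}


PAGE_POLICY = _allow("*")              # first policy shown in this step
PAGE_PRODUCTION = _allow([             # the page's production Resource list
    "arn:aws:bedrock:us-east-2::foundation-model/*",
    "arn:aws:bedrock:us-east-2:123456789012:agent-alias/*"])
# Constructed: EXAMPLE-MODEL-ID is a placeholder, not a real model identifier.
MODEL_ARN = "arn:aws:bedrock:us-east-2::foundation-model/EXAMPLE-MODEL-ID"
ALIAS_ARN = "arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF/GHIJ5678KL"

if __name__ == "__main__":
    for name, pol in [("page", PAGE_POLICY), ("production", PAGE_PRODUCTION),
                      ("scoped", scoped_policy([MODEL_ARN], [ALIAS_ARN]))]:
        print(name, audit_invoke_scope(pol))
```

The production Resource list still reports `wildcard-arn` findings because it allows every model and every agent alias in that region and account; only the exact-ARN policy comes back clean.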

Step 3: Create Bedrock AI Provider in Elementum

Configure Elementum to call AWS with the credentials from Step 2.

Add the provider

  1. Go to Organization Settings and open the Providers tab (same place you configure other AI Providers).
  2. Click + Provider and select Amazon Bedrock.
  3. Enter a Provider name, the Region where your Bedrock resources are deployed (for example us-east-2), Access Key ID, and Secret Access Key.
  4. Use Test Connection to confirm the credentials, then Save.
The provider is now available for creating AI Services and connecting Bedrock Agents.
Tips
  • The provider Region must match the region where your Bedrock models and agents are available.
  • Use separate providers for different AWS accounts or regions if needed.

Select Bedrock-hosted models for AI Services

Once the provider is saved, you can create AI Services that use Bedrock-hosted Claude models:
  1. In Organization Settings, go to the Services tab.
  2. Click + Service and select the service type (LLM).
  3. Choose your Amazon Bedrock provider.
  4. Select a Claude model from the available list (model availability depends on your AWS region and account access).
  5. Configure service settings (name, temperature, max tokens) and Save.
The service is now available across automations and agents, just like services from any other provider.
Bedrock-hosted models run within your AWS account, keeping AI workloads inside your own cloud infrastructure and compliance boundaries.

Step 4: Connect Agent in App Intelligence (Optional)

If you configured a Bedrock Agent in Step 1, connect it to an App.

Open App Intelligence

  1. Open the App where you want to use Bedrock Agents.
  2. In the App menu, click Intelligence.

Connect the Bedrock agent

1. Add Agent

On the Intelligence page, click + Connect (or the control your workspace uses to connect a managed agent).
2. Select Bedrock

Choose Bedrock as the agent source.
3. Select Provider

Choose your Amazon Bedrock AI Provider. Only providers with working credentials appear.
4. Enter Agent Alias ARN

Paste the Agent Alias ARN from Create an agent alias. Do not use the base agent ARN.
5. Configure Agent Settings

  • Agent Name: Optionally customize the display name in Elementum
  • Description: Add notes about how this agent will be used in your App
6. Save Configuration

Click Save to connect the external agent. The agent will now appear in your App’s Intelligence configuration.

Step 5: Test the Integration

Verify the agent connection works correctly.

Test in Elementum

1. Open Agent

In App Intelligence, click on the connected Bedrock agent.
2. Start Chat

Click Chat to open the interactive testing panel.
3. Send Test Messages

Send messages to confirm:
  • The agent responds successfully
  • Responses are appropriate and match expectations
  • Latency is acceptable for your use case
4. Verify Behavior

Test various scenarios relevant to your use case:
  • Standard queries
  • Edge cases
  • Knowledge base retrieval (if configured)
  • Action group execution (if configured)

Expected Behavior

Test | Expected Result
Simple greeting | Agent responds appropriately
Domain-specific question | Agent uses knowledge base (if configured)
Action request | Agent executes action group (if configured)
Out-of-scope question | Agent handles gracefully per instructions

Step 6: Integrate with Automations

Use your Bedrock Agent in App automations for production workflows.

Using Agents in Automation Actions

In the automation builder, the action type is Run Agent Task. For full field-level detail, see Run Agent Task in the automation actions reference.
1. Navigate to Automation

In your App, open the automation where you want to use the agent.
2. Add Run Agent Task

Add a new action or edit an existing one, then choose Run Agent Task.
3. Select Bedrock Agent

Under AI Agent (or equivalent), choose the external Bedrock Agent you connected in Intelligence. It may appear as External or Managed, depending on your workspace.
4. Configure the task and outputs

  • Task definition: Describe what the agent should do and how success is judged. Use value references for record fields, prior action outputs, or static text where supported.
  • Output type: Choose Text or Structured. For structured output, define fields so later automation steps can map results to records or variables.
  • Configure any error or follow-up behavior your automation requires after the task completes.
5. Set Execution Options

  • Timeout: Set a maximum execution time that fits your agent and knowledge sources (the editor may suggest a default)
  • Retry Policy: Configure retry behavior for transient failures
  • Error Handling: Define failure behavior
      • Continue with default values
      • Halt automation and alert
      • Escalate to human review

Example automation (conceptual)

The following illustrates how steps might flow; exact builder labels can vary by release.
Workflow: Customer Inquiry Processing
Trigger: New inquiry record created
Automations:
  1. Gather Context:
     - Collect customer information
     - Retrieve previous interactions
  
  2. Run Agent Task – Analysis:
     Type: Run Agent Task
     Agent: Customer Support Agent (Bedrock / Managed)
     Inputs:
       - customer_inquiry: {record.description}
       - customer_history: {customer.interaction_history}
     Outputs:
       - response: record.suggested_response
       - category: record.inquiry_category
       - sentiment: record.customer_sentiment
  
  3. Route Based on Category:
     - High priority → Immediate escalation
     - Standard → Queue for review
     - FAQ → Auto-respond with suggestion

Understanding the Architecture

How Bedrock Agent Invocation Works

When Elementum invokes a Bedrock Agent:

AWS Bedrock APIs Used

Elementum uses two Bedrock APIs depending on the feature:

InvokeModel

Sends a prompt to a Bedrock-hosted foundation model (e.g., Claude) and returns the model response. Used by AI Services created with the Bedrock provider.

Key Parameters:
  • modelId: The identifier of the foundation model
  • body: The request payload (prompt, parameters)
  • contentType / accept: Media types for the request and response
Documentation: Amazon Bedrock InvokeModel API

InvokeAgent

Sends a prompt to the agent and returns the agent’s response (including optional tool and knowledge-base steps on the AWS side).

Key Parameters:
  • agentAliasId: The alias ID of the agent
  • agentId: The unique identifier of the agent
  • sessionId: Session identifier for conversation continuity
  • inputText: The message to send to the agent
Documentation: Amazon Bedrock InvokeAgent API

Security Model

Aspect | Implementation
Authentication | IAM Access Key/Secret Key via Bedrock AI Provider
Authorization | IAM policies control which models and agents can be invoked
Data in Transit | TLS encryption for all API calls
Audit | AWS CloudTrail logs all Bedrock API calls
Isolation | App-level configuration with provider-based access

Monitoring and Maintenance

Monitoring Agent Performance

In Elementum
  • Use automation history and related logs to review invocations, response times, success and failure rates, and error messages.
In AWS
  • Use CloudWatch and Cost Explorer (as applicable) for Bedrock API volume, latency, errors, and token or usage-related metrics.

Maintenance Tasks

Weekly:
  • Review automation logs for agent errors
  • Monitor response times and latency
  • Check for timeout patterns
Monthly:
  • Review agent usage and costs
  • Audit IAM permissions
  • Test agent behavior after any updates
Quarterly:
  • Rotate IAM access keys
  • Review and optimize agent instructions
  • Evaluate new foundation models

Troubleshooting

Common Issues

Error: “Access Denied” or “Not authorized to perform bedrock:InvokeAgent”
Possible Causes:
  • IAM user missing bedrock:InvokeAgent permission
  • Policy not attached to user
  • Resource restrictions in policy don’t match agent ARN
Solutions:
  1. Verify IAM policy includes bedrock:InvokeAgent and is attached to the IAM user whose keys are on the Bedrock AI Provider
  2. Ensure the policy Resource matches your agent alias ARNs or uses a permitted pattern (see Step 2: Create IAM credentials)
  3. Confirm the access keys in Elementum belong to that user
Error: “Invalid ARN format” or “Resource not found”
Possible Causes:
  • Using agent ARN instead of agent alias ARN
  • Typo in the ARN
  • Wrong region in ARN
Solutions:
  1. Ensure you’re using the Agent Alias ARN, not the base Agent ARN
  2. Verify the format: arn:aws:bedrock:{region}:{account}:agent-alias/{agent-id}/{alias-id}
  3. Copy the ARN directly from the AWS console
  4. Check region matches your provider configuration
Correct Format:
arn:aws:bedrock:us-east-2:123456789012:agent-alias/ABCD1234EF/GHIJ5678KL
Incorrect (base agent ARN):
arn:aws:bedrock:us-east-2:123456789012:agent/ABCD1234EF
Error: “Could not connect to endpoint” or timeout errors
Possible Causes:
  • Provider configured for different region than agent
  • Agent not available in specified region
Solutions:
  1. Verify the region in your Bedrock AI Provider matches where the agent is deployed
  2. Check the region in the Agent Alias ARN
  3. Confirm Bedrock is available in your target region
  4. Update provider configuration if needed
Error: “Agent execution timed out”
Possible Causes:
  • Timeout set too low for agent complexity
  • Agent accessing slow knowledge bases
  • Large response generation
  • Network latency
Solutions:
  1. Increase timeout in automation configuration
  2. Optimize agent instructions for faster responses
  3. Review knowledge base configuration for performance
  4. Consider breaking complex tasks into multiple calls
Error: “Alias has no associated version” or unexpected behavior
Possible Causes:
  • Alias created without linking to a version
  • Agent in draft state without prepared version
Solutions:
  1. In Bedrock console, verify the alias has an associated version
  2. Create a new alias and select “Create a new version and associate it”
  3. Ensure the agent is not in draft state

Debugging Tips

  1. Test in AWS First: Always verify agent works in the Bedrock console before troubleshooting Elementum integration
  2. Check CloudTrail: Review AWS CloudTrail logs for detailed API call information
  3. Verify Credentials: Test IAM credentials independently using AWS CLI
  4. Review Provider Status: Check the Bedrock AI Provider status in Elementum

Best Practices

  • Apply least privilege; scope bedrock:InvokeModel and bedrock:InvokeAgent to specific model and agent alias ARNs when practical.
  • Rotate access keys on a schedule your organization defines (for example, every 90 days).
  • Use different IAM users or keys per environment (development vs production).
  • Use Bedrock Guardrails and clear instruction scope where appropriate.
  • Review agent behavior and access periodically.
Clear, concise agent instructions usually produce faster, more predictable responses. Prefer explicit scope, examples, and constraints over long generic prompts.
Pick a foundation model that balances latency, cost, and quality for your task. Available models depend on your AWS region and account.
Track response times in automations and in AWS where you have metrics. Set automation timeouts high enough for knowledge-base retrieval and tool use, without masking real failures.
Where the same or similar agent inputs occur often, consider caching or deduplicating at the automation level so you do not pay latency and usage for identical work.
Use AWS Cost Explorer (and related billing views) to monitor token-related usage and Bedrock charges tied to your agents.
Prefer smaller or faster models for straightforward classification or short replies when quality requirements allow; reserve larger models for harder reasoning.
For automations that invoke agents at high volume, add throttling or batching so you stay within quotas and avoid unnecessary parallel cost spikes.
Review knowledge base size, refresh cadence, and retrieval settings so you are not indexing or retrieving more content than the agent needs.

Example Use Cases

Scenario: Automatically triage and respond to IT support tickets.
Implementation:
  1. Create a Bedrock Agent with an IT knowledge base (documentation, FAQs).
  2. Configure action groups for ticket operations.
  3. Connect the agent in the IT Support App Intelligence.
  4. Set up automation: New ticket → Agent analysis → Auto-categorize and suggest resolution.
Outcomes:
  • Faster first response times
  • Consistent ticket categorization
  • Reduced L1 support workload
Scenario: Generate personalized customer communications.
Implementation:
  1. Create a Bedrock Agent with communication templates and brand guidelines.
  2. Configure guardrails for appropriate content.
  3. Connect the agent in the CRM App.
  4. Automation: Communication request → Agent drafts message → Human review → Send.
Outcomes:
  • Consistent brand voice
  • Personalized content at scale
  • Faster communication turnaround

Next Steps

AI Services

Create LLM services using Bedrock-hosted Claude models

AI Models

Compare models across providers to choose the right one for your use case

Automation System

Learn how to build automations with Bedrock models and agents

AWS Bedrock Docs

Reference AWS’s official Bedrock documentation