The AWS DevOps Agent is a production-ready AI-powered automation tool that transforms complex AWS DevOps operations into natural language conversations. Built on the Strands framework with Bedrock Agent Core integration, it combines real-time AWS data with intelligent analysis to provide actionable insights for cost optimization, security compliance, and infrastructure management.
Core Architecture:
- Strands Framework for AI orchestration
- Bedrock Agent Core for sophisticated reasoning with Claude Sonnet 4
- Official AWS MCP Servers for real-time data access
- GitHub Integration for automated infrastructure improvements
- Multi-Account Support for enterprise operations
Instead of manually running complex AWS CLI commands, navigating multiple consoles, or writing custom scripts, you can:
- Analyze costs with real-time AWS pricing and usage data
- Optimize infrastructure with actionable recommendations
- Validate security against compliance frameworks (SOC2, HIPAA, PCI-DSS, ISO27001)
- Manage Infrastructure as Code for Terraform, CloudFormation, and CDK
- Generate professional reports automatically saved to files
- Create GitHub pull requests with infrastructure improvements
- Monitor multi-account AWS environments
- Automate compliance checking and reporting
- Python 3.10+
- AWS credentials configured
- Basic familiarity with AWS services
# 1. Clone and setup everything
git clone <repository-url>
cd strands-bedrock-mcp-devops-agent
make setup
source .venv/bin/activate
# 2. Start the agent
make runThe setup automatically installs and configures all required components including AWS MCP servers.
1. Interactive Mode (Recommended)
make runFull conversation mode with context awareness and follow-up questions.
2. Single Query Mode
make query QUERY="Analyze my AWS costs for the last 30 days"Perfect for automation, scripts, and CI/CD pipelines.
3. Demo Mode
make devWatch automated examples to learn capabilities.
Real-Time Cost Analysis
get_actual_aws_costs- Live cost data from Cost Exploreranalyze_cost_trends_real- Cost trend analysis over timeget_real_aws_pricing- Current AWS pricing across all servicesanalyze_cost_optimization_opportunities- Find savings opportunities
Instance and Resource Optimization
get_rightsizing_recommendations- EC2 instance rightsizingget_reserved_instance_recommendations- RI savings analysiscalculate_reserved_instance_savings- RI vs On-Demand cost comparisongenerate_cost_comparison_report- Multi-service cost comparisons
Example Queries:
"Analyze my AWS costs for the last 30 days"
"Compare t3.medium vs m5.large for web application workloads"
"Find Reserved Instance opportunities with ROI analysis"
"What would it cost to migrate this workload to us-west-2?"
Terraform Analysis
analyze_terraform_project- Comprehensive project analysisvalidate_terraform_configuration- Syntax and logic validationplan_terraform_changes- Generate and analyze Terraform plansanalyze_terraform_state- State file analysis and drift detectiongenerate_terraform_optimization_report- Detailed optimization reports
CloudFormation Analysis
validate_cloudformation_template- Template validationanalyze_cloudformation_stack- Stack configuration analysisscan_infrastructure_drift- Detect configuration driftgenerate_iac_best_practices_report- Best practices validation
CDK Analysis
analyze_cdk_project- CDK project structure and code analysissynthesize_cdk_project- Generate CloudFormation from CDKanalyze_cdk_synthesized_output- Analyze generated templatesgenerate_cdk_optimization_report- Comprehensive CDK optimization
Example Queries:
"Analyze my Terraform configuration for best practices"
"Validate my CloudFormation template for security issues"
"Generate a CDK optimization report for my project"
"Check for infrastructure drift in my environment"
Real AWS Security Analysis
analyze_security_hub_findings- Live Security Hub dataanalyze_config_compliance- AWS Config compliance statusanalyze_inspector_findings- Amazon Inspector vulnerabilitiesget_security_recommendations- Trusted Advisor security recommendationsperform_comprehensive_security_analysis- Combined security assessment
Compliance Framework Support
validate_security_policies- Security policy validationcheck_compliance_standards- SOC2, HIPAA, PCI-DSS, ISO27001 checksgenerate_compliance_report- Framework-specific compliance reportsscan_security_vulnerabilities- Multi-service vulnerability scanning
Example Queries:
"Perform comprehensive security analysis using real AWS data"
"Check SOC2 compliance for my infrastructure"
"Scan for security vulnerabilities across all services"
"Generate HIPAA compliance report for my healthcare application"
Cross-Account Operations
list_cross_account_resources- Resource discovery across accountsexecute_cross_account_operation- Multi-account operationsgenerate_multi_account_report- Organization-wide reportingmonitor_cross_account_compliance- Cross-account compliance monitoring
Account Management
- Interactive account selection and switching
- Cross-account role assumption
- Organization-wide cost analysis
- Centralized compliance monitoring
Example Queries:
"Generate cost report for all accounts in my organization"
"Check compliance across all AWS accounts"
"List all EC2 instances across my organization"
"Monitor security status across multiple accounts"
Automated Infrastructure Improvements
create_optimization_pull_request- Cost optimization PRsupdate_iac_via_github- Infrastructure updates via GitHubcreate_terraform_security_pr- Security improvement PRslist_infrastructure_repositories- Repository discoverymonitor_infrastructure_prs- PR monitoring and management
Repository Analysis
check_repository_connectivity- Test GitHub accessget_repository_info- Repository details and structurelist_repository_branches- Branch listing and analysiscreate_branch_simple- Automated branch creation
Example Queries:
"Create a pull request with cost optimization recommendations"
"Generate infrastructure updates based on security analysis"
"Analyze my Terraform repository structure"
"Create a GitHub issue for critical security findings"
Automatic Report Creation
generate_document- General document generationgenerate_cost_analysis_document- Cost analysis reportsgenerate_security_compliance_document- Security compliance reportsgenerate_infrastructure_document- IaC analysis reportsgenerate_cdk_analysis_document- CDK optimization reports
Report Management
list_generated_documents- View all generated reportsget_document_info- Document details and metadata- Automatic organization in
reports/folder - Multiple formats: Markdown, JSON, CSV, Excel
Example Queries:
"Generate a comprehensive cost analysis report"
"Create a security compliance document for audit"
"Generate executive summary of infrastructure analysis"
"List all reports generated this month"
All analysis can be saved as professional reports in the reports/ folder:
reports/
├── cost-analysis/ # Cost optimization reports
├── security-compliance/ # Security and compliance reports
├── infrastructure-as-code/ # IaC analysis reports
├── cdk-analysis/ # CDK project reports
├── compliance-reports/ # Framework-specific compliance
├── multi-account/ # Organization-wide reports
└── general/ # Custom reports
- Markdown (.md) - Human-readable with rich formatting
- JSON (.json) - Machine-readable structured data
- CSV (.csv) - Spreadsheet-compatible tabular data
- Excel (.xlsx) - Complex reports with multiple sheets
All files are automatically timestamped to prevent overwrites:
- Format:
{title}_{YYYYMMDD_HHMMSS}.{extension} - Example:
cost_analysis_20250906_192643.md
Required for Production:
export AWS_REGION=us-east-1
export BEDROCK_MODEL_ID=claude-3.5-sonnet
export PORT=8080
export HOST=0.0.0.0Optional Configuration:
export DEBUG_MODE=false
export LOG_LEVEL=INFO
export AWS_PROFILE=production
export MCP_TIMEOUT=30
export MCP_MAX_WORKERS=10GitHub Integration:
export GITHUB_PERSONAL_ACCESS_TOKEN=ghp_xxxxxxxx
export GITHUB_ORG=your-organization
export GITHUB_DEFAULT_REPO=your-org/your-repoMulti-Account Configuration:
export CROSS_ACCOUNT_ROLES=account1:role1,account2:role2
export AWS_ACCOUNT_ID=123456789012
export AWS_ACCOUNT_NAME=Production Account# Create production environment
make agentcore-env-prod
# Create development environment
make agentcore-env-dev
# Validate configuration
make agentcore-validate# Standard local deployment
make run
# Test locally before production
make agentcore-test-localComplete Production Process:
# 1. Configure for production
make agentcore-configure
# 2. Test locally first
make agentcore-test-local
# 3. Human verification (mandatory)
make agentcore-deploy-verify
# 4. Deploy to production
make agentcore-deploy
# 5. Monitor deployment
make agentcore-status
make agentcore-logsProduction Features:
- Multi-stage Docker build with security hardening
- Health monitoring endpoints (
/health,/metrics) - Structured logging with request tracking
- IAM policy with comprehensive permissions
- Automatic rollback capabilities
# Example GitHub Actions
- name: AWS Cost Analysis
run: make query QUERY="Analyze costs for this deployment"
- name: Security Validation
run: make query QUERY="Validate security policies for new resources"No Automatic Actions:
- Never creates PRs without explicit user consent
- Never modifies infrastructure without permission
- Never pushes code without approval
- All dangerous operations require
user_consent=Trueparameter
Function-Level Protection:
# All dangerous functions include safety checks
if not user_consent:
return {
"status": "error",
"error": "CRITICAL: User consent required!",
"safety_message": "This function requires explicit user approval."
}Message-Level Protection: The agent automatically detects dangerous patterns in requests:
- "create pull request", "deploy", "modify infrastructure"
- Blocks action and requests explicit approval
- Provides clear safety warnings
analyze_*,scan_*,check_*,validate_*monitor_*,list_*,get_*,read_*generate_report,prepare_recommendations
create_*,update_*,modify_*,deploy_*push_*,commit_*, infrastructure changes- Any GitHub or code modifications
@dataclass
class SafetyConfig:
require_explicit_consent_for_prs: bool = True
require_explicit_consent_for_commits: bool = True
require_explicit_consent_for_infrastructure_changes: bool = True-
GitHub Personal Access Token with scopes:
repo- Full control of private repositoriesread:org- Read org and team membershipread:user- Read user profile dataproject- Read/write project boards
-
Go Installation (for GitHub MCP server)
-
Environment Configuration
- Repository Management: Browse, analyze, manage repositories
- Pull Request Automation: Create PRs with infrastructure changes
- Issue Tracking: Create and manage GitHub issues
- Branch Operations: Create branches, manage merges
- Code Analysis: Analyze repository structure and dependencies
# Install GitHub MCP server
make mcp-install
# Add GitHub token
echo "GITHUB_PERSONAL_ACCESS_TOKEN=your_token" >> .env
# Test connectivity
make github-test-connectivity REPO=octocat/Hello-World
# Start agent with GitHub integration
make run- Cost Explorer MCP - Real-time cost data
- CloudWatch MCP - Metrics and monitoring data
- AWS Pricing MCP - Current service pricing
- Terraform MCP - Terraform operations
- DynamoDB MCP - Database operations
- GitHub MCP - Repository management
# Check all MCP servers
make mcp-check
# Install MCP servers
make mcp-install
# Test MCP connections
make mcp-test
# Start MCP servers
make mcp-run
# Stop MCP servers
make mcp-stop1. "Analyze my AWS costs for the last 90 days"
2. "Find Reserved Instance opportunities with ROI analysis"
3. "Generate a cost optimization report for management"
4. "Create a GitHub PR with cost optimization changes"
1. "Perform comprehensive security analysis using real AWS data"
2. "Check SOC2 compliance for my infrastructure"
3. "Generate security compliance report for audit"
4. "Create GitHub issues for critical security findings"
1. "Analyze my Terraform project for best practices"
2. "Check for security vulnerabilities in my CDK code"
3. "Generate infrastructure optimization report"
4. "Create PR with recommended infrastructure improvements"
1. "List all accounts in my organization"
2. "Generate cost report across all accounts"
3. "Check compliance status organization-wide"
4. "Create consolidated security assessment"
- Morning cost check: "Show yesterday's AWS spending"
- Resource optimization: "Find underutilized resources"
- Security monitoring: "Check for new security alerts"
- Performance review: "Show CloudWatch metrics for critical services"
- Cost trend analysis: "Analyze weekly cost trends"
- Compliance monitoring: "Run weekly security assessment"
- Infrastructure health: "Check infrastructure drift"
- Team reporting: "Generate weekly DevOps summary"
- Executive reporting: "Generate monthly cost report for management"
- Capacity planning: "Analyze resource utilization trends"
- Security audits: "Perform comprehensive monthly security review"
- Compliance preparation: "Generate SOC2 compliance documentation"
- New deployments: "Estimate cost impact of new infrastructure"
- Migration planning: "Compare costs between architectures"
- Code reviews: "Analyze IaC changes for security issues"
- Compliance validation: "Check changes against compliance requirements"
Virtual Environment Problems:
# Recreate environment
make clean
make setup
source .venv/bin/activateAWS Credentials Issues:
# Configure credentials
aws configure
aws sts get-caller-identityMCP Server Issues:
# Reinstall MCP servers
make mcp-install
make mcp-checkPermission Denied:
- Ensure AWS credentials have required permissions
- Check IAM policies include necessary actions
- Verify cross-account roles are properly configured
GitHub Integration Issues:
# Check GitHub token
echo $GITHUB_PERSONAL_ACCESS_TOKEN
# Test connectivity
make github-test-connectivity REPO=octocat/Hello-WorldAgent Not Responding:
# Check status
make status
# View logs
make agentcore-logs
# Restart agent
make clean && make setup# Enable detailed logging
export LOG_LEVEL=DEBUG
export DEBUG_MODE=true
make run- Run cost analysis weekly
- Review RI recommendations quarterly
- Monitor for cost anomalies daily
- Implement cost allocation tags
- Perform security assessments monthly
- Enable continuous compliance monitoring
- Keep security policies current
- Maintain audit documentation
- Use Infrastructure as Code consistently
- Implement automated testing
- Maintain version control for all infrastructure
- Document architecture decisions
- Use AWS Organizations for centralized billing
- Implement least privilege access
- Standardize policies across accounts
- Monitor all accounts consistently
- Review all generated PRs before merging
- Test infrastructure changes in development
- Document all automated changes
- Maintain branch protection rules
Cost Management: Cost Explorer, Pricing API, Budgets, Trusted Advisor Compute: EC2, Lambda, ECS, EKS, Fargate Storage: S3, EBS, EFS, FSx Database: RDS, DynamoDB, ElastiCache, Redshift Security: Security Hub, Config, Inspector, IAM, KMS Networking: VPC, CloudFront, Route 53, Load Balancers Monitoring: CloudWatch, CloudTrail, X-Ray
Terraform: HCL configuration analysis, state management, plan generation CloudFormation: Template validation, stack analysis, drift detection AWS CDK: TypeScript, JavaScript, Python, Java project analysis
SOC2: System and Organization Controls Type 2 HIPAA: Healthcare Information Portability and Accountability Act PCI-DSS: Payment Card Industry Data Security Standard ISO27001: Information Security Management System NIST: National Institute of Standards and Technology frameworks
CDK Support: TypeScript, JavaScript, Python, Java Terraform: HCL (HashiCorp Configuration Language) CloudFormation: JSON, YAML templates
- Cost analysis: 10-30 seconds
- Security analysis: 15-45 seconds
- IaC analysis: 5-20 seconds
- Document generation: 5-15 seconds
- Multi-account operations may take longer
- Large Terraform projects require more processing time
- Comprehensive security analysis increases with resource count
- GitHub operations depend on repository size
- Memory: 512MB - 2GB depending on analysis complexity
- Network: Requires stable internet for AWS API calls
- Storage: Reports stored locally in
reports/folder
Begin with basic cost analysis to understand current spending patterns and tool capabilities.
Integrate the agent into daily operations:
- Morning: Quick cost and security checks
- Code reviews: IaC analysis for changes
- Planning: Cost estimation for new projects
- Reporting: Automated report generation
Use in CI/CD pipelines for:
- Cost impact analysis on deployments
- Security validation on infrastructure changes
- Compliance checks before production releases
- Automated documentation generation
- Generate reports for different stakeholders
- Use GitHub integration for team reviews
- Maintain consistency across environments
- Document decisions and recommendations
- This comprehensive user manual
- Individual tool documentation in source
- Example workflows and demos
- Troubleshooting guides
# Check all available commands
make help
# View system status
make status
# Run diagnostics
make mcp-test- AWS MCP servers automatically provide latest data
- Agent uses current AWS APIs for real-time information
- GitHub integration stays current with repository changes
# Setup and Installation
make setup # Complete setup with all components
make status # Check system status
make help # Show all commands
# Running the Agent
make run # Interactive conversation mode
make dev # Demo mode with examples
make query QUERY="question" # Single query mode
# MCP Server Management
make mcp-check # Check MCP server status
make mcp-install # Install all AWS MCP servers
make mcp-test # Test MCP connections
# GitHub Integration
make github-test-connectivity REPO=owner/repo
make mcp-install # Includes GitHub MCP setup
# Production Deployment
make agentcore-configure # Configure for Bedrock AgentCore
make agentcore-test-local # Test locally before production
make agentcore-deploy-verify # Mandatory human verification
make agentcore-deploy # Deploy to production
make agentcore-status # Check deployment status
make agentcore-logs # View production logs
make agentcore-rollback # Emergency rollback
# Environment Management
make agentcore-env-prod # Create production environment
make agentcore-env-dev # Create development environment
make agentcore-validate # Validate configuration
# Maintenance
make clean # Clean temporary files
make test # Run test suiteThe AWS DevOps Agent transforms complex AWS operations into natural conversations, providing real-time insights, automated improvements, and professional reports. Whether you're optimizing costs, ensuring compliance, or managing infrastructure, the agent makes advanced AWS operations accessible to everyone.