Getting Started with AWS Bedrock AgentCore: From Setup to Production

AWS Bedrock AgentCore lets you deploy AI agents to production without managing infrastructure. This guide takes you from zero to a running agent in under 2 hours—with real code, not theory. By the end, you'll have a deployed agent with memory, authentication, and monitoring.

What is AWS Bedrock AgentCore?

AWS Bedrock AgentCore is a managed runtime for AI agents that handles scaling, memory, authentication, and observability. You write the agent logic; AgentCore handles everything else. It supports any framework (LangGraph, CrewAI, custom) and any Bedrock model (Claude, Titan, Llama, Mistral).

Prerequisites

Before you start, ensure you have:

Time required: 90-120 minutes for first deployment

Step 1: AWS Account Setup

If you already have an AWS account with CLI access, skip to Step 2.

Create AWS Account

1. Go to aws.amazon.com
2. Click "Create an AWS Account"
3. Follow the signup process
4. Add a payment method (required, but free tier covers initial testing)

Configure AWS CLI

# Install AWS CLI (macOS)
brew install awscli

# Install AWS CLI (Linux)
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

# Configure credentials
aws configure

When prompted, enter:

• AWS Access Key ID: From IAM console
• AWS Secret Access Key: From IAM console
• Default region: us-east-1 (recommended for Bedrock)
• Default output format: json

Verify Setup

aws sts get-caller-identity

Expected output:

{
    "UserId": "AIDAXXXXXXXXXXXXXXXXX",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/your-username"
}

Step 2: Enable Bedrock and Configure IAM

Request Bedrock Model Access

1. Open AWS Console → Amazon Bedrock
2. Click "Model access" in left sidebar
3. Click "Manage model access"
4. Select models you need:
   • ✅ Anthropic Claude 3 Sonnet (recommended)
   • ✅ Anthropic Claude 3 Haiku (for cost optimization)
   • ✅ Amazon Titan (backup option)
5. Click "Save changes"

Note: Access typically grants within minutes, but can take up to 24 hours.

Create IAM Role for AgentCore

Create a file agentcore-trust-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "lambda.amazonaws.com",
                    "bedrock.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Create the role:

aws iam create-role \
    --role-name AgentCoreExecutionRole \
    --assume-role-policy-document file://agentcore-trust-policy.json

Attach Required Policies

# Bedrock access
aws iam attach-role-policy \
    --role-name AgentCoreExecutionRole \
    --policy-arn arn:aws:iam::aws:policy/AmazonBedrockFullAccess

# Lambda execution
aws iam attach-role-policy \
    --role-name AgentCoreExecutionRole \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole

# DynamoDB for memory (we'll use this later)
aws iam attach-role-policy \
    --role-name AgentCoreExecutionRole \
    --policy-arn arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess

Step 3: Install AgentCore CLI

Install via pip

pip install bedrock-agentcore-cli

Authenticate CLI

agentcore configure

This will prompt for:

• AWS Region: us-east-1
• Default runtime: lambda
• IAM Role ARN: arn:aws:iam::YOUR_ACCOUNT:role/AgentCoreExecutionRole

Verify Installation

agentcore --version
# Expected: agentcore-cli 1.x.x

agentcore status
# Expected: Connected to AWS account XXXXXXXXXXXX

Step 4: Create Your First Agent

Initialize Project

mkdir my-first-agent
cd my-first-agent
agentcore init

This creates:

my-first-agent/
├── agent.py           # Main agent configuration
├── tools/             # Custom tools directory
│   └── __init__.py
├── config.yaml        # Deployment configuration
└── requirements.txt   # Python dependencies

Define Your Agent

Edit agent.py:

from bedrock_agentcore import Agent, Tool

# Define a simple research assistant
agent = Agent(
    name="ResearchAssistant",
    description="Helps users research topics and summarize information",
    model="anthropic.claude-3-sonnet-20240229-v1:0",
    
    system_prompt="""You are a helpful research assistant. Your role is to:
    1. Help users understand complex topics
    2. Provide accurate, well-sourced information
    3. Break down complicated concepts into simple explanations
    
    Always be clear about what you know vs. what you're uncertain about.
    If you don't know something, say so directly.""",
    
    temperature=0.7,
    max_tokens=2000,
)

# Optional: Add a custom tool
@agent.tool
def calculate(expression: str) -> str:
    """
    Evaluate a mathematical expression.
    
    Args:
        expression: A mathematical expression like "2 + 2" or "sqrt(16)"
    
    Returns:
        The result of the calculation
    """
    import math
    # Safe eval for math expressions
    allowed_names = {k: v for k, v in math.__dict__.items() if not k.startswith("_")}
    allowed_names.update({"abs": abs, "round": round})
    
    try:
        result = eval(expression, {"__builtins__": {}}, allowed_names)
        return str(result)
    except Exception as e:
        return f"Error: {str(e)}"

Configure Deployment

Edit config.yaml:

agent:
  name: ResearchAssistant
  runtime: lambda
  region: us-east-1
  
memory:
  enabled: true
  type: session
  ttl_hours: 24
  storage: dynamodb
  table_name: agentcore-memory
  
auth:
  enabled: false  # We'll enable this in Step 8
  
observability:
  enabled: true
  log_level: INFO
  
resources:
  memory_mb: 512
  timeout_seconds: 30

Step 5: Configure Memory

AgentCore's memory layer lets your agent remember conversation history.

Create DynamoDB Table

aws dynamodb create-table \
    --table-name agentcore-memory \
    --attribute-definitions \
        AttributeName=session_id,AttributeType=S \
        AttributeName=timestamp,AttributeType=N \
    --key-schema \
        AttributeName=session_id,KeyType=HASH \
        AttributeName=timestamp,KeyType=RANGE \
    --billing-mode PAY_PER_REQUEST \
    --region us-east-1

Memory Configuration Options

# config.yaml - memory section options

memory:
  enabled: true
  type: session          # Options: session, user, global
  ttl_hours: 24          # Auto-delete after 24 hours
  storage: dynamodb
  table_name: agentcore-memory
  
  # Advanced options
  max_messages: 50       # Keep last 50 messages
  context_window: 8000   # Max tokens for context
  isolation: user        # Isolate memory by user ID
  encryption: true       # Encrypt at rest

How Memory Works

User: "What's the capital of France?"
Agent: "The capital of France is Paris."

User: "What's its population?"  # Agent remembers "France" context
Agent: "Paris has a population of approximately 2.1 million..."

# Memory stored in DynamoDB:
{
    "session_id": "user-123-session-456",
    "timestamp": 1705123456789,
    "messages": [
        {"role": "user", "content": "What's the capital of France?"},
        {"role": "assistant", "content": "The capital of France is Paris."},
        {"role": "user", "content": "What's its population?"},
        {"role": "assistant", "content": "Paris has a population of..."}
    ]
}

Step 6: Deploy to Lambda

Build and Deploy

# Validate configuration
agentcore validate

# Deploy to AWS
agentcore deploy

Expected output:

✓ Validating agent configuration...
✓ Building deployment package...
✓ Creating Lambda function...
✓ Configuring API Gateway...
✓ Setting up DynamoDB access...

Deployment successful!

Endpoint: https://abc123xyz.execute-api.us-east-1.amazonaws.com/prod/agent
API Key: agentcore_xxxxxxxxxxxx

Test with:
  curl -X POST https://abc123xyz.execute-api.us-east-1.amazonaws.com/prod/agent \
    -H "x-api-key: agentcore_xxxxxxxxxxxx" \
    -H "Content-Type: application/json" \
    -d '{"message": "Hello!", "session_id": "test-123"}'

What Got Created

Step 7: Test Your Deployment

Quick Test with cURL

# Set your endpoint and API key
ENDPOINT="https://abc123xyz.execute-api.us-east-1.amazonaws.com/prod/agent"
API_KEY="agentcore_xxxxxxxxxxxx"

# Send a test message
curl -X POST $ENDPOINT \
  -H "x-api-key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "What is machine learning? Explain it simply.",
    "session_id": "test-session-001"
  }'

Expected response:

{
    "response": "Machine learning is a type of artificial intelligence where computers learn from examples rather than being explicitly programmed...",
    "session_id": "test-session-001",
    "tokens_used": {
        "input": 45,
        "output": 187
    },
    "latency_ms": 2340
}

Test Memory Persistence

# First message
curl -X POST $ENDPOINT \
  -H "x-api-key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "My name is Alex and I work at a startup.",
    "session_id": "memory-test-001"
  }'

# Second message - agent should remember context
curl -X POST $ENDPOINT \
  -H "x-api-key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "What do you know about me?",
    "session_id": "memory-test-001"
  }'

Expected: Agent remembers your name is Alex and you work at a startup.

Test Tool Usage

curl -X POST $ENDPOINT \
  -H "x-api-key: $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "What is the square root of 144?",
    "session_id": "tool-test-001"
  }'

Expected: Agent uses the calculate tool and returns "12".

Step 8: Add Cognito Authentication

For production, replace API keys with proper user authentication.

Create Cognito User Pool

# Create user pool
aws cognito-idp create-user-pool \
    --pool-name agentcore-users \
    --auto-verified-attributes email \
    --username-attributes email \
    --policies '{
        "PasswordPolicy": {
            "MinimumLength": 8,
            "RequireUppercase": true,
            "RequireLowercase": true,
            "RequireNumbers": true,
            "RequireSymbols": false
        }
    }' \
    --region us-east-1

Note the UserPoolId from the output.

Create App Client

aws cognito-idp create-user-pool-client \
    --user-pool-id YOUR_USER_POOL_ID \
    --client-name agentcore-app \
    --no-generate-secret \
    --explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_REFRESH_TOKEN_AUTH \
    --region us-east-1

Note the ClientId from the output.

Update Agent Configuration

Edit config.yaml:

auth:
  enabled: true
  provider: cognito
  user_pool_id: us-east-1_XXXXXXXXX
  client_id: XXXXXXXXXXXXXXXXXXXXXXXXXX
  required_claims:
    - email

Redeploy

agentcore deploy

Test with Authentication

# Get auth token (in real app, this happens via login UI)
TOKEN=$(aws cognito-idp initiate-auth \
    --client-id YOUR_CLIENT_ID \
    --auth-flow USER_PASSWORD_AUTH \
    --auth-parameters USERNAME=user@example.com,PASSWORD=YourPassword123 \
    --query 'AuthenticationResult.IdToken' \
    --output text)

# Use token instead of API key
curl -X POST $ENDPOINT \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "message": "Hello with auth!",
    "session_id": "auth-test-001"
  }'

Step 9: Enable CloudWatch Observability

View Logs

# Get log group name
LOG_GROUP="/aws/lambda/ResearchAssistant"

# View recent logs
aws logs tail $LOG_GROUP --follow

Create Dashboard

# Create CloudWatch dashboard
aws cloudwatch put-dashboard \
    --dashboard-name AgentCore-ResearchAssistant \
    --dashboard-body '{
        "widgets": [
            {
                "type": "metric",
                "properties": {
                    "title": "Invocations",
                    "metrics": [
                        ["AWS/Lambda", "Invocations", "FunctionName", "ResearchAssistant"]
                    ],
                    "period": 300
                }
            },
            {
                "type": "metric",
                "properties": {
                    "title": "Latency",
                    "metrics": [
                        ["AWS/Lambda", "Duration", "FunctionName", "ResearchAssistant"]
                    ],
                    "period": 300
                }
            },
            {
                "type": "metric",
                "properties": {
                    "title": "Errors",
                    "metrics": [
                        ["AWS/Lambda", "Errors", "FunctionName", "ResearchAssistant"]
                    ],
                    "period": 300
                }
            }
        ]
    }'

Set Up Alerts

# Alert on high error rate
aws cloudwatch put-metric-alarm \
    --alarm-name "AgentCore-HighErrorRate" \
    --metric-name Errors \
    --namespace AWS/Lambda \
    --dimensions Name=FunctionName,Value=ResearchAssistant \
    --statistic Sum \
    --period 300 \
    --threshold 5 \
    --comparison-operator GreaterThanThreshold \
    --evaluation-periods 1 \
    --alarm-actions arn:aws:sns:us-east-1:YOUR_ACCOUNT:alerts

For deep-dive observability patterns, see our AgentCore Observability Guide.

Production Checklist

Before going live, verify:

Security

• Cognito authentication enabled
• API Gateway throttling configured
• IAM roles follow least-privilege
• DynamoDB encryption at rest enabled
• VPC configuration (if required)

Reliability

• Error handling in agent code
• Fallback responses configured
• CloudWatch alarms set up
• Dead letter queue for failed invocations

Performance

• Lambda memory sized appropriately (start with 512MB)
• Timeout set correctly (30s default, increase if needed)
• Cold start tested and acceptable

Monitoring

• CloudWatch dashboard created
• Log retention configured (30 days minimum)
• Cost alerts set up

Testing

• Unit tests for tools
• Integration tests for agent
• Load testing completed
• Edge cases documented

Common Errors and Fixes

Error: "Access Denied to Bedrock"

Cause: IAM role doesn't have Bedrock permissions.

Fix:

aws iam attach-role-policy \
    --role-name AgentCoreExecutionRole \
    --policy-arn arn:aws:iam::aws:policy/AmazonBedrockFullAccess

Error: "Model not found"

Cause: Model access not granted in Bedrock console.

Fix: Go to Bedrock → Model access → Request access for your model.

Error: "Task timed out"

Cause: Lambda timeout too short for complex queries.

Fix: Update config.yaml:

resources:
  timeout_seconds: 60  # Increase from default 30

Error: "Memory quota exceeded"

Cause: Response too large for Lambda memory.

Fix:

resources:
  memory_mb: 1024  # Increase from 512

Error: "DynamoDB throughput exceeded"

Cause: Too many requests hitting memory table.

Fix: DynamoDB is already set to on-demand. If still hitting limits, check for infinite loops in your agent.

Next Steps

You now have a production-ready AI agent running on AWS. Here's where to go next:

Expand Your Agent

1. Add Memory Sophistication → Learn advanced memory patterns for long-running conversations

2. Build Multi-Agent Systems → Orchestrate multiple specialized agents

3. Deep-Dive Observability → Production monitoring and debugging patterns

Compare Alternatives

1. AgentCore vs Google ADK → Understand when to use each platform

Connect to Knowledge

1. Add RAG Capabilities → Ground your agent with enterprise knowledge bases

---

Need help scaling your agent deployment?

At Cognilium, we've deployed 50+ production AI agent systems. From single agents to complex multi-agent orchestrations, we handle the infrastructure so you can focus on your use case. Let's talk →