New serverless pattern - s3-lambda-bedrock-annotations-cdk#3154
Open
NithinChandranR-AWS wants to merge 7 commits into
Open
Conversation
…count-level enforcement pattern Creates a Bedrock Guardrail with content and topic filters, versions it, and enables account-level enforcement via AwsCustomResource. Test Lambda demonstrates automatic guardrail enforcement on all Bedrock calls without specifying guardrailIdentifier. Key features: - Account-level guardrail enforcement via PutEnforcedGuardrailConfiguration - AwsCustomResource for SDK commands not in Lambda runtime - Content filters (HATE, INSULTS, SEXUAL, VIOLENCE, MISCONDUCT, PROMPT_ATTACK) - Denied topic filter (investment advice) - Test Lambda showing safe vs blocked responses - Automatic cleanup on stack deletion
Replace wildcard resource with specific inference profile ARN and foundation-model/* for least-privilege IAM.
…ead code, copyright 2026
… to enforcement-cdk Address bfreiberg review on PR aws-samples#3067: - Replace both AwsCustomResource workarounds with native resources: CfnGuardrailVersion + AWS::Bedrock::EnforcedGuardrailConfiguration. This removes the broad bedrock:* IAM on the custom resource. - Rename folder/stack from bedrock-guardrails-cross-account-cdk to bedrock-guardrails-enforcement-cdk (name was misleading; pattern is account-level enforcement, not cross-account). - Add scoped bedrock:ApplyGuardrail to the test Lambda - required when an enforced guardrail is active even without passing guardrailIdentifier (found via live deploy+test, was failing with AccessDenied). - Fix test harness: enforced-guardrail interventions return stopReason 'guardrail_intervened' in-band, not a thrown exception. - Bump Lambda runtime to nodejs24.x; example-pattern.json title/description/level. Deployed, tested, and torn down via CodeBuild in us-east-1: safe prompt end_turn (allowed), violating prompt guardrail_intervened (blocked), no guardrailIdentifier passed. tsc clean. sim: aws-samples#3067
Deploy an automated document enrichment pipeline that generates AI metadata (summary, keywords, content type) via Amazon Bedrock and stores it as queryable S3 annotations using the new PutObjectAnnotation API launched at AWS Summit NYC 2026. Architecture: S3 Object Created -> EventBridge -> Lambda -> Bedrock (Claude Sonnet 4) -> PutObjectAnnotation Tested with .txt, .csv, and .json files on account 742460038667.
- Amazon S3 (not S3), Amazon Bedrock (not Bedrock), AWS Lambda (not Lambda) - Fix expected output model ID to match actual inference profile - Apply to README, example-pattern.json, CDK stack comments, handler docstring
- Add try/except error handling on SDK calls in Lambda handler - Wrap deploy/cleanup commands in <code> tags in example-pattern.json - Add cdk.context.json to .gitignore - Remove broken architecture.png reference (file does not exist)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Automated AI document enrichment pipeline using Amazon S3 Annotations (launched June 17, 2026 at AWS Summit NYC) and Amazon Bedrock.
When a file is uploaded to S3, a Lambda function reads the content, invokes Bedrock Claude Sonnet 4 to generate a structured summary, keywords, and content classification, then stores the result as a queryable S3 annotation via
PutObjectAnnotation.Architecture
S3 (Object Created) → Amazon EventBridge → AWS Lambda (Python 3.12 + boto3 layer) → Amazon Bedrock → S3 Annotation
Testing
Deployed and end-to-end tested with .txt, .csv, and .json files. Annotations retrieved successfully via
GetObjectAnnotationandListObjectAnnotations.Key Implementation Details
us.anthropic.claude-sonnet-4-20250514-v1:0(on-demand model invocation requires inference profiles)Checklist