DEV Community: Mohammed Anes The latest articles on DEV Community by Mohammed Anes (@mohammed_anes_6652d05cab7). https://dev.to/mohammed_anes_6652d05cab7 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2046807%2Ff40532ec-2327-476d-b1fe-34e9922e60f1.jpg DEV Community: Mohammed Anes https://dev.to/mohammed_anes_6652d05cab7 en AWS DevOps Agent + CDK Python: Building a Real Agentic SRE From Scratch (No Splunk, No 3 Accounts) Mohammed Anes Sun, 24 May 2026 07:29:05 +0000 https://dev.to/mohammed_anes_6652d05cab7/aws-devops-agent-cdk-python-building-a-real-agentic-sre-from-scratch-no-splunk-no-3-accounts-5efb https://dev.to/mohammed_anes_6652d05cab7/aws-devops-agent-cdk-python-building-a-real-agentic-sre-from-scratch-no-splunk-no-3-accounts-5efb <blockquote> <p>"At 2 AM, a CloudWatch alarm fired on my Lambda function. I did not get paged. The agent woke up instead, investigated the function, correlated logs and metrics, posted the root cause to Slack, and went back to sleep. I only found out the next morning when I checked Slack."</p> </blockquote> <p>That is the system I built this week. This post walks through every step — architecture, CDK code, webhook signing, Skill upload, and the honest parts that went wrong.</p> <div class="ltag-github-readme-tag"> <div class="readme-overview"> <h2> <img src="https://assets.dev.to/assets/github-logo-5a155e1f9a670af7944dd5e12375bc76ed542ea80224905ecaf878b9157cdefc.svg" alt="GitHub logo"> <a href="https://github.com/MohammedAnes" rel="noopener noreferrer"> MohammedAnes </a> / <a href="https://github.com/MohammedAnes/agentic-sre" rel="noopener noreferrer"> agentic-sre </a> </h2> <h3> Autonomous incident response with AWS DevOps Agent + CDK Python </h3> </div> <div class="ltag-github-body"> <div id="readme" class="md"> <div class="markdown-heading"> <h1 class="heading-element">Agentic SRE with AWS DevOps Agent</h1> </div> <p>An end-to-end autonomous incident response system built on AWS DevOps Agent When a CloudWatch alarm fires, the agent automatically investigates root cause correlates telemetry, generates a mitigation plan, and posts findings to Slack — without waking up an engineer.</p> <blockquote> <p>Built as a companion to: <strong>"I Built an Agentic SRE on AWS DevOps Agent — Here's What the Official Guide Left Out"</strong></p> </blockquote> <div class="markdown-heading"> <h2 class="heading-element">Architecture</h2> </div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto"><pre class="notranslate"><code>CloudWatch Alarm (error rate / duration / throttling) │ ▼ SNS Topic │ ▼ Webhook Handler Lambda (HMAC-signed payload) │ ▼ AWS DevOps Agent Space (CloudWatch + GitHub + Slack) │ ├── Investigates using Lambda Runbook Skill ├── Correlates metrics + logs + deployments ├── Generates mitigation plan └── Posts root cause to Slack │ ▼ Agent-Ready Spec → Kiro (code fix) </code></pre></div> <p><strong>Single-account setup.</strong> Unlike the AWS reference architecture (3 accounts + Splunk) this repo is designed to run in one AWS…</p> </div> </div> <div class="gh-btn-container"><a class="gh-btn" href="https://github.com/MohammedAnes/agentic-sre" rel="noopener noreferrer">View on GitHub</a></div> </div> <h2> Why I Built This </h2> <p>Every engineer who has been on-call knows the pattern. Alarm fires. You open the laptop half-asleep. CloudWatch. Logs. Recent deployments. Metrics. Cross-reference timestamps. Forty-five minutes later: someone deployed bad code two hours ago. The fix is a one-line rollback.</p> <p>That entire investigation loop is repeatable, mechanical, and does not require a human. AWS DevOps Agent can do it autonomously. The moment an alarm fires, the agent starts investigating — correlating telemetry, reading your runbooks, checking deployment history, and posting findings to Slack. You get involved only when there is a real decision to make.</p> <p>I wanted to build a working, single-account version of this without requiring Splunk or an enterprise AWS setup. Here is what I built and what I learned.</p> <h2> Before You Start: What Already Exists (And Why This Is Different) </h2> <p>I did my research before writing a single line of code.</p> <p>The AWS official blog covers an end-to-end agentic SRE using DevOps Agent. It is thorough. It also requires a 3-account setup with Splunk, which most developers do not have. There is also an official <code>aws-samples/sample-aws-devops-agent-cdk</code> repo — but it is TypeScript CDK only, with no webhook pipeline, no custom Skill, and no demo trigger scripts.</p> <p>Here is the exact gap this post fills:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Topic</th> <th>AWS Official Blog</th> <th>aws-samples CDK repo</th> <th>This Build</th> </tr> </thead> <tbody> <tr> <td>Language</td> <td>Node.js snippets</td> <td>TypeScript CDK</td> <td><strong>Python CDK</strong></td> </tr> <tr> <td>Accounts needed</td> <td>3 accounts</td> <td>1-2 accounts</td> <td><strong>1 account</strong></td> </tr> <tr> <td>Splunk required</td> <td>Yes</td> <td>No</td> <td><strong>No</strong></td> </tr> <tr> <td>Full webhook handler</td> <td>Partial snippet</td> <td>Not included</td> <td><strong>Complete Python Lambda</strong></td> </tr> <tr> <td>Custom Skill / Skill zip format</td> <td>Mentioned</td> <td>Not included</td> <td><strong>Full runbook + frontmatter gotcha</strong></td> </tr> <tr> <td>Demo trigger script</td> <td>Not included</td> <td>Basic invoke</td> <td><strong>One-liner with 4 modes</strong></td> </tr> <tr> <td>Real investigation screenshots</td> <td>No</td> <td>No</td> <td><strong>Yes — including agent gaps</strong></td> </tr> </tbody> </table></div> <p>If you are a Python CDK developer and you searched for a complete walkthrough — this is it.</p> <h2> Architecture Overview </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────┐ │ AWS Account (Single) │ │ │ │ ┌──────────────┐ metrics + logs │ │ │ Demo Lambda │──────────────────────────────┐ │ │ │ (broken app) │ ▼ │ │ └──────────────┘ ┌──────────────────┐ │ │ CloudWatch │ │ │ Alarms (3) │ │ └────────┬─────────┘ │ │ state change │ ▼ │ ┌──────────────────┐ │ │ SNS Topic │ │ └────────┬─────────┘ │ │ triggers │ ▼ │ ┌──────────────────┐ │ │ Webhook Handler │ │ │ Lambda │ │ │ (HMAC signed) │ │ │ Secret from │ │ │ Secrets Manager │ │ └────────┬─────────┘ │ │ HTTP POST │ ▼ │ ┌─────────────────────────────┐ │ │ AWS DevOps Agent Space │ │ │ (agentic-sre-space) │ │ │ │ │ │ Reads CloudWatch │ │ │ Reads GitHub deploys │ │ │ Follows SKILL.md │ │ │ │ │ │ → Root cause analysis │ │ │ → Mitigation plan │ │ │ → Slack notification │ │ │ → Agent-ready spec → Kiro │ │ └─────────────────────────────┘ └─────────────────────────────────────────────────────────┘ </code></pre> </div> <p>Three CDK stacks deploy in sequence. Stack outputs are passed as cross-stack references — no manual copy-pasting of ARNs.</p> <h2> Prerequisites </h2> <p>Before deploying:</p> <ul> <li>AWS CLI configured (<code>aws configure</code>)</li> <li>Python 3.12+</li> <li>Node.js 18+ (required for CDK CLI)</li> <li>AWS CDK v2 installed: <code>npm install -g aws-cdk</code> </li> <li>AWS DevOps Agent available in your region — currently supported in <strong>us-east-1, us-west-2, ap-southeast-2, ap-northeast-1, eu-central-1, eu-west-1</strong> only</li> <li>A GitHub account (for deployment correlation)</li> <li>A Slack workspace where you can add apps</li> </ul> <h2> Part 1 — Project Structure </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>agentic-sre/ ├── app.py # CDK entry point — wires all 3 stacks ├── cdk.json ├── requirements.txt ├── infra/ │ └── stacks/ │ ├── demo_app_stack.py # Stack 1: the Lambda being monitored │ ├── alarm_stack.py # Stack 2: CloudWatch alarms + SNS topic │ └── webhook_stack.py # Stack 3: webhook handler + Secrets Manager ├── demo_app/ │ └── index.py # Lambda with 4 controllable failure modes ├── webhook_handler/ │ └── index.py # SNS → DevOps Agent forwarder (HMAC signed) ├── skills/ │ └── lambda-investigation-runbook.md └── scripts/ └── trigger.py # Demo: force alarms or burst invocations </code></pre> </div> <p>The CDK entry point wires all three stacks with cross-stack references:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># app.py </span><span class="n">app</span> <span class="o">=</span> <span class="n">cdk</span><span class="p">.</span><span class="nc">App</span><span class="p">()</span> <span class="n">demo</span> <span class="o">=</span> <span class="nc">DemoAppStack</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="sh">"</span><span class="s">AgenticSreDemoApp</span><span class="sh">"</span><span class="p">,</span> <span class="n">env</span><span class="o">=</span><span class="n">env</span><span class="p">)</span> <span class="n">alarm</span> <span class="o">=</span> <span class="nc">AlarmStack</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="sh">"</span><span class="s">AgenticSreAlarms</span><span class="sh">"</span><span class="p">,</span> <span class="n">lambda_fn</span><span class="o">=</span><span class="n">demo</span><span class="p">.</span><span class="n">lambda_fn</span><span class="p">,</span> <span class="n">env</span><span class="o">=</span><span class="n">env</span><span class="p">)</span> <span class="n">webhook</span> <span class="o">=</span> <span class="nc">WebhookStack</span><span class="p">(</span><span class="n">app</span><span class="p">,</span> <span class="sh">"</span><span class="s">AgenticSreWebhook</span><span class="sh">"</span><span class="p">,</span> <span class="n">alarm_topic</span><span class="o">=</span><span class="n">alarm</span><span class="p">.</span><span class="n">alarm_topic</span><span class="p">,</span> <span class="n">env</span><span class="o">=</span><span class="n">env</span><span class="p">)</span> </code></pre> </div> <p><code>AlarmStack</code> receives the Lambda function object from <code>DemoAppStack</code> so it can create metric alarms on the exact function ARN. <code>WebhookStack</code> receives the SNS topic ARN from <code>AlarmStack</code> to subscribe the webhook Lambda. No magic strings anywhere.</p> <h2> Part 2 — Stack 1: The Demo App </h2> <p>This Lambda simulates a production microservice with four controllable failure modes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># demo_app/index.py </span><span class="k">def</span> <span class="nf">handler</span><span class="p">(</span><span class="n">event</span><span class="p">,</span> <span class="n">context</span><span class="p">):</span> <span class="n">simulate</span> <span class="o">=</span> <span class="n">event</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">simulate</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">normal</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Failure Mode 1: DB connection error — triggers error rate alarm </span> <span class="k">if</span> <span class="n">simulate</span> <span class="o">==</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="sh">"</span><span class="s">Simulated DB connection timeout</span><span class="sh">"</span><span class="p">)</span> <span class="k">raise</span> <span class="nc">Exception</span><span class="p">(</span> <span class="sh">"</span><span class="s">DB connection timeout: could not reach postgres://demo-db:5432/app </span><span class="sh">"</span> <span class="sh">"</span><span class="s">after 3 retries. Connection pool exhausted.</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Failure Mode 2: Slow response — triggers duration alarm (P99 near 30s timeout) </span> <span class="k">if</span> <span class="n">simulate</span> <span class="o">==</span> <span class="sh">"</span><span class="s">slow</span><span class="sh">"</span><span class="p">:</span> <span class="n">delay</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="nf">uniform</span><span class="p">(</span><span class="mi">25</span><span class="p">,</span> <span class="mi">28</span><span class="p">)</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="n">delay</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">latency_simulated</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">})}</span> <span class="c1"># Failure Mode 3: Hard timeout </span> <span class="k">if</span> <span class="n">simulate</span> <span class="o">==</span> <span class="sh">"</span><span class="s">timeout</span><span class="sh">"</span><span class="p">:</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">29</span><span class="p">)</span> <span class="k">return</span> <span class="p">{}</span> <span class="c1"># Normal operation </span> <span class="n">latency</span> <span class="o">=</span> <span class="n">random</span><span class="p">.</span><span class="nf">uniform</span><span class="p">(</span><span class="mi">10</span><span class="p">,</span> <span class="mi">120</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="sh">"</span><span class="s">statusCode</span><span class="sh">"</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="sh">"</span><span class="s">body</span><span class="sh">"</span><span class="p">:</span> <span class="n">json</span><span class="p">.</span><span class="nf">dumps</span><span class="p">({</span><span class="sh">"</span><span class="s">status</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">ok</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">latency_ms</span><span class="sh">"</span><span class="p">:</span> <span class="nf">round</span><span class="p">(</span><span class="n">latency</span><span class="p">)})}</span> </code></pre> </div> <blockquote> <p>💡 <strong>Note:</strong> <strong>Why detailed error messages matter:</strong> The error message includes a fake DB connection string. When the agent reads CloudWatch logs, it sees this and correctly identifies a database connectivity issue — even though no real database exists. Your log quality directly affects investigation quality.</p> </blockquote> <h2> Part 3 — Stack 2: CloudWatch Alarms </h2> <p>Three alarms covering the most common Lambda failure categories:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># infra/stacks/alarm_stack.py </span> <span class="n">self</span><span class="p">.</span><span class="n">alarm_topic</span> <span class="o">=</span> <span class="n">sns</span><span class="p">.</span><span class="nc">Topic</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">AlarmTopic</span><span class="sh">"</span><span class="p">,</span> <span class="n">topic_name</span><span class="o">=</span><span class="sh">"</span><span class="s">agentic-sre-alarm-topic</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Alarm 1: Error rate &gt; 20% over 5 minutes # MathExpression gives you a RATE, not a raw count. # 5 errors from 5 invocations (100%) should alarm. # 5 errors from 10,000 invocations (0.05%) should NOT. </span><span class="n">error_rate_alarm</span> <span class="o">=</span> <span class="n">cw</span><span class="p">.</span><span class="nc">Alarm</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">ErrorRateAlarm</span><span class="sh">"</span><span class="p">,</span> <span class="n">alarm_name</span><span class="o">=</span><span class="sh">"</span><span class="s">agentic-sre-high-error-rate</span><span class="sh">"</span><span class="p">,</span> <span class="n">metric</span><span class="o">=</span><span class="n">cw</span><span class="p">.</span><span class="nc">MathExpression</span><span class="p">(</span> <span class="n">expression</span><span class="o">=</span><span class="sh">"</span><span class="s">errors / invocations * 100</span><span class="sh">"</span><span class="p">,</span> <span class="n">using_metrics</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">errors</span><span class="sh">"</span><span class="p">:</span> <span class="n">lambda_fn</span><span class="p">.</span><span class="nf">metric_errors</span><span class="p">(</span><span class="n">period</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="n">statistic</span><span class="o">=</span><span class="sh">"</span><span class="s">Sum</span><span class="sh">"</span><span class="p">),</span> <span class="sh">"</span><span class="s">invocations</span><span class="sh">"</span><span class="p">:</span> <span class="n">lambda_fn</span><span class="p">.</span><span class="nf">metric_invocations</span><span class="p">(</span><span class="n">period</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="n">statistic</span><span class="o">=</span><span class="sh">"</span><span class="s">Sum</span><span class="sh">"</span><span class="p">),</span> <span class="p">},</span> <span class="n">period</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="p">),</span> <span class="n">threshold</span><span class="o">=</span><span class="mi">20</span><span class="p">,</span> <span class="n">evaluation_periods</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">treat_missing_data</span><span class="o">=</span><span class="n">cw</span><span class="p">.</span><span class="n">TreatMissingData</span><span class="p">.</span><span class="n">NOT_BREACHING</span><span class="p">,</span> <span class="p">)</span> <span class="n">error_rate_alarm</span><span class="p">.</span><span class="nf">add_alarm_action</span><span class="p">(</span><span class="n">cw_actions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">alarm_topic</span><span class="p">))</span> <span class="n">error_rate_alarm</span><span class="p">.</span><span class="nf">add_ok_action</span><span class="p">(</span><span class="n">cw_actions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">alarm_topic</span><span class="p">))</span> <span class="c1"># ← don't skip this </span> <span class="c1"># Alarm 2: P99 duration &gt; 24s (80% of 30s timeout) # Alarming at 80% of timeout gives early warning before # requests actually start failing. </span><span class="n">duration_alarm</span> <span class="o">=</span> <span class="n">cw</span><span class="p">.</span><span class="nc">Alarm</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">DurationAlarm</span><span class="sh">"</span><span class="p">,</span> <span class="n">alarm_name</span><span class="o">=</span><span class="sh">"</span><span class="s">agentic-sre-high-duration</span><span class="sh">"</span><span class="p">,</span> <span class="n">metric</span><span class="o">=</span><span class="n">lambda_fn</span><span class="p">.</span><span class="nf">metric_duration</span><span class="p">(</span><span class="n">period</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="n">statistic</span><span class="o">=</span><span class="sh">"</span><span class="s">p99</span><span class="sh">"</span><span class="p">),</span> <span class="n">threshold</span><span class="o">=</span><span class="mi">24000</span><span class="p">,</span> <span class="c1"># milliseconds </span> <span class="n">evaluation_periods</span><span class="o">=</span><span class="mi">2</span><span class="p">,</span> <span class="c1"># 2 consecutive periods avoids false positives </span> <span class="n">treat_missing_data</span><span class="o">=</span><span class="n">cw</span><span class="p">.</span><span class="n">TreatMissingData</span><span class="p">.</span><span class="n">NOT_BREACHING</span><span class="p">,</span> <span class="p">)</span> <span class="n">duration_alarm</span><span class="p">.</span><span class="nf">add_alarm_action</span><span class="p">(</span><span class="n">cw_actions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">alarm_topic</span><span class="p">))</span> <span class="n">duration_alarm</span><span class="p">.</span><span class="nf">add_ok_action</span><span class="p">(</span><span class="n">cw_actions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">alarm_topic</span><span class="p">))</span> <span class="c1"># Alarm 3: Any throttling at all # Throttles = requests being dropped. Zero tolerance. </span><span class="n">throttle_alarm</span> <span class="o">=</span> <span class="n">cw</span><span class="p">.</span><span class="nc">Alarm</span><span class="p">(</span> <span class="n">self</span><span class="p">,</span> <span class="sh">"</span><span class="s">ThrottleAlarm</span><span class="sh">"</span><span class="p">,</span> <span class="n">alarm_name</span><span class="o">=</span><span class="sh">"</span><span class="s">agentic-sre-throttling</span><span class="sh">"</span><span class="p">,</span> <span class="n">metric</span><span class="o">=</span><span class="n">lambda_fn</span><span class="p">.</span><span class="nf">metric_throttles</span><span class="p">(</span><span class="n">period</span><span class="o">=</span><span class="n">Duration</span><span class="p">.</span><span class="nf">minutes</span><span class="p">(</span><span class="mi">5</span><span class="p">),</span> <span class="n">statistic</span><span class="o">=</span><span class="sh">"</span><span class="s">Sum</span><span class="sh">"</span><span class="p">),</span> <span class="n">threshold</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">evaluation_periods</span><span class="o">=</span><span class="mi">1</span><span class="p">,</span> <span class="n">treat_missing_data</span><span class="o">=</span><span class="n">cw</span><span class="p">.</span><span class="n">TreatMissingData</span><span class="p">.</span><span class="n">NOT_BREACHING</span><span class="p">,</span> <span class="p">)</span> <span class="n">throttle_alarm</span><span class="p">.</span><span class="nf">add_alarm_action</span><span class="p">(</span><span class="n">cw_actions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">alarm_topic</span><span class="p">))</span> <span class="n">throttle_alarm</span><span class="p">.</span><span class="nf">add_ok_action</span><span class="p">(</span><span class="n">cw_actions</span><span class="p">.</span><span class="nc">SnsAction</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">alarm_topic</span><span class="p">))</span> </code></pre> </div> <blockquote> <p>⚠️ <strong>Warning:</strong> <strong>Don't forget <code>add_ok_action</code>.</strong> Without it, the agent never receives the resolution signal and leaves the incident open in Slack forever.</p> </blockquote> <h2> Part 4 — Stack 3: The Webhook Handler </h2> <p>This Lambda bridges CloudWatch → DevOps Agent. Two production patterns worth highlighting:</p> <h3> Pattern 1: Secrets Manager + Module-level Caching </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1"># webhook_handler/index.py </span> <span class="c1"># Module-level cache — persists across warm invocations. # One Secrets Manager fetch per cold start, zero on warm calls. </span><span class="n">_secret_cache</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">def</span> <span class="nf">get_webhook_config</span><span class="p">():</span> <span class="k">global</span> <span class="n">_secret_cache</span> <span class="k">if</span> <span class="n">_secret_cache</span><span class="p">:</span> <span class="k">return</span> <span class="n">_secret_cache</span> <span class="n">client</span> <span class="o">=</span> <span class="n">boto3</span><span class="p">.</span><span class="nf">client</span><span class="p">(</span><span class="sh">"</span><span class="s">secretsmanager</span><span class="sh">"</span><span class="p">)</span> <span class="n">response</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">get_secret_value</span><span class="p">(</span><span class="n">SecretId</span><span class="o">=</span><span class="n">SECRET_NAME</span><span class="p">)</span> <span class="n">_secret_cache</span> <span class="o">=</span> <span class="n">json</span><span class="p">.</span><span class="nf">loads</span><span class="p">(</span><span class="n">response</span><span class="p">[</span><span class="sh">"</span><span class="s">SecretString</span><span class="sh">"</span><span class="p">])</span> <span class="k">return</span> <span class="n">_secret_cache</span> </code></pre> </div> <p>Never put the webhook URL or HMAC secret in Lambda env vars — they appear in plaintext in the console and CloudTrail.</p> <h3> Pattern 2: HMAC-SHA256 Signing </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">sign_payload</span><span class="p">(</span><span class="n">payload_str</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">secret</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">timestamp</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s"> DevOps Agent verifies this signature on every webhook call. Format: HMAC-SHA256(</span><span class="sh">'</span><span class="s">{timestamp}:{payload}</span><span class="sh">'</span><span class="s">, secret) → base64 Timestamp prevents replay attacks. </span><span class="sh">"""</span> <span class="n">message</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">timestamp</span><span class="si">}</span><span class="s">:</span><span class="si">{</span><span class="n">payload_str</span><span class="si">}</span><span class="sh">"</span> <span class="n">sig</span> <span class="o">=</span> <span class="n">hmac</span><span class="p">.</span><span class="nf">new</span><span class="p">(</span><span class="n">secret</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">),</span> <span class="n">message</span><span class="p">.</span><span class="nf">encode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">),</span> <span class="n">hashlib</span><span class="p">.</span><span class="n">sha256</span><span class="p">).</span><span class="nf">digest</span><span class="p">()</span> <span class="k">return</span> <span class="n">base64</span><span class="p">.</span><span class="nf">b64encode</span><span class="p">(</span><span class="n">sig</span><span class="p">).</span><span class="nf">decode</span><span class="p">(</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> Payload Mapping </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">build_incident_payload</span><span class="p">(</span><span class="n">alarm_detail</span><span class="p">:</span> <span class="nb">dict</span><span class="p">,</span> <span class="n">sns_message</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">:</span> <span class="n">alarm_name</span> <span class="o">=</span> <span class="n">alarm_detail</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">alarmName</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">unknown-alarm</span><span class="sh">"</span><span class="p">)</span> <span class="n">state</span> <span class="o">=</span> <span class="n">alarm_detail</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">value</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">ALARM</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="c1"># Required — DevOps Agent rejects payloads missing these </span> <span class="sh">"</span><span class="s">eventType</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">incident</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">incidentId</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">cw-</span><span class="si">{</span><span class="n">alarm_name</span><span class="si">}</span><span class="s">-</span><span class="si">{</span><span class="nf">int</span><span class="p">(</span><span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">timestamp</span><span class="p">())</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="nf">map_alarm_state_to_action</span><span class="p">(</span><span class="n">state</span><span class="p">),</span> <span class="c1"># created | resolved | updated </span> <span class="sh">"</span><span class="s">priority</span><span class="sh">"</span><span class="p">:</span> <span class="nf">map_alarm_to_priority</span><span class="p">(</span><span class="n">alarm_name</span><span class="p">),</span> <span class="c1"># HIGH / MEDIUM based on alarm name </span> <span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="sa">f</span><span class="sh">"</span><span class="s">[</span><span class="si">{</span><span class="n">state</span><span class="si">}</span><span class="s">] </span><span class="si">{</span><span class="n">alarm_name</span><span class="si">}</span><span class="sh">"</span><span class="p">,</span> <span class="c1"># Optional — improve investigation quality </span> <span class="sh">"</span><span class="s">description</span><span class="sh">"</span><span class="p">:</span> <span class="n">alarm_detail</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">state</span><span class="sh">"</span><span class="p">,</span> <span class="p">{}).</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">reason</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">),</span> <span class="sh">"</span><span class="s">timestamp</span><span class="sh">"</span><span class="p">:</span> <span class="n">datetime</span><span class="p">.</span><span class="nf">now</span><span class="p">(</span><span class="n">timezone</span><span class="p">.</span><span class="n">utc</span><span class="p">).</span><span class="nf">isoformat</span><span class="p">(),</span> <span class="sh">"</span><span class="s">service</span><span class="sh">"</span><span class="p">:</span> <span class="n">SERVICE_NAME</span><span class="p">,</span> <span class="p">}</span> </code></pre> </div> <p>The CDK stack wires SNS → Lambda in one line:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">alarm_topic</span><span class="p">.</span><span class="nf">add_subscription</span><span class="p">(</span><span class="n">subs</span><span class="p">.</span><span class="nc">LambdaSubscription</span><span class="p">(</span><span class="n">self</span><span class="p">.</span><span class="n">webhook_fn</span><span class="p">))</span> </code></pre> </div> <p>CDK automatically generates the correct Lambda resource policy for SNS to invoke it.</p> <h2> Part 5 — Setting Up the DevOps Agent Space </h2> <h3> Step 1 — Open the Console </h3> <p>Search "DevOps Agent" in the AWS Console. Switch to <strong>us-east-1 (N. Virginia)</strong>. If the service isn't visible, your region isn't supported yet.</p> <h3> Step 2 — Create the Agent Space </h3> <p>Click <strong>"Create Agent Space +"</strong> and fill in:</p> <ul> <li> <strong>Name:</strong> <code>agentic-sre-space</code> </li> <li> <strong>Description:</strong> <code>SRE agent for Lambda incident investigation</code> </li> <li>IAM role → <strong>"Create a new AWS DevOps Agent role using a policy template"</strong> (auto-creates everything)</li> <li>Operator App role → <strong>"Auto-create a new role"</strong> </li> </ul> <p>Click <strong>Create Agent Space</strong>.</p> <h3> Step 3 — Open the Operator Console </h3> <p>From the Agent Space details page → <strong>"Operator Access"</strong> → bookmark the URL. This is your investigation dashboard.</p> <h3> Step 4 — Connect GitHub </h3> <blockquote> <p>💡 <strong>Note:</strong> <strong>CLI docs skip this:</strong> GitHub requires OAuth via the console BEFORE any CLI association. You cannot skip this step.</p> </blockquote> <p><strong>Features tab → CI/CD Pipeline → GitHub → "Create a new registration" → "Install and authenticate"</strong></p> <p>On GitHub: select <strong>"Only select repositories"</strong> → choose <code>agentic-sre</code> → Install.</p> <h3> Step 5 — Connect Slack </h3> <p><strong>Features tab → Notifications → Slack → Connect workspace</strong></p> <p>Select <code>#agent-sre-incidents</code>, then in Slack: <code>/invite @AWS DevOps Agent</code></p> <h3> Step 6 — Create the Webhook (3-Step Wizard) </h3> <p><strong>Integrations → Webhooks → Create webhook</strong></p> <p>The wizard shows you the required payload schema. Our handler already matches it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"eventType"</span><span class="p">:</span><span class="w"> </span><span class="s2">"incident"</span><span class="p">,</span><span class="w"> </span><span class="nl">"incidentId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"created"</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="s2">"updated"</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="s2">"closed"</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="s2">"resolved"</span><span class="p">,</span><span class="w"> </span><span class="nl">"priority"</span><span class="p">:</span><span class="w"> </span><span class="s2">"CRITICAL"</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="s2">"HIGH"</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="s2">"MEDIUM"</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="s2">"LOW"</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="s2">"MINIMAL"</span><span class="p">,</span><span class="w"> </span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"description?"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp?"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="p">,</span><span class="w"> </span><span class="nl">"service?"</span><span class="p">:</span><span class="w"> </span><span class="s2">"string"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>On Step 3: click <strong>Generate</strong>, copy both the URL and secret <strong>immediately</strong> (secret shown only once), then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws secretsmanager create-secret <span class="se">\</span> <span class="nt">--name</span> agentic-sre/devops-agent-webhook <span class="se">\</span> <span class="nt">--secret-string</span> <span class="s1">'{"url":"YOUR_WEBHOOK_URL","secret":"YOUR_SECRET"}'</span> <span class="se">\</span> <span class="nt">--region</span> us-east-1 </code></pre> </div> <h2> Part 6 — The Custom Skill (The Most Underdocumented Feature) </h2> <p>A <strong>Skill</strong> is a Markdown file containing your SRE runbook. The agent reads it at the start of every investigation and follows your documented sequence instead of reasoning from scratch.</p> <h3> The Frontmatter Requirement Nobody Mentions </h3> <p>The console says: <em>"Upload a zip file containing your skill. The zip must include a SKILL.md file with name and description in the frontmatter."</em></p> <p>What it doesn't show you is the exact format. After my first upload failed silently, I found it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="nn">---</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lambda Incident Investigation Runbook</span> <span class="na">description</span><span class="pi">:</span> <span class="s">Use this skill when investigating AWS Lambda function errors,</span> <span class="s">timeouts, high duration, or throttling incidents. Guides the agent through</span> <span class="s">a 5-step investigation sequence covering alarm confirmation, metric analysis,</span> <span class="s">log inspection, deployment correlation, and root cause identification.</span> <span class="nn">---</span> <span class="gh"># Lambda Incident Investigation Runbook</span> <span class="gu">## Investigation Sequence</span> ... </code></pre> </div> <p>The zip structure must be exactly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>lambda-investigation-skill.zip └── SKILL.md ← root level, frontmatter required </code></pre> </div> <h3> What the Default Skill vs Your Custom Skill Looks Like </h3> <p>In the Operator Console I saw:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Read skill: /aidevops/skills/user/understanding-agent-space/SKILL.md </code></pre> </div> <blockquote> <p>💡 <strong>Note:</strong> <strong>Clarification:</strong> <code>understanding-agent-space</code> is a <strong>default skill AWS pre-loads into every Agent Space</strong>. It ran here because I triggered the alarm manually with no real incident context. When you trigger via <code>burst</code> mode with real Lambda errors, the agent selects your custom skill instead.</p> </blockquote> <p>Skill path structure:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>/aidevops/skills/user/ understanding-agent-space/ ← AWS default (pre-loaded) lambda-incident-investigation-runbook/ ← your custom skill </code></pre> </div> <h3> My 5-Step Runbook </h3> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## Investigation Sequence</span> <span class="gu">### Step 1 — Confirm the Alarm</span> <span class="p">-</span> Which alarm triggered: error rate, duration, or throttling? <span class="p">-</span> Check state history in CloudWatch for the last 30 minutes <span class="p">-</span> Note exact time alarm entered ALARM state <span class="gu">### Step 2 — Check Lambda Metrics (Last 30 Minutes)</span> Pull for function <span class="sb">`agentic-sre-demo-app`</span>: <span class="p">-</span> Errors, Invocations, Duration (p50/p95/p99), Throttles, ConcurrentExecutions <span class="gu">### Step 3 — Check Recent Logs</span> Query /aws/lambda/agentic-sre-demo-app: <span class="p">-</span> ERROR or CRITICAL level lines <span class="p">-</span> "Task timed out after" messages <span class="p">-</span> Time window: alarm trigger ± 10 minutes <span class="gu">### Step 4 — Correlate With Recent Deployments</span> Check GitHub for deployments in last 2 hours: <span class="p">-</span> Was a new version deployed before the incident? <span class="p">-</span> Does deployment timestamp correlate with metric anomaly? <span class="gu">### Step 5 — Identify Root Cause Category</span> | Symptom | Likely Root Cause | |---|---| | High error rate + exception in logs | Code bug or bad deploy | | High duration + no errors | Slow downstream (DB, external API) | | High duration + timeout logs | Lambda timeout too low | | Throttling | Concurrency limit too low | </code></pre> </div> <h2> Part 7 — Deploy Everything </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/MohammedAnes/agentic-sre.git <span class="nb">cd </span>agentic-sre python <span class="nt">-m</span> venv .venv <span class="nb">source</span> .venv/bin/activate <span class="c"># Windows: .venv\Scripts\activate</span> pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt cdk bootstrap <span class="c"># first time only</span> cdk deploy <span class="nt">--all</span> <span class="c"># deploys DemoApp → Alarms → Webhook</span> </code></pre> </div> <p>Deploy takes 3-4 minutes. Expected outputs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">AgenticSreDemoApp.LambdaFunctionName</span> <span class="p">=</span> <span class="s">agentic-sre-demo-app</span> <span class="py">AgenticSreAlarms.AlarmTopicArn</span> <span class="p">=</span> <span class="s">arn:aws:sns:us-east-1:...</span> <span class="py">AgenticSreWebhook.WebhookFunctionName</span> <span class="p">=</span> <span class="s">agentic-sre-webhook-handler</span> </code></pre> </div> <h2> Part 8 — Triggering Investigations </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Force error rate alarm immediately</span> python scripts/trigger.py error <span class="c"># Force duration alarm</span> python scripts/trigger.py slow <span class="c"># Force throttle alarm</span> python scripts/trigger.py throttle <span class="c"># Trigger NATURALLY — 15 real invocations, waits for CloudWatch</span> <span class="c"># Produces much better investigation quality</span> python scripts/trigger.py burst 15 <span class="c"># Reset everything to OK</span> python scripts/trigger.py ok </code></pre> </div> <blockquote> <p>⚠️ <strong>Warning:</strong> <strong>Critical lesson:</strong> <code>trigger.py error</code> calls <code>set-alarm-state</code> — forces the alarm but creates zero real logs or metrics. The agent reports "No information about what triggered this investigation." Use <code>burst 15</code> instead. Takes 5 minutes to trip naturally but the investigation quality is dramatically better.</p> </blockquote> <h2> Part 9 — What Actually Happened </h2> <h3> In Slack (#agent-sre-incidents) </h3> <p>The agent posted real-time investigation updates. The standout behavior: <strong>automatic alarm grouping</strong>. When two follow-up alarms fired 59 seconds and 2 minutes after the primary, the agent recognized them as related and linked them instead of opening duplicate investigations:</p> <blockquote> <p><em>"Investigation linked: [ALARM] unknown-alarm — Same alarm type, same priority (HIGH), triggered 59 seconds after the primary. This is a continuation of the same ongoing issue affecting the system."</em></p> </blockquote> <p>This deduplication is built-in — no configuration needed.</p> <h3> In the Operator Console </h3> <p>The investigation timeline showed every step:</p> <ul> <li>Read the default <code>understanding-agent-space</code> skill (pre-loaded by AWS)</li> <li>Made one datetime call to establish time context</li> <li>Topology discovery across the account</li> <li>Metric and log correlation</li> <li>Root cause + mitigation plan generated</li> </ul> <p>The <strong>Topology</strong> tab mapped resource relationships — Lambda, API Gateway, CloudFormation, GitHub, X-Ray, Bedrock Foundation Models — before investigation started.</p> <h3> The Investigation Gaps (The Honest Part) </h3> <p>The agent surfaced two gaps worth sharing:</p> <p><strong>Gap 1:</strong></p> <blockquote> <p><em>"Cannot directly query Bedrock AgentCore API to verify runtime operational status — GetAgentRuntime, ListAgentRuntimes, InvokeRuntime, GetGateway APIs are not available in the current toolset."</em></p> </blockquote> <p>AgentCore runtime APIs aren't in the DevOps Agent toolset yet. It infers from CloudWatch instead.</p> <p><strong>Gap 2:</strong></p> <blockquote> <p><em>"No information about what triggered this investigation — the investigation was created with N/A for both description and starting point."</em></p> </blockquote> <p>This was my fault — I used <code>set-alarm-state</code>. No real invocations, no logs, nothing to investigate. Use <code>burst</code> mode.</p> <blockquote> <p>✅ <strong>Tip:</strong> These gaps make the post more credible, not less. The agent being honest about its limits is a feature, not a bug.</p> </blockquote> <h2> Part 10 — Cost Breakdown </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Service</th> <th>What runs</th> <th>Pricing basis</th> <th>Monthly cost</th> </tr> </thead> <tbody> <tr> <td>Lambda — demo app</td> <td>~100 test invocations/month</td> <td>1M req free/month</td> <td><strong>$0</strong></td> </tr> <tr> <td>Lambda — webhook handler</td> <td>Fires only on alarms</td> <td>1M req free/month</td> <td><strong>$0</strong></td> </tr> <tr> <td>CloudWatch Alarms</td> <td>3 standard alarms</td> <td>$0.10/alarm/month</td> <td><strong>$0.30</strong></td> </tr> <tr> <td>CloudWatch Metrics</td> <td>AWS-vended Lambda metrics</td> <td>Always free</td> <td><strong>$0</strong></td> </tr> <tr> <td>CloudWatch Logs</td> <td>~5 MB/month</td> <td>$0.50/GB ingested</td> <td><strong>&lt; $0.01</strong></td> </tr> <tr> <td>SNS</td> <td>&lt; 1,000 notifications/month</td> <td>1M free</td> <td><strong>$0</strong></td> </tr> <tr> <td>Secrets Manager</td> <td>1 secret</td> <td>$0.40/secret/month</td> <td><strong>$0.40</strong></td> </tr> <tr> <td>CDK Bootstrap S3</td> <td>Staging bucket</td> <td>S3 standard</td> <td><strong>~$0.01</strong></td> </tr> <tr> <td><strong>Infra subtotal</strong></td> <td></td> <td></td> <td><strong>~$0.71/month</strong></td> </tr> <tr> <td>AWS DevOps Agent</td> <td>Autonomous investigations</td> <td>2-month free trial</td> <td><strong>$0 (trial)</strong></td> </tr> </tbody> </table></div> <p>After the trial: credits based on AWS Support plan offset the cost — up to 100% for Unified Operations, 75% for Enterprise On-Ramp, 30% for Business+.</p> <p><strong>You can build and blog about this for under $1/month.</strong></p> <h2> Key Learnings </h2> <p><strong>1. Skills are your biggest leverage point</strong> — investigation quality scales directly with runbook quality. Write a good SKILL.md before running anything.</p> <p><strong>2. Use rate-based alarms</strong> — <code>MathExpression</code> for error rate is significantly more signal than raw error count.</p> <p><strong>3. Secrets Manager + module-level caching</strong> — one line over env vars, significant security improvement.</p> <p><strong>4. Always <code>add_ok_action</code></strong> — without it the agent never resolves incidents in Slack.</p> <p><strong>5. <code>set-alarm-state</code> = empty investigation</strong> — use <code>burst</code> mode for realistic demos.</p> <p><strong>6. Alarm grouping is built-in</strong> — duplicate investigations from repeated alarms are handled automatically.</p> <p><strong>7. The official CDK sample is TypeScript only</strong> — if you're a Python CDK developer, that's the gap this repo fills.</p> <h2> What I Am Building Next </h2> <p>A <strong>human approval gate</strong> before any remediation executes — Step Functions pauses the agent, sends a Slack approve/reject message, and only continues after human confirmation. That's the MCP Governance pattern applied to DevOps Agent.</p> <p>Also exploring <strong>AgentCore Payments</strong> — the agent autonomously paying for premium monitoring data during investigations. Follow-up post coming.</p> <h2> Resources </h2> <ul> <li><a href="https://aws.amazon.com/devops-agent/" rel="noopener noreferrer">AWS DevOps Agent — product page</a></li> <li><a href="https://aws.amazon.com/blogs/devops/building-an-end-to-end-agentic-sre-using-aws-devops-agent/" rel="noopener noreferrer">Official Agentic SRE blog post (3-account + Splunk)</a></li> <li><a href="https://docs.aws.amazon.com/devopsagent/latest/userguide/getting-started-with-aws-devops-agent-getting-started-with-aws-devops-agent-using-aws-cdk.html" rel="noopener noreferrer">AWS DevOps Agent CDK getting started guide</a></li> <li><a href="https://docs.aws.amazon.com/devopsagent/latest/userguide/about-aws-devops-agent-devops-agent-skills.html" rel="noopener noreferrer">DevOps Agent Skills documentation</a></li> <li> <a href="https://github.com/aws-samples/sample-aws-devops-agent-cdk" rel="noopener noreferrer">aws-samples/sample-aws-devops-agent-cdk</a> <em>(TypeScript — the repo this post complements)</em> </li> </ul> <p><em>I am Mohammed Anes, an AWS Community Builder in the AI/ML category. Building on AWS DevOps Agent, AgentCore, or Bedrock? Let's connect.</em></p> aws python serverless devops Amazon Nova Act Deep Dive — Perceive, Act, Deploy: How AWS Built a 90%+ Reliable Browser Agent Mohammed Anes Sun, 22 Mar 2026 06:59:28 +0000 https://dev.to/mohammed_anes_6652d05cab7/amazon-nova-act-deep-dive-perceive-act-deploy-how-aws-built-a-90-reliable-browser-agent-4ao6 https://dev.to/mohammed_anes_6652d05cab7/amazon-nova-act-deep-dive-perceive-act-deploy-how-aws-built-a-90-reliable-browser-agent-4ao6 <p>Raise your hand if this has happened to you:</p> <p>You write a Selenium script. It works on Friday. On Monday, the site changed a button class, and it's broken.</p> <p>You switch to Playwright. Better. But the moment a cookie banner pops up at the wrong time, your agent halts, completely lost.</p> <p>This is the core problem with browser automation: <strong>it's rule-based</strong>. You're telling it exactly what to click — not what you want to accomplish.</p> <p>AI agents were supposed to fix this. But the first generation of LLM-powered browser bots had a different problem: give a general LLM one big instruction like <em>"book me the cheapest flight to Delhi"</em>, and it would hallucinate steps, lose context midway, or confidently click the wrong thing with zero awareness of failure.</p> <p>Benchmarks showed state-of-the-art models hitting only <strong>30–60% accuracy</strong> on real browser tasks.</p> <p><strong>Amazon Nova Act was built specifically to close this gap — and it reports over 90% reliability at scale.</strong></p> <p>Here's the full architecture breakdown.</p> <h2> What Is Amazon Nova Act? </h2> <p>Nova Act is an AWS service for building and managing fleets of reliable AI agents that automate browser-based UI workflows. Introduced by Amazon AGI Labs in early 2025 as a research preview, it moved to general availability with full AWS integrations: IAM, S3, CloudWatch, and Bedrock AgentCore.</p> <p>The one-line summary: <strong>Nova Act is what you get when you train a model specifically and exclusively for browser automation</strong> — not bolt an LLM onto existing tools.</p> <p>What makes it different:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Feature</th> <th>Traditional Automation</th> <th>Nova Act</th> </tr> </thead> <tbody> <tr> <td>Element targeting</td> <td>CSS selectors / XPath</td> <td>Natural language + vision</td> </tr> <tr> <td>Breaks on UI change?</td> <td>Yes, constantly</td> <td>Rarely — it sees the page</td> </tr> <tr> <td>Reliability</td> <td>30–60% (complex tasks)</td> <td>90%+</td> </tr> <tr> <td>Infrastructure</td> <td>You manage it</td> <td>AgentCore handles it</td> </tr> <tr> <td>Human escalation</td> <td>Manual alert setup</td> <td>Built-in, first-class</td> </tr> </tbody> </table></div> <p>The key insight behind the reliability number: <strong>vertical integration</strong>. Most agentic frameworks take a general model and attach browser tools. Nova Act co-trained the model, orchestrator, and browser actuator together end-to-end. That's what moves the needle from 50% to 90%.</p> <h2> The Core Loop: Perceive → Reason → Act </h2> <p>Every Nova Act workflow runs on one repeating cycle:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>📸 Screenshot → 🧠 Nova 2 Lite Model → ⚡ Action → 📸 Screenshot again </code></pre> </div> <p><strong>Step 1 — Perceive:</strong> A screenshot of the current browser state is taken and passed to the model along with your natural language instruction. No DOM parsing. No HTML inspection. It <em>sees</em> the page visually, the same way a human does.</p> <p><strong>Step 2 — Reason:</strong> Amazon Nova 2 Lite (the custom foundation model powering Nova Act) produces a low-level action plan: <code>click at (x, y)</code>, <code>type "Chennai"</code>, <code>scroll down 400px</code>, <code>press Enter</code>. Trained with reinforcement learning on in-domain browser data — it predicts the next correct <em>browser action</em>, not just the next token.</p> <p><strong>Step 3 — Act:</strong> The action is executed via <strong>Playwright</strong> under the hood. Nova Act sits on top of Playwright, translating natural language to precise Playwright commands automatically.</p> <p>Then a new screenshot is taken and the loop repeats — until the task is done, or until the agent decides it needs a human.</p> <h2> The Most Important Pattern: Atomic <code>act()</code> Calls </h2> <p>This is the single design decision that separates Nova Act from everything else. And it's deceptively simple:</p> <blockquote> <p><strong>Don't give one big instruction. Give many small, precise ones.</strong></p> </blockquote> <p>❌ <strong>This approach has ~50% success:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">book me the cheapest flight from Chennai to Delhi next Friday</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>✅ <strong>This approach gets 90%+:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">go to makemytrip.com</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">click on </span><span class="sh">'</span><span class="s">Flights</span><span class="sh">'"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">set origin to Chennai</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">set destination to Delhi</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">set date to next Friday</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">click Search</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">sort results by price</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">click the cheapest result</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Each <code>act()</code> call:</p> <ul> <li>Takes a <strong>fresh screenshot</strong> of the current state</li> <li>Executes exactly <strong>one clearly scoped action</strong> </li> <li>Returns a <strong>result object</strong> you can inspect, assert, and branch on in Python</li> </ul> <p>Because you're writing Python <em>around</em> these calls, you get conditionals, loops, retries, and error handling for free. It's not a black box — it's a library.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">nova_act</span> <span class="kn">import</span> <span class="n">NovaAct</span> <span class="k">with</span> <span class="nc">NovaAct</span><span class="p">(</span><span class="n">starting_page</span><span class="o">=</span><span class="sh">"</span><span class="s">https://www.amazon.com</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">nova</span><span class="p">:</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">search for a noise cancelling headphone under 5000 rupees</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">select the first result</span><span class="sh">"</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span> <span class="sh">"</span><span class="s">what is the price shown on this page?</span><span class="sh">"</span><span class="p">,</span> <span class="n">schema</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">price</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">}}}</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">parsed_response</span><span class="p">)</span> <span class="c1"># {"price": "₹3,499"} </span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">parsed_response</span><span class="p">[</span><span class="sh">"</span><span class="s">price</span><span class="sh">"</span><span class="p">]:</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">click Add to Cart</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Notice the <code>schema</code> parameter — that's how you extract structured data from any page. No CSS selectors. No XPath. Just natural language + a JSON schema, and Nova Act fills it in from what it sees on screen.</p> <h2> Structured Outputs: Turn Any Website Into an API </h2> <p>This feature deserves its own callout because it's genuinely powerful.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">result</span> <span class="o">=</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span> <span class="sh">"</span><span class="s">what are the top 3 products on this page?</span><span class="sh">"</span><span class="p">,</span> <span class="n">schema</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">products</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">array</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">items</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">price</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">rating</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="n">products</span> <span class="o">=</span> <span class="n">result</span><span class="p">.</span><span class="n">parsed_response</span><span class="p">[</span><span class="sh">"</span><span class="s">products</span><span class="sh">"</span><span class="p">]</span> <span class="c1"># [{"name": "...", "price": "...", "rating": "..."}, ...] </span></code></pre> </div> <p>Any website — even one with zero public API — becomes a structured data source. Combine with <code>ThreadPoolExecutor</code> and you're running 10 concurrent extractions at once.</p> <h2> Running Workflows in Parallel </h2> <p>Nova Act is designed for fleet-scale. Here's the concurrency pattern:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">concurrent.futures</span> <span class="kn">import</span> <span class="n">ThreadPoolExecutor</span><span class="p">,</span> <span class="n">as_completed</span> <span class="kn">from</span> <span class="n">nova_act</span> <span class="kn">import</span> <span class="n">NovaAct</span><span class="p">,</span> <span class="n">ActError</span> <span class="k">def</span> <span class="nf">process_vendor</span><span class="p">(</span><span class="n">vendor_url</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">with</span> <span class="nc">NovaAct</span><span class="p">(</span><span class="n">starting_page</span><span class="o">=</span><span class="n">vendor_url</span><span class="p">)</span> <span class="k">as</span> <span class="n">nova</span><span class="p">:</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">log in using saved credentials</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">navigate to pending invoices</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span> <span class="sh">"</span><span class="s">extract all invoices</span><span class="sh">"</span><span class="p">,</span> <span class="n">schema</span><span class="o">=</span><span class="n">invoice_schema</span> <span class="p">).</span><span class="n">parsed_response</span> <span class="n">vendor_urls</span> <span class="o">=</span> <span class="p">[</span> <span class="sh">"</span><span class="s">https://vendor1.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://vendor2.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://vendor3.com</span><span class="sh">"</span><span class="p">,</span> <span class="p">]</span> <span class="k">with</span> <span class="nc">ThreadPoolExecutor</span><span class="p">(</span><span class="n">max_workers</span><span class="o">=</span><span class="mi">10</span><span class="p">)</span> <span class="k">as</span> <span class="n">executor</span><span class="p">:</span> <span class="n">futures</span> <span class="o">=</span> <span class="p">{</span><span class="n">executor</span><span class="p">.</span><span class="nf">submit</span><span class="p">(</span><span class="n">process_vendor</span><span class="p">,</span> <span class="n">url</span><span class="p">):</span> <span class="n">url</span> <span class="k">for</span> <span class="n">url</span> <span class="ow">in</span> <span class="n">vendor_urls</span><span class="p">}</span> <span class="k">for</span> <span class="n">future</span> <span class="ow">in</span> <span class="nf">as_completed</span><span class="p">(</span><span class="n">futures</span><span class="p">):</span> <span class="k">try</span><span class="p">:</span> <span class="n">data</span> <span class="o">=</span> <span class="n">future</span><span class="p">.</span><span class="nf">result</span><span class="p">()</span> <span class="nf">save_to_s3</span><span class="p">(</span><span class="n">data</span><span class="p">)</span> <span class="k">except</span> <span class="n">ActError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Failed: </span><span class="si">{</span><span class="n">futures</span><span class="p">[</span><span class="n">future</span><span class="p">]</span><span class="si">}</span><span class="s"> → </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Ten browser sessions, running in parallel, each isolated, each logged — all managed through AWS.</p> <h2> The Full AWS Stack </h2> <p>Nova Act doesn't run in a silo. Here's how it slots into AWS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌─────────────────────────────────────────────────┐ │ Developer Tools │ │ Web Playground · IDE Extension · Python SDK │ └────────────────────┬────────────────────────────┘ │ ┌────────────────────▼────────────────────────────┐ │ Nova Act Engine │ │ Amazon Nova 2 Lite · Orchestrator · Playwright │ └────────────────────┬────────────────────────────┘ │ ┌────────────────────▼────────────────────────────┐ │ Amazon Bedrock AgentCore │ │ Runtime · Browser Tool · Session Isolation │ └────────────────────┬────────────────────────────┘ │ ┌────────────────────▼────────────────────────────┐ │ AWS Infrastructure │ │ ECR · IAM · S3 · CloudWatch · CloudTrail │ └─────────────────────────────────────────────────┘ </code></pre> </div> <h3> AgentCore Browser Tool </h3> <p>Provides a fully managed, cloud-based browser runtime:</p> <ul> <li> <strong>Session isolation</strong> — every workflow gets its own containerized browser</li> <li> <strong>Parallel execution</strong> at scale — no infrastructure to manage</li> <li> <strong>Live viewing + session replay</strong> — debug in real time</li> <li> <strong>CloudTrail logging</strong> — full audit trail for every browser action</li> <li> <strong>Ephemeral containers</strong> — browser environment destroyed after each session (security by default)</li> </ul> <h3> Connecting to AgentCore Browser from code: </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">bedrock_agentcore.tools.browser_client</span> <span class="kn">import</span> <span class="n">browser_session</span> <span class="kn">from</span> <span class="n">nova_act</span> <span class="kn">import</span> <span class="n">NovaAct</span> <span class="kn">import</span> <span class="n">boto3</span> <span class="k">def</span> <span class="nf">run_cloud_agent</span><span class="p">(</span><span class="n">prompt</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">starting_page</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">nova_act_key</span><span class="p">:</span> <span class="nb">str</span><span class="p">):</span> <span class="k">with</span> <span class="nf">browser_session</span><span class="p">(</span><span class="n">region</span><span class="o">=</span><span class="sh">"</span><span class="s">us-east-1</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">client</span><span class="p">:</span> <span class="n">ws_url</span><span class="p">,</span> <span class="n">headers</span> <span class="o">=</span> <span class="n">client</span><span class="p">.</span><span class="nf">generate_ws_headers</span><span class="p">()</span> <span class="k">with</span> <span class="nc">NovaAct</span><span class="p">(</span> <span class="n">cdp_endpoint_url</span><span class="o">=</span><span class="n">ws_url</span><span class="p">,</span> <span class="n">cdp_headers</span><span class="o">=</span><span class="n">headers</span><span class="p">,</span> <span class="n">nova_act_api_key</span><span class="o">=</span><span class="n">nova_act_key</span><span class="p">,</span> <span class="n">starting_page</span><span class="o">=</span><span class="n">starting_page</span><span class="p">,</span> <span class="p">)</span> <span class="k">as</span> <span class="n">nova</span><span class="p">:</span> <span class="k">return</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="n">prompt</span><span class="p">)</span> </code></pre> </div> <p>Your agent now runs in a sandboxed cloud browser — not on your laptop.</p> <h3> Deployment in one command </h3> <p>The VS Code extension handles the entire deployment pipeline automatically:</p> <ol> <li>Packages your workflow → Docker container</li> <li>Pushes image → Amazon ECR</li> <li>Creates → IAM roles + S3 buckets</li> <li>Deploys → AgentCore Runtime</li> </ol> <p>Zero manual infrastructure. One click in the IDE.</p> <h2> Cost Effectiveness: The Real Story </h2> <p>Traditional browser automation has <strong>hidden costs</strong> that never show up in your AWS bill:</p> <ul> <li>Developer time maintaining brittle selectors (breaks every sprint)</li> <li>Failed workflows causing downstream data errors</li> <li>Re-running failed jobs, debugging silent failures</li> </ul> <p>Nova Act's natural language instructions are resilient to UI changes. "Click the submit button" works whether it's labelled Submit, Send, or Confirm — blue or orange — left side or right side.</p> <p>On infrastructure costs, AgentCore's pricing model is genuinely aligned with how agentic workloads behave:</p> <ul> <li>✅ <strong>Consumption-based</strong> — pay per second of actual CPU/memory use</li> <li>✅ <strong>No charge during I/O wait</strong> — agentic workloads spend 30–70% of time waiting for pages to load or LLM responses. That idle time is free.</li> <li>✅ <strong>No reserved instances</strong> — no upfront commitment</li> <li>✅ <strong>Free Tier</strong> — up to $200 credit for new AWS customers</li> </ul> <p><strong>Practical example:</strong> A workflow that spends 60% of its time waiting (page loads, API calls) — you only pay for 40% of wall-clock time. At scale, that compounds significantly.</p> <h2> Real-World Use Cases </h2> <h3> 🧪 QA and Automated Testing </h3> <p>Your test cases can now read like user stories:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">with</span> <span class="nc">NovaAct</span><span class="p">(</span><span class="n">starting_page</span><span class="o">=</span><span class="sh">"</span><span class="s">https://yourapp.com</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">nova</span><span class="p">:</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">log in as a standard user</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">add one item to cart and go to checkout</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">complete checkout using test card 4111111111111111</span><span class="sh">"</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span> <span class="sh">"</span><span class="s">is an order confirmation visible?</span><span class="sh">"</span><span class="p">,</span> <span class="n">schema</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">confirmed</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">boolean</span><span class="sh">"</span><span class="p">},</span> <span class="sh">"</span><span class="s">order_id</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="k">assert</span> <span class="n">result</span><span class="p">.</span><span class="n">parsed_response</span><span class="p">[</span><span class="sh">"</span><span class="s">confirmed</span><span class="sh">"</span><span class="p">]</span> <span class="ow">is</span> <span class="bp">True</span> </code></pre> </div> <p>No selector maintenance. No brittle IDs. Tyler Technologies (public sector software) converted manual test plans to automated suites in minutes using Nova Act — without a single CSS selector.</p> <h3> 📋 ERP and Legacy System Automation </h3> <p>Many enterprise systems — legacy CRMs, ERP portals, government platforms — have no API. Nova Act handles them:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">for</span> <span class="n">record</span> <span class="ow">in</span> <span class="n">crm_records</span><span class="p">:</span> <span class="k">with</span> <span class="nc">NovaAct</span><span class="p">(</span><span class="n">starting_page</span><span class="o">=</span><span class="sh">"</span><span class="s">https://legacy-erp.company.com</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">nova</span><span class="p">:</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">click New Contact</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">enter </span><span class="sh">'</span><span class="si">{</span><span class="n">record</span><span class="p">[</span><span class="sh">'</span><span class="s">name</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">'</span><span class="s"> in the Name field</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">enter </span><span class="sh">'</span><span class="si">{</span><span class="n">record</span><span class="p">[</span><span class="sh">'</span><span class="s">email</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">'</span><span class="s"> in the Email field</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">select </span><span class="sh">'</span><span class="si">{</span><span class="n">record</span><span class="p">[</span><span class="sh">'</span><span class="s">region</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">'</span><span class="s"> from the Region dropdown</span><span class="sh">"</span><span class="p">)</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span><span class="sh">"</span><span class="s">click Save</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <h3> 🔍 Competitive Intelligence </h3> <p>Monitor competitor pricing or product listings without an API:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">with</span> <span class="nc">NovaAct</span><span class="p">(</span><span class="n">starting_page</span><span class="o">=</span><span class="sh">"</span><span class="s">https://competitor.com/pricing</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">nova</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span> <span class="sh">"</span><span class="s">extract all pricing plans and their features</span><span class="sh">"</span><span class="p">,</span> <span class="n">schema</span><span class="o">=</span><span class="n">pricing_schema</span> <span class="p">)</span> <span class="nf">save_to_s3</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">parsed_response</span><span class="p">)</span> </code></pre> </div> <h3> 🏢 Vendor Portal Processing </h3> <p>Dozens of vendor portals, no API integration, invoice processing and status checks — run them all concurrently with automatic human escalation on exceptions.</p> <h2> Human-in-the-Loop: Built for Production Reality </h2> <p>Production agentic systems <em>will</em> hit edge cases. CAPTCHAs. Unexpected modals. Two-factor prompts. Nova Act handles this without you building custom alerting:</p> <ol> <li>Workflow hits an ambiguous state</li> <li>Nova Act pauses and sends an <strong>SNS notification</strong> to a designated supervisor</li> <li>Supervisor receives a <strong>devtools URL</strong> — they can inspect and interact with the live browser state</li> <li>Supervisor takes corrective action</li> <li>Workflow <strong>resumes automatically</strong> </li> </ol> <p>This isn't bolted on — it's a core architectural feature. The design acknowledges that 90% reliability means 10% still needs a human. That 10% is handled gracefully.</p> <h2> The Developer Journey: Playground → Code → Cloud </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>nova.amazon.com/act → pip install nova-act → VS Code Extension → Deploy Explore in browser Write Python workflow Debug step-by-step One click to AWS </code></pre> </div> <p><strong>Quick start:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>nova-act <span class="nb">export </span><span class="nv">NOVA_ACT_API_KEY</span><span class="o">=</span><span class="s2">"your_api_key"</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">nova_act</span> <span class="kn">import</span> <span class="n">NovaAct</span> <span class="k">with</span> <span class="nc">NovaAct</span><span class="p">(</span><span class="n">starting_page</span><span class="o">=</span><span class="sh">"</span><span class="s">https://news.ycombinator.com</span><span class="sh">"</span><span class="p">)</span> <span class="k">as</span> <span class="n">nova</span><span class="p">:</span> <span class="n">result</span> <span class="o">=</span> <span class="n">nova</span><span class="p">.</span><span class="nf">act</span><span class="p">(</span> <span class="sh">"</span><span class="s">what are the top 5 post titles on this page?</span><span class="sh">"</span><span class="p">,</span> <span class="n">schema</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">object</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">properties</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span> <span class="sh">"</span><span class="s">posts</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">array</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">items</span><span class="sh">"</span><span class="p">:</span> <span class="p">{</span><span class="sh">"</span><span class="s">type</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">string</span><span class="sh">"</span><span class="p">}}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">parsed_response</span><span class="p">)</span> </code></pre> </div> <p>That's all it takes to extract structured data from any webpage.</p> <h2> For Builders in Restricted Regions </h2> <p>Nova Act is currently only available in <strong>US East (N. Virginia)</strong>. If you're in India, Southeast Asia, or any other region without access — here's what to do right now:</p> <p><strong>1. Learn the atomic act() pattern today.</strong> This architecture pattern is what matters. When access opens up, your mental model is already in place.</p> <p><strong>2. Approximate it with Bedrock + Playwright.</strong> Use Amazon Bedrock's Claude models with tool use + Playwright for browser control. The perceive→reason→act loop is buildable today. You lose the purpose-built model advantage, but you learn the architecture.</p> <p><strong>3. Read the public GitHub.</strong> The <code>aws/nova-act</code> repo is open. The <code>amazon-agi-labs/nova-act-samples</code> repo has CDK examples for Lambda, ECS, and AgentCore. Reading these is free and region-independent.</p> <h2> What's Coming </h2> <p>Amazon has been explicit about the roadmap:</p> <ul> <li> <strong>MCP integration</strong> — Nova Act workflows calling external tools and APIs mid-session via Model Context Protocol</li> <li> <strong>Strands Agents</strong> — Amazon's open-source multi-agent SDK already supports Nova Act as a sub-agent in larger pipelines</li> <li> <strong>Beyond the browser</strong> — the same RL training methodology is being extended to more complex real-world task environments</li> <li> <strong>More regions</strong> — no official dates, but global expansion is the clear direction</li> </ul> <p>Browser automation is the beachhead. The broader target is any workflow that requires perception, reasoning, and action in a UI environment.</p> <h2> Key Takeaways </h2> <blockquote> <p><strong>6 things to remember from this article:</strong></p> <ol> <li> <strong>Vertical integration</strong> is why it's reliable — model + orchestrator + actuator trained together</li> <li> <strong>Atomic act() calls</strong> are the pattern — small precise steps beat one big instruction</li> <li> <strong>Vision &gt; DOM selectors</strong> — screenshots don't break when UI classes change</li> <li> <strong>AgentCore pricing</strong> — you don't pay for the 30–70% of time your agent spends waiting</li> <li> <strong>Human-in-the-loop</strong> is first-class — production agents hit edge cases; it's designed for that</li> <li> <strong>One-command deployment</strong> — Docker, ECR, IAM, AgentCore Runtime handled automatically</li> </ol> </blockquote> <h2> Resources </h2> <ul> <li>🏠 Product page → <a href="https://aws.amazon.com/nova/act" rel="noopener noreferrer">aws.amazon.com/nova/act</a> </li> <li>📖 Official docs → <a href="https://docs.aws.amazon.com/nova-act/latest/userguide/" rel="noopener noreferrer">docs.aws.amazon.com/nova-act/latest/userguide</a> </li> <li>💻 GitHub SDK → <a href="https://github.com/aws/nova-act" rel="noopener noreferrer">github.com/aws/nova-act</a> </li> <li>🧪 Sample code + CDK → <a href="https://github.com/amazon-agi-labs/nova-act-samples" rel="noopener noreferrer">github.com/amazon-agi-labs/nova-act-samples</a> </li> <li>💰 AgentCore pricing → <a href="https://aws.amazon.com/bedrock/agentcore/pricing/" rel="noopener noreferrer">aws.amazon.com/bedrock/agentcore/pricing</a> </li> <li>🎮 Web playground → <a href="https://nova.amazon.com/act" rel="noopener noreferrer">nova.amazon.com/act</a> </li> </ul> <p><strong>Found this useful?</strong> Drop a ❤️, share with your AWS friends, and follow for more deep dives on agentic AI on AWS. I'll be posting the "Build it yourself with Bedrock + Playwright" version next — a practical guide for restricted-region builders who want to implement the same perceive→act loop today.</p> aws ai automation python