A. Sinai Rivera

Posted on Nov 22

I Built a Bedrock Agent for Learning… And It Definitely Took That Mission Seriously

#aws #ai #beginners #cloud

TL;DR

In this lab you’re going to build a fully functional Bedrock Agent that can:

Read your documents in S3
Extract information
Execute functions
Answer questions in a structured way
Reason step by step using Amazon Nova Micro
All 100% from the console, no Studio and no manual code.

You will learn to:

Create a bucket, upload PDFs, create an Agent, add Actions, connect S3, test with real questions, and validate responses using grounding.

Estimated time: 20–30 min
Services: Bedrock Agents, S3, IAM
Cost: Very low (< $0.25)

I decided to create this lab because I want to understand how AI agents in AWS actually work in a simple, practical, and explainable way. I want to guide others, teach GenAI concepts without unnecessary complexity, and build useful demos for my technical portfolio.

🧭 Quick Metadata

Field	Value
CB Category	AI/ML
AWS Services	Amazon Bedrock Agents, Amazon S3
Prerequisites	AWS account, S3 + Bedrock enabled, region `us-east-1`
Estimated costs	Low (< $0.25)
Architecture	See diagram

🗺️ Table of Contents (ToC)

Why It Matters
Architecture / What You Will Build
Prerequisites
Step by Step
Errors

💡 Why It Matters

Companies are moving from “just using LLMs” to building intelligent agents with clear steps, data access, and real grounding.

An agent can:

Plan
Reason
Retrieve data
Execute actions
Respond in context without you having to write the entire pipeline yourself

🧰 Architecture

📄 PDFs in S3
⬇️
⚙️ Bedrock Agent Action
⬇️
🤖 Amazon Nova Micro reasoning
⬇️
💬 Final answer based on your documents

🧱 Prerequisites

AWS account with billing enabled
Amazon Bedrock enabled in us-east-1
Access to create:

S3 buckets
IAM roles / policies
Bedrock Agents

🪜 Step by Step

🛠️ STEP 1 — Create the S3 Bucket (for your documents)

In the AWS Console, search for S3
Click Create bucket
Configure:
- Bucket name: kb-agent-sina-lab
- Region: us-east-1
- Block Public Access: ON (all options)
- Versioning: OFF
- Encryption: SSE-S3 (default)
Click Create bucket

🛠️ STEP 2 — Upload the Documents to Your S3 Bucket

We’re going to upload the three PDFs you just created.

2.1 Go to the bucket

In the AWS Console, go to S3
Click your bucket: kb-agent-sina-lab (or the name you used)

2.2 Upload the files

Click Upload
Then click Add files
Select:
- company-overview.pdf
- internal-policies.pdf
- service-pricing.pdf
Click Upload

2.3 Confirm they’re there

In your S3 bucket you should now see the documents:

🛠️ STEP 3 — Create Your Bedrock Agent

3.1 Open Amazon Bedrock

In the AWS Console search bar, type: Bedrock
In the left menu, select Agents

3.2 Create a new Agent

Click Create agent
Fill in the fields:
- Agent name: sina-agent-rag-lab
- Description: Agent that answers questions using internal documents stored in Amazon S3 via automatic actions.
Click Create
Select the Agent model. For this lab, we’ll use:Amazon Nova Micro (the free + secure model recommended by AWS for agents).
Agent instructions:
You are a corporate assistant designed to answer questions using exclusively the information stored in the company’s internal documents in Amazon S3.
Click Save

🛠️ STEP 4 — Create the Action Group That Reads from S3

4.1 Find the “Action groups” section

Click Add

Action group name: read-company-docs
Description (optional): read documents from S3 and retrieve relevant content
Action group type: select Define with function details
- Here you describe what the function does (name, description, S3 access type) and Bedrock auto-generates the Lambda for you.
Action group invocation: select Quick create a new Lambda

4.2 Action group function

Name: get_company_policy
Description: Function that searches for information within the corporate documents stored in S3. It simulates retrieving internal policies, processes, or relevant details to answer the user’s questions.

4.3 Parameters

Your agent needs to know what information to send to the Lambda function when it wants to use it.

Click Add parameter
Name: query
Description: user question looking for information
Type: String
Required: True
Click Create

🛠️ STEP 5 — Save and Prepare the Agent

Once the Action Group is created:

Click Save at the top
Then click Prepare (this validates instructions + model + actions)

🛠️ STEP 6 — Test the Agent

In this step we’re going to test the Agent by asking questions related to the company document stored in the S3 bucket.

6.1 Use Test agent on the right side

Inside your Agent view:
On the right panel, in the text box, type a real question based on the PDFs you created, for example:

“What does the company say about its mission or vision?”

ERROR

We got an error – and thanks to AWS services, we can investigate that error and fix it.

🛠️ STEP 7 — Fix the Response Error

We can solve this problem in different ways.
One option is to look at the detailed error and read exactly where it failed.

However, if you’re new and don’t have much experience reading code, AWS has a resource called Amazon Q.

Amazon Q is a chatbot that lets you ask questions about what you’re building and helps you debug.

Let’s use that option first.

7.1 In the error message, click Show trace

Click Trace step 1
In the upper-right corner, you’ll see the Amazon Q icon

7.2 Ask Amazon Q

In the chat box, type:

“Why is my agent saying it is unable to help me with my request?”

According to Amazon Q, the possible causes are:

Common Causes and Fixes

1. Permissions and roles

IAM permissions: verify that the service role of your agent has the necessary permissions to invoke the base model.

2. Agent configuration issues

Instructions clarity: your agent instructions may be too restrictive or unclear. Try simplifying them and specifying more clearly what the agent should do.
Action group names: if you’re using action groups, avoid using hyphens (-) in the names; use underscores (_) instead.

🛠️ STEP 8 — Let’s Fix It

We’re going to apply each recommendation from Amazon Q.

8.1 Identify the service role of your Agent

Go to Amazon Bedrock in the console
In the left menu, click Agents
Click your Agent
On the Agent screen, look for the blue Permissions link

8.2 Check the role permissions

Inside the role, go to the Permissions tab
In Permissions policies, review the attached policies
Click the policy to open it

From the screenshot, we can see that:

AmazonBedrockAgentBedrockFoundationModelPolicy_S1GQAOZ17SK
has a limited access level – read-only. That means:

❌ It cannot invoke models
❌ It cannot call Nova Micro
❌ It cannot generate responses
✔️ It can only read metadata

8.3 Let’s fix it

Click the JSON tab on the top right
Click Edit, remove the existing policy content
Paste the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonBedrockAgentBedrockFoundationModelPolicyProd",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*"
    }
  ]
}

Click Next, then Save

8.4 Test the Agent again

In your Agent, go to Action details
Select Edit in Agent builder
Click Save and exit
Click Prepare
Ask the same question again

❌ Still Error 😆😆😆😆

If this didn’t fix the problem, we move to the next likely cause.

🛠️ STEP 9 — Fix Cause #2: Agent Configuration

9.1 Review and simplify Agent instructions

Go to Amazon Bedrock → Agents
Click your Agent
In the Agent panel, look for the Instructions section

Solution 1: The word “EXCLUSIVELY” is killing the Agent

What happens?
If the Agent does not find information in S3 that exactly answers the question… by design it must block the response.

And the default answer in that case is:“Sorry, I am unable to assist you with this request.”

Update the Agent instructions

Replace your entire prompt with:

You are a helpful corporate assistant. Use information from the company's internal documents stored in Amazon S3 when it is relevant. If the information is not available, provide the best possible answer based on your general reasoning and politely indicate when the exact information is not found.

Solution 2: Invalid Action Group name

The Action Group is called: read-company-docs
The hyphens - can cause failures in Bedrock Agents (2024–2025).

Change read-company-docs → read_company_docs
Click Save
Click Prepare
Ask the question again

Possible error 😆😆😆😆 — Incomplete response

Even though the Agent responded, the answer was incomplete.

What do we do now? Let’s check the trace to understand the possible causes.

In the error message, click Show trace
Click Trace step 1
Copy the code and paste it again into Amazon Q

Based on Amazon Q, these are the possible causes of the incomplete response:

1. The Agent is showing [retrieved information] because:

The instructions or internal prompts are written as if a Knowledge Base existed, but we do not have a Knowledge Base connected and we are using Action Groups, which do not need a Knowledge Base.

So any phrase inside the Agent, like:

“according to the retrieved information…”
“based on the retrieved information…”
“from the knowledge base…”
or the literal placeholder [retrieved information]

…cannot be replaced with anything, because there is no data source to fill it.

2. The Agent then returns the placeholder as-is, causing confusion.

So there is some text either in Agent instructions, Prompt templates, or Action group outputs that contains placeholders or assumptions about a Knowledge Base.

🛠️ STEP 10 — Let’s Fix That

10.1 Review the instructions again and remove any mention of:

Knowledge Base
Internal documents (as a hard requirement)
“Retrieved information”
Placeholders like [retrieved information]

For this version of the lab, the Agent should work only with Action Groups, not with a Knowledge Base.

What’s wrong here?

It mentions internal documents
It mentions S3 explicitly
It tells the Agent it can ONLY respond using “documents”
That forces the Agent to look for retrieved information → but there is no Knowledge Base

Let’s change the instruction to:

You are a corporate assistant designed to answer questions using the information provided by the system and the available action groups. Do not assume information; always rely on the results returned by the actions.

Click Save
Click Prepare
Ask the question again

The Agent should now respond, but it's asking for the company name.
Let’s answer and see the response

I asked another question:

“What does the company say about confidentiality?”

Then:

“What does it say about the confidentiality policy?”

At this point, even though the Agent answered the question, it should have been simpler — so there’s probably still something off.

And that’s okay.

Even though this lab didn’t end with a “perfect” solution, I intentionally decided to leave the last error open. The community grows when we share not only what works, but also what challenges us.

For me, it’s valuable to open the process, show real learnings, and create spaces where others can also learn, contribute, and improve this path together.

Later I’ll share part two of this project, but for now, the important thing is to build community through transparency and shared learning.

🧯 Errors

Symptom	Probable cause	Fix / Lesson learned
“Sorry, I am unable to assist with this request.”	Agent role didn’t have permission for `bedrock:InvokeModel`	Update IAM policy JSON to allow model invocation.
Agent asks for clarification (e.g., “What is the company name?”)	Automatic `user__askuser` triggered by internal orchestration	Add rules in Agent instructions to avoid unnecessary clarifications.
Placeholder `[retrieved information]` appears in the response	Instructions assume a non-existing Knowledge Base	Update instructions to use only Action Groups.
Action Group doesn’t execute	Required parameter / invalid name with hyphens	Set `required = false` and rename using `_` instead of `-`.
Incomplete responses	Double `<thinking>` or invalid structure	Enforce a single `<thinking>` followed by a single `<answer>`.
Lambda not returning useful content	Auto-generated Lambda has no actual logic	Replace it with a function that reads files from the S3 bucket.