This content originally appeared on DEV Community and was authored by A. Sinai Rivera
TL;DR
In this lab you’re going to build a fully functional Bedrock Agent that can:
- Read your documents in S3
- Extract information
- Execute functions
- Answer questions in a structured way
- Reason step by step using Amazon Nova Micro
- All 100% from the console, no Studio and no manual code.
You will learn to:
Create a bucket, upload PDFs, create an Agent, add Actions, connect S3, test with real questions, and validate responses using grounding.
Estimated time: 20–30 min
Services: Bedrock Agents, S3, IAM
Cost: Very low (< $0.25)
I decided to create this lab because I want to understand how AI agents in AWS actually work in a simple, practical, and explainable way. I want to guide others, teach GenAI concepts without unnecessary complexity, and build useful demos for my technical portfolio.
🧭 Quick Metadata
| Field | Value |
|---|---|
| CB Category | AI/ML |
| AWS Services | Amazon Bedrock Agents, Amazon S3 |
| Prerequisites | AWS account, S3 + Bedrock enabled, region us-east-1 |
| Estimated costs | Low (< $0.25) |
| Architecture | See diagram |
🗺️ Table of Contents (ToC)
Why It Matters
Architecture / What You Will Build
Prerequisites
Step by Step
Errors
💡 Why It Matters
Companies are moving from “just using LLMs” to building intelligent agents with clear steps, data access, and real grounding.
An agent can:
- Plan
- Reason
- Retrieve data
- Execute actions
- Respond in context without you having to write the entire pipeline yourself
🧰 Architecture
📄 PDFs in S3
⬇️
⚙️ Bedrock Agent Action
⬇️
🤖 Amazon Nova Micro reasoning
⬇️
💬 Final answer based on your documents
🧱 Prerequisites
AWS account with billing enabled
Amazon Bedrock enabled in us-east-1
Access to create:
- S3 buckets
- IAM roles / policies
- Bedrock Agents
🪜 Step by Step
🛠️ STEP 1 — Create the S3 Bucket (for your documents)
- In the AWS Console, search for S3
- Click Create bucket
- Configure:
  - Bucket name: kb-agent-sina-lab
  - Region: us-east-1
  - Block Public Access: ON (all options)
  - Versioning: OFF
  - Encryption: SSE-S3 (default)
- Click Create bucket
🛠️ STEP 2 — Upload the Documents to Your S3 Bucket
We’re going to upload the three PDFs you just created.
2.1 Go to the bucket
- In the AWS Console, go to S3
- Click your bucket: kb-agent-sina-lab (or the name you used)
2.2 Upload the files
- Click Upload
- Then click Add files
- Select:
  - company-overview.pdf
  - internal-policies.pdf
  - service-pricing.pdf
- Click Upload
2.3 Confirm they’re there
In your S3 bucket you should now see the three documents.
🛠️ STEP 3 — Create Your Bedrock Agent
3.1 Open Amazon Bedrock
- In the AWS Console search bar, type: Bedrock
- In the left menu, select Agents
3.2 Create a new Agent
- Click Create agent
- Fill in the fields:
- Agent name: sina-agent-rag-lab
- Description: Agent that answers questions using internal documents stored in Amazon S3 via automatic actions.
- Click Create
- Select the Agent model. For this lab, we’ll use: Amazon Nova Micro (the free + secure model recommended by AWS for agents).
- Agent instructions:
- You are a corporate assistant designed to answer questions using exclusively the information stored in the company’s internal documents in Amazon S3.
- Click Save
🛠️ STEP 4 — Create the Action Group That Reads from S3
4.1 Find the “Action groups” section
Click Add
- Action group name: read-company-docs
- Description (optional): read documents from S3 and retrieve relevant content
- Action group type: select Define with function details
- Here you describe what the function does (name, description, S3 access type) and Bedrock auto-generates the Lambda for you.
- Action group invocation: select Quick create a new Lambda
4.2 Action group function
- Name: get_company_policy
- Description: Function that searches for information within the corporate documents stored in S3. It simulates retrieving internal policies, processes, or relevant details to answer the user’s questions.
4.3 Parameters
Your agent needs to know what information to send to the Lambda function when it wants to use it.
- Click Add parameter
- Name: query
- Description: user question looking for information
- Type: String
- Required: True
- Click Create
🛠️ STEP 5 — Save and Prepare the Agent
Once the Action Group is created:
- Click Save at the top
- Then click Prepare (this validates instructions + model + actions)
🛠️ STEP 6 — Test the Agent
In this step we’re going to test the Agent by asking questions related to the company document stored in the S3 bucket.
6.1 Use Test agent on the right side
- Inside your Agent view:
- On the right panel, in the text box, type a real question based on the PDFs you created, for example:
“What does the company say about its mission or vision?”
ERROR
We got an error – and thanks to AWS services, we can investigate that error and fix it.
🛠️ STEP 7 — Fix the Response Error
We can solve this problem in different ways.
One option is to look at the detailed error and read exactly where it failed.
However, if you’re new and don’t have much experience reading code, AWS has a resource called Amazon Q.
Amazon Q is a chatbot that lets you ask questions about what you’re building and helps you debug.
Let’s use that option first.
7.1 In the error message, click Show trace
- Click Trace step 1
- In the upper-right corner, you’ll see the Amazon Q icon
7.2 Ask Amazon Q
In the chat box, type:
“Why is my agent saying it is unable to help me with my request?”
According to Amazon Q, the possible causes are:
Common Causes and Fixes
1. Permissions and roles
IAM permissions: verify that the service role of your agent has the necessary permissions to invoke the base model.
2. Agent configuration issues
Instructions clarity: your agent instructions may be too restrictive or unclear. Try simplifying them and specifying more clearly what the agent should do.
Action group names: if you’re using action groups, avoid using hyphens (-) in the names; use underscores (_) instead.
🛠️ STEP 8 — Let’s Fix It
We’re going to apply each recommendation from Amazon Q.
8.1 Identify the service role of your Agent
- Go to Amazon Bedrock in the console
- In the left menu, click Agents
- Click your Agent
- On the Agent screen, look for the blue Permissions link
8.2 Check the role permissions
- Inside the role, go to the Permissions tab
- In Permissions policies, review the attached policies
- Click the policy to open it
From the screenshot, we can see that the policy AmazonBedrockAgentBedrockFoundationModelPolicy_S1GQAOZ17SK has a limited access level – read-only. That means:
❌ It cannot invoke models
❌ It cannot call Nova Micro
❌ It cannot generate responses
✔️ It can only read metadata
8.3 Let’s fix it
- Click the JSON tab on the top right
- Click Edit, remove the existing policy content
- Paste the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AmazonBedrockAgentBedrockFoundationModelPolicyProd",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*"
    }
  ]
}
```
- Click Next, then Save
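The policy pasted in 8.3 allows the agent role to invoke every model, because `"Resource"` is `"*"`. As an added example (not part of the original lab), the check below flags that pattern and compares it with a constructed alternative limited to Nova Micro; the model ARN and the `InvokeNovaMicroOnly` Sid are assumptions to replace with the values shown in your own console.

```python
from fnmatch import fnmatchcase

INVOKE = ("bedrock:invokemodel", "bedrock:invokemodelwithresponsestream")

# Policy pasted in step 8.3 of the lab.
LAB_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AmazonBedrockAgentBedrockFoundationModelPolicyProd",
    "Effect": "Allow",
    "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
    "Resource": "*",
}]}

# Constructed alternative: same actions, one foundation model only.
# Assumption: this ARN matches Nova Micro in us-east-1; copy the exact ARN
# for your model and region from the Bedrock console.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "InvokeNovaMicroOnly",
    "Effect": "Allow",
    "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
    "Resource": "arn:aws:bedrock:us-east-1::foundation-model/amazon.nova-micro-v1:0",
}]}


def as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def unscoped_invoke_sids(policy):
    """Return Sids of Allow statements granting model invocation on Resource "*"."""
    flagged = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        grants_invoke = any(fnmatchcase(act, pat) for pat in patterns for act in INVOKE)
        if grants_invoke and "*" in as_list(stmt.get("Resource", [])):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    print("lab policy:", unscoped_invoke_sids(LAB_POLICY))
    print("scoped policy:", unscoped_invoke_sids(SCOPED_POLICY))
```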
8.4 Test the Agent again
- In your Agent, go to Action details
- Select Edit in Agent builder
- Click Save and exit
- Click Prepare
- Ask the same question again
❌ Still Error 😆😆😆😆
If this didn’t fix the problem, we move to the next likely cause.
🛠️ STEP 9 — Fix Cause #2: Agent Configuration
9.1 Review and simplify Agent instructions
- Go to Amazon Bedrock → Agents
- Click your Agent
- In the Agent panel, look for the Instructions section
Solution 1: The word “EXCLUSIVELY” is killing the Agent
What happens?
If the Agent does not find information in S3 that exactly answers the question… by design it must block the response.
And the default answer in that case is: “Sorry, I am unable to assist you with this request.”
Update the Agent instructions
Replace your entire prompt with:
You are a helpful corporate assistant. Use information from the company's internal documents stored in Amazon S3 when it is relevant. If the information is not available, provide the best possible answer based on your general reasoning and politely indicate when the exact information is not found.
Solution 2: Invalid Action Group name
The Action Group is called: read-company-docs
The hyphens - can cause failures in Bedrock Agents (2024–2025).
- Change read-company-docs → read_company_docs
- Click Save
- Click Prepare
- Ask the question again
Possible error 😆😆😆😆 — Incomplete response
Even though the Agent responded, the answer was incomplete.
What do we do now? Let’s check the trace to understand the possible causes.
- In the error message, click Show trace
- Click Trace step 1
- Copy the code and paste it again into Amazon Q
Based on Amazon Q, these are the possible causes of the incomplete response:
1. The Agent is showing [retrieved information] because:
The instructions or internal prompts are written as if a Knowledge Base existed, but we do not have a Knowledge Base connected and we are using Action Groups, which do not need a Knowledge Base.
So any phrase inside the Agent, like:
- “according to the retrieved information…”
- “based on the retrieved information…”
- “from the knowledge base…”
- or the literal placeholder [retrieved information]
…cannot be replaced with anything, because there is no data source to fill it.
2. The Agent then returns the placeholder as-is, causing confusion.
So there is some text either in Agent instructions, Prompt templates, or Action group outputs that contains placeholders or assumptions about a Knowledge Base.
🛠️ STEP 10 — Let’s Fix That
10.1 Review the instructions again and remove any mention of:
- Knowledge Base
- Internal documents (as a hard requirement)
- “Retrieved information”
- Placeholders like [retrieved information]
For this version of the lab, the Agent should work only with Action Groups, not with a Knowledge Base.
What’s wrong here?
- It mentions internal documents
- It mentions S3 explicitly
- It tells the Agent it can ONLY respond using “documents”
- That forces the Agent to look for retrieved information → but there is no Knowledge Base
Let’s change the instruction to:
You are a corporate assistant designed to answer questions using the information provided by the system and the available action groups. Do not assume information; always rely on the results returned by the actions.
- Click Save
- Click Prepare
- Ask the question again
The Agent should now respond, but it's asking for the company name.
Let’s answer and see the response.
I asked another question:
“What does the company say about confidentiality?”
Then:
“What does it say about the confidentiality policy?”
At this point, even though the Agent answered the question, it should have been simpler — so there’s probably still something off.
And that’s okay.
Even though this lab didn’t end with a “perfect” solution, I intentionally decided to leave the last error open. The community grows when we share not only what works, but also what challenges us.
For me, it’s valuable to open the process, show real learnings, and create spaces where others can also learn, contribute, and improve this path together.
Later I’ll share part two of this project, but for now, the important thing is to build community through transparency and shared learning.
🧯 Errors
| Symptom | Probable cause | Fix / Lesson learned |
|---|---|---|
| “Sorry, I am unable to assist with this request.” | Agent role didn’t have permission for bedrock:InvokeModel | Update IAM policy JSON to allow model invocation. |
| Agent asks for clarification (e.g., “What is the company name?”) | Automatic user__askuser triggered by internal orchestration | Add rules in Agent instructions to avoid unnecessary clarifications. |
| Placeholder [retrieved information] appears in the response | Instructions assume a non-existing Knowledge Base | Update instructions to use only Action Groups. |
| Action Group doesn’t execute | Required parameter / invalid name with hyphens | Set required = false and rename using _ instead of -. |
| Incomplete responses | Double <thinking> or invalid structure | Enforce a single <thinking> followed by a single <answer>. |
| Lambda not returning useful content | Auto-generated Lambda has no actual logic | Replace it with a function that reads files from the S3 bucket. |
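The last row refers to replacing the quick-created Lambda with one that actually reads the bucket. One way to write that function, as an added example that is not the author's or AWS's code: it assumes plain-text extracts of the three PDFs sit in the bucket from Step 1, uses simple keyword matching, and takes a hypothetical `read_object` argument so it can be exercised without AWS access.

```python
import re

BUCKET = "kb-agent-sina-lab"  # bucket from Step 1
# Assumption: plain-text extracts of the three lab PDFs were uploaded next to
# them, because the Lambda Python runtime ships no PDF parser.
ALLOWED_KEYS = ("company-overview.txt", "internal-policies.txt", "service-pricing.txt")
MAX_QUERY_CHARS = 500   # reject oversized model-generated input
MAX_BODY_CHARS = 4000   # bound how much document text goes back to the model


def get_param(event, name):
    """Read one function parameter from the agent's Lambda input event."""
    for p in event.get("parameters", []):
        if p.get("name") == name:
            return str(p.get("value", ""))
    return ""


def search_docs(query, read_object):
    """Naive keyword search: paragraphs that contain a query word of 6+ letters."""
    terms = {t for t in re.findall(r"[a-z0-9]+", query.lower()) if len(t) >= 6}
    hits = []
    for key in ALLOWED_KEYS:  # keys are fixed here, never built from the query
        for para in read_object(key).split("\n\n"):
            if any(t in para.lower() for t in terms):
                hits.append(f"[{key}] {para.strip()}")
    return "\n".join(hits)[:MAX_BODY_CHARS] or "No matching passage found."


def s3_reader():
    import boto3  # present in the Lambda runtime; imported lazily for local tests
    s3 = boto3.client("s3")
    return lambda key: s3.get_object(Bucket=BUCKET, Key=key)["Body"].read().decode("utf-8", "replace")


def lambda_handler(event, context, read_object=None):
    query = get_param(event, "query").strip()
    if not query or len(query) > MAX_QUERY_CHARS:
        body = "Invalid query parameter."
    else:
        body = search_docs(query, read_object or s3_reader())
    return {  # response shape for action groups defined with function details
        "messageVersion": event.get("messageVersion", "1.0"),
        "response": {
            "actionGroup": event.get("actionGroup"),
            "function": event.get("function"),
            "functionResponse": {"responseBody": {"TEXT": {"body": body}}},
        },
    }
```

Because the object keys are hard-coded, the Lambda's execution role only needs `s3:GetObject` on those three objects, and nothing in the model-generated `query` can steer the function to another key.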
📚 Official Resources
Amazon Bedrock Agents
https://docs.aws.amazon.com/bedrock/latest/userguide/agents.html
Action Groups
https://docs.aws.amazon.com/bedrock/latest/userguide/agents-actions.html
S3 — Developer Guide
https://docs.aws.amazon.com/AmazonS3/latest/dev/Welcome.html
IAM Policies
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
AWS Samples Repository
https://github.com/aws-samples
A. Sinai Rivera | Sciencx (2025-11-22T01:14:48+00:00) I Built a Bedrock Agent for Learning… And It Definitely Took That Mission Seriously. Retrieved from https://www.scien.cx/2025/11/22/i-built-a-bedrock-agent-for-learning-and-it-definitely-took-that-mission-seriously/