Use AWS Bedrock with Edge Delta

Integrate Edge Delta with your AWS Bedrock service.

Background

Edge Delta features OnCall AI to interpret anomaly patterns generated by Fleets on the edge and monitors in the Edge Delta back end. Edge Delta sends some non-sensitive data, such as log patterns, to Edge Delta’s third-party AI service providers. You can configure Edge Delta to call your AWS Bedrock service instead.

Overview

This how-to demonstrates how to configure AWS and Edge Delta so that Edge Delta executes AI API calls to AWS Bedrock.

1. (Optional) Create a new AWS account

Because you will be granting Edge Delta permission to make AWS Bedrock calls on your behalf, it may be difficult to differentiate the calls made by Edge Delta from other Bedrock calls. To separate your own AWS Bedrock calls from those initiated by Edge Delta, you can optionally create a new AWS account that is governed by the same billing as your master AWS account. This provides some security and cost-tracking benefits.

2. Create an IAM Role

Create an IAM role for Edge Delta:

  1. Go to the IAM section in the AWS Console.
  2. Click Roles in the sidebar and click Create Role.
  3. Select AWS Service and select EC2, Lambda, or whichever service you plan to use with Bedrock.
  4. Click Next: Permissions.

3. Attach a Policy for Bedrock Access

You need to either create a custom policy for the role or attach an existing one.

  1. Click Create Policy, then go to the JSON editor and paste the policy.

This example allows the bedrock:InvokeModel action on every Bedrock resource ("Resource": "*"), but you may want to make it more specific to particular resources:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel"
            ],
            "Resource": "*"
        }
    ]
}
  2. Save the policy and give it a name like BedrockLimitedAccess.

4. Attach the Policy to the Role

Next, you assign the policy to the role you created earlier.

  1. Go back to the role creation workflow.
  2. Search for the policy BedrockLimitedAccess and attach it.
  3. Click Next and complete the role creation process.

5. Configure Trust Relationship

Now that the role is created and permissions are assigned to it, give Edge Delta permission to assume that role. Open the Trust relationships tab and click Edit trust relationship. Paste the following policy after replacing the placeholders.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<123456789>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<some_random_string>"
        }
      }
    }
  ]
}

Replace <some_random_string> with a unique string that you generate. You will reference it in the Edge Delta settings UI. Replace <123456789> with the Edge Delta ARN. Contact support to obtain it and to enable the feature for your account.
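The following added example (not Edge Delta's or AWS's own code) generates an unpredictable value for <some_random_string>, builds the trust policy from step 5, and checks a policy document for the mistakes that weaken or break it: a wildcard principal, Action or Condition placed inside Principal, and a missing or unreplaced sts:ExternalId. The function names and the account ID 111122223333 are assumptions made for illustration.

```python
import json
import secrets

def new_external_id():
    # 128 bits from the OS CSPRNG, hex-encoded: the value for <some_random_string>.
    return secrets.token_hex(16)

def build_trust_policy(principal_arn, external_id):
    # Action and Condition are siblings of Principal, not children of it.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for n, stmt in enumerate(_as_list(policy.get("Statement"))):
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"statement {n}: wildcard principal")
        if isinstance(principal, dict) and {"Action", "Condition"} & principal.keys():
            findings.append(f"statement {n}: Action/Condition nested inside Principal")
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            findings.append(f"statement {n}: no statement-level sts:AssumeRole action")
        ext = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext:
            findings.append(f"statement {n}: no sts:ExternalId condition")
        elif any(str(e).startswith("<") for e in ext):
            findings.append(f"statement {n}: ExternalId placeholder not replaced")
    return findings

if __name__ == "__main__":
    # Constructed principal ARN; use the value Edge Delta support gives you.
    policy = build_trust_policy("arn:aws:iam::111122223333:root", new_external_id())
    print(json.dumps(policy, indent=2))
    print(lint_trust_policy(policy))
```

Run the linter on the document you are about to paste into the Trust relationships editor and keep the generated ExternalId for step 7.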

6. Enable AWS Bedrock Models

Navigate to the Bedrock Console and request access for the models you want to enable.

7. Configure Edge Delta

In this step you specify the enabled models in Edge Delta and provide the sts:ExternalId.

  1. Click Admin and select the My Organization tab.
  2. Click Edit in your Organization pane.
  3. Click Use Custom AWS Account for AI Processing.
  4. Enter your AWS Account ID, the AWS External ID you configured earlier, and the AWS Region of your resources.
  5. Specify the names of the models you enabled earlier.
  6. Click Save.