AWS Bedrock Setup
This guide walks you through setting up AWS Bedrock access for the New Hires Reporting system.
Overview
The Workers service uses AWS Bedrock to intelligently correct validation errors in fixed-width files. Bedrock provides access to powerful AI models including Claude Sonnet 4.5 from Anthropic.
Prerequisites
- AWS Account with active subscription
- Access to AWS Console or AWS CLI
- Permissions to:
  - Enable Bedrock model access
  - Create IAM users/roles
  - Attach IAM policies
Step 1: Enable AWS Bedrock Model Access
Before you can use Bedrock models, you must request access for each model in your AWS region.
Using AWS Console
- Sign in to AWS Console: https://console.aws.amazon.com/
- Navigate to AWS Bedrock:
  - Search for "Bedrock" in the services search bar
  - Click on "Amazon Bedrock"
- Go to Model Access:
  - In the left sidebar, click "Model access"
  - Or navigate directly to: https://console.aws.amazon.com/bedrock/home?region=us-east-1#/modelaccess
- Request Model Access:
  - Click the orange "Manage model access" button
  - Find "Claude" section and check the boxes for:
    - Claude Sonnet 4.5 (required)
      - Specifically: us.anthropic.claude-sonnet-4-5-20250929-v1:0
  - Optionally, also enable:
    - Llama 4 Scout (alternative model)
      - Specifically: us.meta.llama4-scout-17b-instruct-v1:0
  - Click "Request model access"
- Wait for Approval:
  - Access is usually granted immediately for most models
  - Status will change from "Pending" to "Available"
  - Refresh the page after a few seconds to check status
Region Selection
The application is configured to use us-east-1 (N. Virginia) region. Make sure you're requesting access in this region. Check the region selector in the top-right corner of the AWS Console.
Using AWS CLI
# Check current model access
aws bedrock list-foundation-models --region us-east-1 --query 'modelSummaries[?contains(modelId, `claude`) || contains(modelId, `llama`)].modelId'
# Note: Model access must be requested through the console for first-time setup
Step 2: Create IAM Policy
Create an IAM policy that grants permission to invoke Bedrock models.
Required IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockModelInvocation",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": [
        "arn:aws:bedrock:us-east-1::foundation-model/us.anthropic.claude-sonnet-4-5-20250929-v1:0",
        "arn:aws:bedrock:us-east-1::foundation-model/us.meta.llama4-scout-17b-instruct-v1:0"
      ]
    }
  ]
}
Create Policy via AWS Console
- Navigate to IAM:
  - Go to: https://console.aws.amazon.com/iam/
  - Click "Policies" in the left sidebar
- Create Policy:
  - Click "Create policy"
  - Click the "JSON" tab
  - Paste the IAM policy JSON above
  - Click "Next: Tags" (tags are optional)
  - Click "Next: Review"
- Name the Policy:
  - Policy name: NewHiresBedrockInvokePolicy
  - Description: Allows invoking AWS Bedrock models for New Hires Reporting
  - Click "Create policy"
Create Policy via AWS CLI
# Save the policy JSON to a file
cat > bedrock-policy.json <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockModelInvocation",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": [
        "arn:aws:bedrock:us-east-1::foundation-model/us.anthropic.claude-sonnet-4-5-20250929-v1:0",
        "arn:aws:bedrock:us-east-1::foundation-model/us.meta.llama4-scout-17b-instruct-v1:0"
      ]
    }
  ]
}
EOF
# Create the policy
aws iam create-policy \
  --policy-name NewHiresBedrockInvokePolicy \
  --policy-document file://bedrock-policy.json \
  --description "Allows invoking AWS Bedrock models for New Hires Reporting"
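A pre-flight check for the policy above, added here as an example (it is not part of the project's code): it flags any Allow statement that grants more than bedrock:InvokeModel on explicitly named Bedrock ARNs. The function names and the over-broad counter-example are constructed for illustration.

```python
# Policy from Step 2 of this guide, embedded so the check runs offline.
GUIDE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BedrockModelInvocation",
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel"],
        "Resource": [
            "arn:aws:bedrock:us-east-1::foundation-model/us.anthropic.claude-sonnet-4-5-20250929-v1:0",
            "arn:aws:bedrock:us-east-1::foundation-model/us.meta.llama4-scout-17b-instruct-v1:0",
        ],
    }],
}
# Constructed counter-example: the kind of broad grant the check should reject.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}}
ALLOWED_ACTIONS = {"bedrock:invokemodel"}  # IAM action names are case-insensitive

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return least-privilege findings; an empty list means the policy passes."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action")):
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"{sid}: action {action} is not needed by the worker")
        for resource in _as_list(stmt.get("Resource")):
            if "*" in resource or "?" in resource:
                findings.append(f"{sid}: wildcard resource {resource}")
            elif not resource.startswith("arn:aws:bedrock:"):
                findings.append(f"{sid}: non-Bedrock resource {resource}")
    return findings

if __name__ == "__main__":
    for name, doc in (("guide", GUIDE_POLICY), ("broad", BROAD_POLICY)):
        print(name, lint_policy(doc) or "OK")
```

Run it against bedrock-policy.json (loaded with json.load) before calling aws iam create-policy, and again whenever the policy is edited.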
Step 3: Create IAM User and Credentials
Create an IAM user specifically for the New Hires Reporting application.
Using AWS Console
- Navigate to IAM Users:
  - Go to: https://console.aws.amazon.com/iam/
  - Click "Users" in the left sidebar
- Create User:
  - Click "Create user"
  - User name: newhires-reporting-worker
  - Click "Next"
- Attach Policy:
  - Select "Attach policies directly"
  - Search for NewHiresBedrockInvokePolicy
  - Check the box next to the policy
  - Click "Next"
- Review and Create:
  - Review the settings
  - Click "Create user"
- Create Access Key:
  - Click on the newly created user
  - Go to "Security credentials" tab
  - Scroll to "Access keys" section
  - Click "Create access key"
  - Select use case: "Application running outside AWS"
  - Click "Next"
  - (Optional) Add a description tag
  - Click "Create access key"
- Save Credentials:
  - IMPORTANT: Copy the Access Key ID and Secret Access Key
  - Download the .csv file or copy the credentials to a secure location
  - You will not be able to see the Secret Access Key again!
Using AWS CLI
# Create IAM user
aws iam create-user --user-name newhires-reporting-worker
# Attach the policy (replace ACCOUNT_ID with your AWS account ID)
aws iam attach-user-policy \
  --user-name newhires-reporting-worker \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/NewHiresBedrockInvokePolicy
# Create access key
aws iam create-access-key --user-name newhires-reporting-worker
# Output will contain AccessKeyId and SecretAccessKey - save these securely!
Step 4: Test Bedrock Access
Test that your credentials can invoke Bedrock models.
Using AWS CLI
# Configure AWS CLI with your new credentials
export AWS_ACCESS_KEY_ID="your_access_key_here"
export AWS_SECRET_ACCESS_KEY="your_secret_key_here"
export AWS_REGION="us-east-1"
# Test invoking Claude Sonnet 4.5
# (AWS CLI v2 treats --body as base64 by default; add
#  --cli-binary-format raw-in-base64-out to pass the raw JSON below)
aws bedrock-runtime invoke-model \
  --model-id us.anthropic.claude-sonnet-4-5-20250929-v1:0 \
  --body '{"anthropic_version":"bedrock-2023-05-31","messages":[{"role":"user","content":[{"type":"text","text":"Hello, this is a test. Please respond with: Test successful"}]}],"max_tokens":100,"temperature":0.1}' \
  --region us-east-1 \
  response.json
# Check the response
jq -r '.content[0].text' response.json
Expected output: "Test successful" or similar confirmation
If you get an error:
- AccessDeniedException: Check IAM policy is attached correctly
- ResourceNotFoundException: Check model ID is correct
- ThrottlingException: Bedrock is rate limiting (normal for first requests)
- ValidationException: Check the request body format
Using Python (Alternative)
import boto3
import json

# Initialize Bedrock client.
# The key values are placeholders for this one-off test; if the two key
# arguments are omitted, boto3 reads AWS_ACCESS_KEY_ID and
# AWS_SECRET_ACCESS_KEY from the environment instead.
bedrock = boto3.client(
    service_name='bedrock-runtime',
    region_name='us-east-1',
    aws_access_key_id='your_access_key_here',
    aws_secret_access_key='your_secret_key_here'
)

# Test API call
body = {
    "anthropic_version": "bedrock-2023-05-31",
    "messages": [
        {
            "role": "user",
            "content": [
                {
                    "type": "text",
                    "text": "Hello, this is a test. Please respond with: Test successful"
                }
            ]
        }
    ],
    "max_tokens": 100,
    "temperature": 0.1
}
response = bedrock.invoke_model(
    modelId='us.anthropic.claude-sonnet-4-5-20250929-v1:0',
    body=json.dumps(body)
)
# The response body is a stream; read and decode it before indexing
result = json.loads(response['body'].read())
print(result['content'][0]['text'])
Step 5: Configure Application
Add your AWS credentials to the application's environment variables.
Edit your .env file:
# AWS Bedrock Configuration
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS_REGION=us-east-1
# Optional: Override default model
# BEDROCK_MODEL_ID=us.anthropic.claude-sonnet-4-5-20250929-v1:0
See Environment Variables for full configuration reference.
Security Best Practices
Credential Management
- Never commit credentials to Git:
  - .env files should be in .gitignore
  - Use environment variables or secrets management
- Rotate credentials regularly:
  - Create new access keys every 90 days
  - Delete old access keys
- Use IAM roles when possible:
  - If running on EC2, use IAM instance roles instead of access keys
  - If running on ECS, use ECS task roles
- Least privilege principle:
  - Only grant bedrock:InvokeModel permission
  - Only for specific model ARNs needed
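To make the 90-day rotation rule checkable, the following added example (not part of the project) reviews the JSON printed by `aws iam list-access-keys --user-name newhires-reporting-worker`. The sample listing, its key IDs and the fixed "now" are constructed so the check runs offline.

```python
from datetime import datetime, timezone

# Constructed sample of `aws iam list-access-keys` output; key IDs are made up.
SAMPLE = {"AccessKeyMetadata": [
    {"UserName": "newhires-reporting-worker", "AccessKeyId": "AKIAEXAMPLEOLDKEY0001",
     "Status": "Active", "CreateDate": "2025-01-02T10:00:00+00:00"},
    {"UserName": "newhires-reporting-worker", "AccessKeyId": "AKIAEXAMPLENEWKEY0002",
     "Status": "Active", "CreateDate": "2025-05-20T10:00:00Z"},
]}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "current" time

def parse_time(value):
    """Parse an ISO 8601 timestamp; a trailing 'Z' needs help before Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def review_keys(listing, now, max_age_days=90):
    """Return (subject, finding) pairs for keys that break the rotation rules."""
    findings = []
    active = [k for k in listing["AccessKeyMetadata"] if k["Status"] == "Active"]
    for key in active:
        age = (now - parse_time(key["CreateDate"])).days
        if age > max_age_days:
            findings.append((key["AccessKeyId"], f"active for {age} days, rotate"))
    if len(active) > 1:
        # Two active keys usually means a rotation was started but never finished.
        findings.append((active[0]["UserName"],
                         f"{len(active)} active keys, delete the old one"))
    return findings

if __name__ == "__main__":
    for subject, finding in review_keys(SAMPLE, NOW):
        print(f"{subject}: {finding}")
```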
Monitoring and Auditing
- Enable CloudTrail logging:
  - Track all Bedrock API calls
  - Monitor for unusual usage patterns
- Set up CloudWatch alarms:
  - Alert on high Bedrock API usage
  - Monitor for AccessDenied errors
- Review IAM access:
  - Periodically audit who has Bedrock access
  - Remove unused users and policies
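The checks listed above can be prototyped over exported CloudTrail records before they become alarms. This added example (not the project's code) flags AccessDenied errors, calls to models outside the two this guide enables, and per-principal hourly bursts; the records are constructed, and the use of requestParameters.modelId is an assumption about the record layout.

```python
from collections import Counter

SONNET = "us.anthropic.claude-sonnet-4-5-20250929-v1:0"
EXPECTED_MODELS = {SONNET, "us.meta.llama4-scout-17b-instruct-v1:0"}  # enabled in Step 1
WORKER = "arn:aws:iam::111122223333:user/newhires-reporting-worker"  # constructed account ID
OTHER = "arn:aws:iam::111122223333:user/example-other"               # constructed principal

def _event(time, arn, model, source="bedrock.amazonaws.com", error=None):
    """Build a constructed CloudTrail record trimmed to the fields used below."""
    ev = {"eventTime": time, "eventSource": source, "eventName": "InvokeModel",
          "userIdentity": {"arn": arn}, "requestParameters": {"modelId": model}}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [  # constructed sample, not real log data
    _event("2025-01-10T09:00:05Z", WORKER, SONNET),
    _event("2025-01-10T09:10:00Z", WORKER, SONNET),
    _event("2025-01-10T09:20:00Z", WORKER, "example.unlisted-model-v1:0"),
    _event("2025-01-10T09:30:00Z", OTHER, SONNET, error="AccessDenied"),
    _event("2025-01-10T09:31:00Z", WORKER, None, source="s3.amazonaws.com"),
]

def triage(events, expected_models=EXPECTED_MODELS, hourly_limit=100):
    """Group Bedrock events into denied calls, unexpected models and hourly bursts."""
    denied, unexpected, per_hour = [], [], Counter()
    for ev in events:
        if ev.get("eventSource") != "bedrock.amazonaws.com":
            continue  # other services are out of scope for this check
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        if str(ev.get("errorCode", "")).startswith("AccessDenied"):
            denied.append((ev["eventTime"], who))
            continue
        if ev.get("eventName") != "InvokeModel":
            continue
        model = (ev.get("requestParameters") or {}).get("modelId")
        if model not in expected_models:
            unexpected.append((ev["eventTime"], who, model))
        per_hour[(who, ev["eventTime"][:13])] += 1  # bucket by principal and hour
    bursts = {key: n for key, n in per_hour.items() if n > hourly_limit}
    return {"denied": denied, "unexpected_model": unexpected, "bursts": bursts}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, hourly_limit=2))
```

Set hourly_limit from the worker's normal volume, which MAX_CONCURRENT_BEDROCK_CALLS and MAX_AI_ATTEMPTS bound.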
Cost Management
Understanding Bedrock Pricing
AWS Bedrock charges based on:
- Input tokens: Text sent to the model
- Output tokens: Text generated by the model
Claude Sonnet 4.5 Pricing (as of 2024):
- Input: ~$0.003 per 1K tokens
- Output: ~$0.015 per 1K tokens
Cost Estimation
- Average correction job: ~5,000 input tokens + 2,000 output tokens
- Cost per job: ~$0.045
- 1,000 jobs: ~$45
- See AWS Bedrock Pricing for current rates
Cost Optimization Tips
- Configure worker concurrency:
  - MAX_CONCURRENT_BEDROCK_CALLS=2 (default)
  - Increase for higher throughput, but monitor costs
- Set retry limits:
  - MAX_AI_ATTEMPTS=5 (default)
  - Prevents infinite retry loops on failed jobs
- Monitor token usage:
  - Check worker logs for token counts
  - Adjust batch sizes if token usage is too high
- Use Llama model for cost savings:
  - Meta Llama 4 Scout is cheaper than Claude
  - Set BEDROCK_MODEL_ID=us.meta.llama4-scout-17b-instruct-v1:0
  - Note: May have different accuracy/performance
Troubleshooting
"Access denied to foundation model"
Cause: Model access not enabled in Bedrock console
Solution: Go to Bedrock → Model access → Request access for Claude Sonnet 4.5
"Could not connect to the endpoint URL"
Cause: Wrong region configured
Solution: Ensure AWS_REGION=us-east-1 in .env file
"The security token included in the request is invalid"
Cause: Invalid AWS credentials
Solution: Double-check AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in .env
"ThrottlingException: Rate exceeded"
Cause: Too many Bedrock API calls too quickly
Solution:
- Reduce MAX_CONCURRENT_BEDROCK_CALLS in .env
- Bedrock has per-model rate limits
- Wait a few minutes and retry
"ValidationException: The provided model identifier is invalid"
Cause: Model ID is incorrect or not available in region
Solution: Use exact model ID: us.anthropic.claude-sonnet-4-5-20250929-v1:0
Next Steps
Now that AWS Bedrock is configured:
- Deploy the Application - Start the services
- Configure Environment Variables - Complete setup
- Monitor Health - Verify Bedrock connectivity