Within the realm of Amazon Web Services’ generative AI platform Amazon Bedrock, an action group is a technical concept used to define the tasks that an agent can perform. It’s not a group of people, but rather a structured component of conversational AI workflows:
- An action group bundles together one or more actions, like BookHotel, CreateBooking, CancelBooking, that your Bedrock AI agent can call upon.
- You can configure these actions using:
  - OpenAPI schemas, which define API endpoints, parameters, and responses,
  - or function details, wherein you specify the parameters your agent will elicit from users, and connect them to backend services (such as AWS Lambda functions).
- Once configured, the agent uses chain-of-thought reasoning to determine which action group to invoke, elicits required parameters from users, and either executes business logic via Lambda or returns control to your application.
Simple Example for Network and Cybersecurity Engineers
Think of an AWS Bedrock Action Group like a toolbox in a physical security engineer’s van.
- The toolbox (Action Group) contains specific tools (Actions) — for example, BookHotel, CreateBooking, CancelBooking are like your crimping tool, cable tester, and patch panel punch-down tool.
- Before you use the tools, you need to label and describe them so anyone on your team knows exactly how to use them:
  - OpenAPI schema is like the instruction manual for each tool — it tells you what the tool does, what size connectors it fits, and what result to expect.
  - Function details are like a checklist you hand to your apprentice — “Before using the cable tester, make sure you get the cable length, port number, and rack location from the customer.”
- The agent is like a smart dispatcher in your NOC — when a request comes in (“We need a hotel booked” / “The branch office switch is down”), it thinks through:
  - Which toolbox do I need?
  - Which tool inside it fits the job?
  - Do I have all the details from the user before starting?
- Once ready, it either:
  - Executes the job (like you driving to site and fixing the switch — in Bedrock’s case, calling a Lambda function), or
  - Hands the task back to someone else (returning control to your app).
It’s basically organized automation — grouping related tasks, clearly defining how to use them, and letting the AI pick and run the right one when needed.
Cybersecurity and IAM Analogy: Access Playbooks for Incident Response
- Action Group = An incident response playbook
  - Think of it like your “Phishing Response Playbook” or “Privilege Escalation Mitigation Playbook.”
  - Inside that playbook, you’ve got specific steps (Actions) — e.g., DisableUserAccount, RotateAccessKeys, RevokeSession.
- OpenAPI schema = The SOAR (Security Orchestration, Automation, and Response) integration doc
  - This is the formal spec telling your automation platform exactly what API endpoint to call, what parameters to send, and what to expect back — just like how you document the exact API call to AWS IAM to disable a user account.
- Function details = The runbook parameters checklist
  - For example: “Before disabling an account, collect: username, reason code, incident ticket number.”
  - This ensures the automation only runs once it has all the required security context.
- The Bedrock agent = Your SOC Tier 1 Analyst with AI-level decisioning
  - A new alert comes in → the agent thinks through the situation (chain-of-thought reasoning) → chooses the right playbook (action group) → collects missing intel from the analyst or system → and executes the automation via Lambda (like a SOAR workflow triggering the IAM API).
- Returning control = Escalation or hand-off
  - If the agent can’t fully execute (e.g., needs manager approval for account deletion), it returns control to your SOC tool or IAM admin for manual review.
In short: An Action Group in Bedrock is like pre-approved, API-ready security playbooks that your AI can pick from, fill in the blanks for, and run — just like an IAM or SOAR automation would handle account lockdowns or key rotations in response to an incident.
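The Lambda side of the playbook analogy above, as an added example that is not code from the original post or from AWS: the handler allowlists the actions, checks the required security context before anything runs, and answers in the response format Bedrock uses for function-details action groups. The action group name, parameter names, validation patterns and the `execute` hook are assumptions made for illustration.

```python
import re

# Hypothetical action group: function name -> required parameters. The names
# are assumptions based on the playbook analogy, not an AWS-defined schema.
REQUIRED = {
    "DisableUserAccount": ("username", "reason_code", "ticket_number"),
    "RevokeSession": ("username", "ticket_number"),
}
# Constructed validation rules. Parameter values are filled in by the model,
# so they are untrusted input until checked.
PATTERNS = {
    "username": re.compile(r"[A-Za-z0-9+=,.@_-]{1,64}"),
    "reason_code": re.compile(r"PHISHING|KEY_LEAK|PRIV_ESC"),
    "ticket_number": re.compile(r"INC-\d{4,8}"),
}

def _reply(event, text, state=None):
    """Build the response envelope for a function-details action group."""
    fr = {"responseBody": {"TEXT": {"body": text}}}
    if state:  # REPROMPT: invalid input, re-prompt the model; FAILURE: error
        fr["responseState"] = state
    return {"messageVersion": "1.0",
            "response": {"actionGroup": event.get("actionGroup"),
                         "function": event.get("function"),
                         "functionResponse": fr}}

def lambda_handler(event, context, execute=None):
    fn = event.get("function")
    if fn not in REQUIRED:  # allowlist: only playbook actions can run
        return _reply(event, f"Unknown action {fn!r}", "FAILURE")
    params = {p["name"]: str(p.get("value", ""))
              for p in event.get("parameters", [])}
    for name in REQUIRED[fn]:
        if not PATTERNS[name].fullmatch(params.get(name, "")):
            return _reply(event, f"Missing or invalid parameter: {name}",
                          "REPROMPT")
    args = {n: params[n] for n in REQUIRED[fn]}  # drop unexpected extras
    # `execute` is a hypothetical stand-in for the real backend call (for
    # example a wrapper around the IAM API); without it this is a dry run.
    result = execute(fn, args) if execute else f"dry-run: {fn} {args}"
    return _reply(event, str(result))

# Constructed sample event in the shape Bedrock sends for function details.
SAMPLE_EVENT = {
    "messageVersion": "1.0", "actionGroup": "PhishingResponse",
    "function": "DisableUserAccount",
    "parameters": [{"name": "username", "type": "string", "value": "alice"},
                   {"name": "reason_code", "type": "string", "value": "PHISHING"}],
}
```

Calling `lambda_handler(SAMPLE_EVENT, None)` returns a `REPROMPT` response because the incident ticket number has not been collected yet, so the backend action never runs.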