Compliance audits require complete evidence trails, usually involving many screenshots across a number of applications. Your compliance teams likely spend hours manually navigating through GitHub repositories, AWS consoles, and internal applications, capturing screenshots at every step. This manual process is time-consuming, error-prone, and difficult to reproduce consistently across audit cycles. This post demonstrates how we automated audit workflows using Amazon Bedrock and browser automation.
In this post, we show you how to build a similar system for your organization. You'll learn the architecture decisions, implementation details, and deployment process that can help you automate your own compliance workflows. We built a browser extension that automates this evidence collection process using Amazon Bedrock with the Amazon Nova 2 Lite model. Your extension will execute pre-defined compliance workflows, automatically capture timestamped screenshots, and store organized evidence in Amazon Simple Storage Service (Amazon S3). It can also analyze compliance documents and generate new workflows using natural language processing (NLP).
You'll learn how we architected this solution, integrated Amazon Nova 2 Lite for intelligent automation, and implemented browser automation tools that handle the complexity of modern web applications. We cover the technical implementation details, deployment process, and real-world usage patterns.
Solution overview
We chose browser automation combined with AI for several key reasons: it works with any web application without requiring API access, it captures the visual evidence that auditors need, and it can adapt to UI changes through intelligent automation.
The solution uses a browser extension for Chrome and Firefox as the primary interface, providing three main capabilities: an evidence collector, an AI-powered workflow designer, and report delivery. The evidence collector executes pre-defined workflows, navigating through web applications and capturing timestamped screenshots into an Amazon S3 bucket. The AI-powered workflow designer communicates with Amazon Bedrock using the Amazon Nova 2 Lite model. When you upload a compliance text document, Amazon Nova 2 Lite analyzes it and generates executable workflow JSON that the extension can run. For report delivery, after a workflow completes, Amazon Simple Email Service (Amazon SES) generates and sends a compliance report to a specified email address.
On the infrastructure side, two AWS Lambda functions support the solution: one uploads initial system prompts to the S3 bucket during deployment, and another handles bucket cleanup. For authentication and authorization, the extension uses Amazon Cognito to manage user sign-in. Cognito works with AWS Security Token Service (AWS STS) and AWS Identity and Access Management (IAM) to provide the extension with scoped, least-privilege credentials for accessing Amazon Bedrock, Amazon S3, and Amazon SES. AWS encrypts evidence at rest, organizes it by date and workflow, and includes comprehensive audit logs.
Architecture
Now that you understand what the system does, let's examine how it's structured. The browser extension follows a modular architecture with four distinct layers:
A. UI Layer
The side panel provides the primary interface with three components. The chat interface allows natural language interaction with Amazon Nova 2 Lite for compliance questions and one-time automation. The workflow management panel lists available workflows, shows execution status, and provides edit capabilities. The authentication UI handles Amazon Cognito login and configuration management. The following image shows the UI and its capabilities.
B. AI Agent Layer
Amazon Nova 2 Lite serves as the intelligence layer with three operational modes:
- Chat mode: Ask ad-hoc questions, and it will answer compliance questions and execute browser automation tools based on natural language commands. This is most useful when you need quick evidence collection without creating a full workflow.
- Designer mode (used for creating new workflows): Analyzes uploaded .txt documents to extract workflow steps and generate automation scripts. Use this when you have compliance documentation and need to create repeatable workflows.
- Report generation mode (used after workflow completion): Analyzes the captured screenshots to generate a comprehensive compliance report that includes evidence summaries, findings, and compliance status assessments. Amazon SES then emails the completed report to your specified email address.
C. Workflow Engine
The workflow execution engine processes JSON-defined workflows step by step. JSON is a text format for defining step-by-step instructions. Don't worry about the technical details yet; we show you how the AI can generate these automatically. The engine handles navigation, waits for page loads, captures screenshots with context, and manages user confirmation steps for manual actions like authentication. The engine includes intelligent error recovery that uses Amazon Nova 2 Lite to suggest alternatives when steps fail.
The workflow designer analyzes compliance documents using Amazon Nova 2 Lite, extracts the required evidence points, and generates workflow JSON. You can test workflows before saving, edit existing workflows, and manage workflow versions in Amazon S3.
D. Storage and Services
Amazon S3 stores evidence in a structured folder hierarchy that organizes screenshots, compliance documents, AI prompts, workflows with backups, chat logs, and generated reports, as shown in the following example:
evidence-collector-bucket-{AccountId}-{Region}/
|
|— evidence/
|   |— README.txt → Explains the evidence folder structure and organization
|   |— YYYY/MM/DD/
|       |— screenshot-*.png → Screenshots captured during workflow execution as compliance evidence
|
|— workflow-documents/
|   |— README.txt → Explains the purpose of the workflow documents folder
|   |— {timestamp}-(unknown).txt → User-uploaded compliance documents analyzed by AI to generate workflows
|
|— config/
|   |— prompts/
|   |   |— compliance-assistant-prompt.txt → Defines the AI assistant's compliance knowledge and response guidelines
|   |   |— workflow-designer-prompt.txt → Instructs the AI on generating workflows from compliance documents
|   |   |— report-analysis-prompt.txt → Guides the AI in analyzing workflow execution results for reports
|   |
|   |— workflows/
|       |— README.txt → Explains the workflows folder and backup strategy
|       |— user-workflows.json → Current active workflows available to users
|       |— backups/
|           |— user-workflows-{timestamp}.json → Timestamped backup created before each workflow update
|
|— chat-logs/
|   |— README.txt → Explains the purpose of the chat logs folder
|   |— chat-log-{timestamp}.json → Conversation logs between users and the AI, kept for the audit trail
|
|— reports/
|   |— README.txt → Explains the reports folder structure and organization
|   |— YYYY/MM/DD/
|       |— report-{workflow-name}-{timestamp}.html → Generated HTML evidence report documenting workflow execution
AI-powered workflow designer
The following image shows what happens in the frontend and which AWS services you interact with.
The workflow designer solves a key challenge: creating workflows from compliance documents quickly and accurately. You can upload a text file containing compliance requirements, and Amazon Nova 2 Lite analyzes it to generate executable workflows.
The process works in three steps: (1) Document upload – Upload a text file containing compliance requirements, (2) AI analysis – Amazon Nova 2 Lite extracts the required evidence points, identifies the systems to check, and determines automation opportunities, and (3) Workflow generation – The AI generates complete workflow JSON with navigation steps, screenshot points, and user confirmation steps where needed.
For example, given a document stating, "To take the evidence we need to take some screenshots from GitHub.com. After logging in, go to repo "https://github.com/aws-samples". Verify branch protection is enabled on the main branch with required reviews. Take a screenshot after logging in and then again after the verification steps." Nova 2 Lite analyzes the document and generates the following workflow:
{
  "workflows": [
    {
      "name": "GitHub Branch Protection Verification",
      "description": "Verify branch protection is enabled on the main branch with required reviews",
      "steps": [
        {
          "action": "navigate",
          "url": "https://github.com",
          "description": "Navigate to GitHub homepage"
        },
        {
          "action": "wait_for_user",
          "description": "Please log in with your GitHub credentials, then click Continue"
        },
        {
          "action": "screenshot",
          "description": "Capture the page after login for evidence"
        },
        {
          "action": "navigate",
          "url": "https://github.com/YOUR_REPO",
          "description": "Navigate to the repository where you want to verify branch protection"
        },
        {
          "action": "click",
          "element": "Settings",
          "description": "Click on the Settings tab"
        },
        {
          "action": "click",
          "element": "Branches",
          "description": "Click on the Branches option under Settings"
        },
        {
          "action": "screenshot",
          "description": "Capture the branch protection settings page for evidence"
        }
      ]
    }
  ]
}
The workflow designer includes a test mode where you can execute the generated workflow immediately to verify that it works correctly. If steps need adjustment, the edit mode allows JSON modifications with syntax highlighting and validation.
Prerequisites
Before you begin, verify that you have:
Deployment and setup
Clone the GitHub repository and navigate to the project directory for the specific browser that you're using. The main directory contains chrome-extension and firefox-extension folders.
git clone https://github.com/aws-samples/sample-ai-powered-compliance-evidence-collector
cd sample-ai-powered-compliance-evidence-collector
We provide a unified AWS CloudFormation template that deploys the entire AWS infrastructure with support for Chrome, Firefox, or both browsers. You must set AdminEmail to the email address that Amazon SES uses to send the generated reports and UserEmail to the email address that receives both the temporary Amazon Cognito password and the compliance report.
You can use the BrowserType parameter to select which browser extensions to support:
- Chrome – configured for the Chrome extension only
- Firefox – configured for the Firefox extension only
- Both – configured for both the Chrome and Firefox extensions (default)
aws cloudformation create-stack \
  --stack-name evidence-collector \
  --template-body file://deployment/evidence-collector-cfn.yaml \
  --parameters \
    ParameterKey=BrowserType,ParameterValue=Both \
    ParameterKey=AdminEmail,ParameterValue=admin@example.com \
    ParameterKey=UserEmail,ParameterValue=user@example.com \
    ParameterKey=BucketName,ParameterValue=my-evidence-bucket \
  --capabilities CAPABILITY_IAM \
  --region us-east-1
The template creates:
- An Amazon Cognito User Pool with a strong password policy
- An Amazon Cognito Identity Pool for AWS service access with role-based permissions
- An S3 bucket with encryption, versioning, and public access blocking
- IAM roles with least-privilege policies for Amazon Bedrock, S3, and SES access
- An AWS Lambda function that uploads the initial system prompts to S3
- An initial user with an email invitation containing a temporary password
After deployment, the CloudFormation outputs provide the values needed to configure the browser extension:
- EvidenceBucketName
- IdentityPoolId
- Region
- UserPoolClientId
- UserPoolId
You'll enter this information into the browser extension as a one-time setup. The CloudFormation outputs screen will look like the following image.
Browser extension configuration
For Chrome:
Navigate to the Chrome extension folder in the local copy of the GitHub repo you cloned earlier and run the following steps:
- cd chrome-extension
- npm install
- npm run build
This creates a dist folder inside the chrome-extension folder. Then continue with the following steps in the Chrome browser.
- Go to the Chrome browser.
- Navigate to chrome://extensions in the address bar.
- Enable Developer mode (toggle in the top-right corner).
- Select the Load unpacked button.
- Navigate to and select the chrome-extension/dist folder.
After you have the extension installed, enter the outputs from the CloudFormation template to configure it, as shown in the following image.
For Firefox:
Navigate to the Firefox extension folder in the local copy of the GitHub repo you cloned earlier and run the following steps:
- cd firefox-extension
- npm install
- npm run build
This creates a dist folder inside the firefox-extension folder. Then continue with the following steps in the Firefox browser.
- Go to the Firefox browser.
- Navigate to about:debugging in the address bar.
- In the left-hand menu, select This Firefox.
- Choose the Load Temporary Add-on button.
- Navigate to the firefox-extension/dist folder.
- Select the manifest.json file.
The extension is now installed temporarily and will remain active until you restart Firefox. It appears under the Temporary Extensions header. After installation, enter the CloudFormation template outputs into the extension to configure it, as shown in the following image.
After you have the configuration in place, save it and log in with the username and temporary password that were emailed to you. At first login, you will be asked to change the user's password.
Solution demo
Let's walk through a typical audit workflow. In our example, we use Chrome as the browser and the AWS IAM Access Review workflow that ships as a starting example.
- Open the extension side panel, choose the Evidence Collector, and select the gear icon to view the available workflows. To review AWS IAM Access Review, choose the eye icon to see the workflow steps. When it's ready, select the play button to start the workflow.
- Execution start: The workflow begins by navigating to the AWS IAM console page.
- Authentication: The workflow pauses with a "Please log in to AWS Console" message and a Continue Workflow button. We're already logged in, so we can select Continue.
- Automated evidence collection: The workflow automatically captures screenshots of the specific areas the workflow instructs it to.
- Evidence organization: The extension uploads the screenshots to S3 with timestamps and organizes them under /evidence/xxxx/xx/xx/aws-iam-access-review/. Each file name includes the timestamp, region, and description.
- Workflow completion: The chat displays a Generate Evidence Report button after the workflow is completed. Selecting it creates an HTML report with screenshots, timestamps, and workflow details and sends it by email.
The process is consistent: the same evidence is collected every time, with the same naming conventions and organization. The following video shows the workflow in progress.
The following video shows the email that is generated and sent to the user.
Automated workflow execution
With the architecture in mind, let's see how workflows actually execute. This example shows an IAM audit workflow:
{
  "workflows": [
    {
      "description": "Review AWS IAM users and roles for compliance",
      "name": "AWS IAM Access Review",
      "steps": [
        {
          "action": "navigate",
          "description": "Navigate to AWS IAM console",
          "url": "https://console.aws.amazon.com/iam/home#/users"
        },
        {
          "action": "wait_for_user",
          "description": "Please log into AWS Console, then select Continue"
        },
        {
          "action": "navigate",
          "description": "Navigate to IAM Users page",
          "url": "https://console.aws.amazon.com/iam/home#/users"
        },
        {
          "action": "screenshot",
          "description": "Capture IAM Users page for evidence"
        },
        {
          "action": "navigate",
          "description": "Navigate to IAM Roles page",
          "url": "https://console.aws.amazon.com/iam/home#/roles"
        },
        {
          "action": "screenshot",
          "description": "Capture IAM Roles page for evidence"
        }
      ]
    }
  ]
}
The workflow engine executes each step sequentially, waiting for page loads and handling asynchronous operations. For screenshot steps, the engine verifies that the page is fully rendered before capture, adds timestamp overlays, and uploads to Amazon S3 with organized naming.
User confirmation steps (wait_for_user) pause execution and display a Continue button in the chat interface. This handles scenarios like authentication where automation isn't possible or desirable. The workflow resumes when you confirm completion.
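To make the workflow format and the engine's step-by-step behaviour concrete, here is an added example (not the project's own code) that validates a workflow document in the shape shown above and dry-runs it without a browser, producing the S3 evidence key each screenshot step would upload to. The step actions and the evidence/YYYY/MM/DD/<workflow> layout come from the post; the exact file-name pattern and the https-only rule are assumptions.

```javascript
// Added example, not the extension's own engine. Actions and required fields
// follow the workflow JSON shown in the post; the evidence key pattern is assumed.
const ALLOWED_ACTIONS = {
  navigate: ["url"],      // value: extra fields each action must carry
  wait_for_user: [],
  click: ["element"],
  screenshot: [],
};

// Returns a list of validation errors; an empty list means the document is usable.
function validateWorkflowDocument(doc) {
  const errors = [];
  if (!doc || !Array.isArray(doc.workflows)) return ["top-level 'workflows' must be an array"];
  doc.workflows.forEach((wf, wi) => {
    if (typeof wf.name !== "string" || !wf.name) errors.push(`workflow[${wi}]: missing name`);
    if (!Array.isArray(wf.steps) || wf.steps.length === 0) {
      errors.push(`workflow[${wi}]: steps must be a non-empty array`);
      return;
    }
    wf.steps.forEach((step, si) => {
      const required = ALLOWED_ACTIONS[step.action];
      if (!required) { errors.push(`workflow[${wi}] step[${si}]: unknown action '${step.action}'`); return; }
      for (const field of required) {
        if (typeof step[field] !== "string" || !step[field]) errors.push(`workflow[${wi}] step[${si}]: '${step.action}' needs '${field}'`);
      }
      // Assumed hardening rule: only navigate to https URLs so evidence is never captured over plain HTTP.
      if (step.action === "navigate" && !/^https:\/\//.test(step.url)) errors.push(`workflow[${wi}] step[${si}]: url must use https`);
    });
  });
  return errors;
}

// Assumed key layout: evidence/YYYY/MM/DD/<workflow-slug>/screenshot-<utc-timestamp>-<region>-<description-slug>.png
function evidenceKey(workflowName, region, description, when) {
  const slug = (s) => s.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/(^-|-$)/g, "");
  const y = when.getUTCFullYear();
  const m = String(when.getUTCMonth() + 1).padStart(2, "0");
  const d = String(when.getUTCDate()).padStart(2, "0");
  const ts = when.toISOString().replace(/[:.]/g, "-");
  return `evidence/${y}/${m}/${d}/${slug(workflowName)}/screenshot-${ts}-${region}-${slug(description)}.png`;
}

// Dry run: walks the steps in order and returns the execution plan. wait_for_user
// becomes a pause entry (the engine would block here until the user selects Continue).
function dryRun(workflow, region, clock) {
  const plan = [];
  for (const step of workflow.steps) {
    if (step.action === "wait_for_user") plan.push({ pause: true, prompt: step.description });
    else if (step.action === "screenshot") plan.push({ upload: evidenceKey(workflow.name, region, step.description, clock()) });
    else plan.push({ [step.action]: step.url || step.element });
  }
  return plan;
}
```

Running validateWorkflowDocument on AI-generated JSON before saving it catches an unknown action or a missing url without executing anything in the browser.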
Clean up
Delete the CloudFormation stack:
aws cloudformation delete-stack --stack-name evidence-collector --region us-east-1
The stack deletion removes the Amazon Cognito User Pool, Identity Pool, IAM roles, Lambda function, and S3 bucket.
Conclusion
In this post, we showed you how to build an AI-powered system for automating compliance evidence collection. You learned how to use Amazon Nova 2 Lite from Amazon Bedrock together with browser extension capabilities to create a solution that works with modern web applications and adapts to changing requirements. The solution provides workflow execution with page load synchronization, generates workflows from compliance documents, and stores evidence with audit logs. The CloudFormation deployment sets up the entire infrastructure in minutes. To get started, deploy the CloudFormation stack, configure the browser extension with your AWS credentials, and run one of the sample workflows. Then use the workflow designer to create custom workflows for your compliance requirements.
About the authors
Ravi Kumar
Ravi is a Senior Technical Account Manager in AWS Enterprise Support who helps customers in the travel and hospitality industry streamline their cloud operations on AWS. He is a results-driven IT professional with over 20 years of experience. Ravi is passionate about generative AI and actively explores its applications in cloud computing. In his free time, Ravi enjoys creative activities like painting. He also likes playing cricket and traveling to new places.
Salman Ahmed
Salman is a Senior Technical Account Manager at AWS. He focuses on guiding customers through the design, implementation, and support of AWS solutions. Combining his networking expertise with a drive to explore new technologies, he helps organizations successfully navigate their cloud journey. Outside of work, he enjoys photography, traveling, and watching his favorite sports teams.
Sergio Barraza
Sergio is a Senior Technical Account Manager at AWS, helping customers design and optimize cloud solutions. With more than 25 years in software development, he guides customers through AWS services adoption. Outside of work, Sergio is a multi-instrument musician playing guitar, piano, and drums, and he also practices Wing Chun Kung Fu.

