Managing costs across multiple AWS accounts often requires finance teams to query data from multiple sources to get a complete view of spending and optimization opportunities. In this post, you learn how to build a FinOps agent using Amazon Bedrock AgentCore that helps your finance team manage AWS costs across multiple accounts. This conversational agent consolidates data from AWS Cost Explorer, AWS Budgets, and AWS Compute Optimizer into a single interface, so your team can ask questions like “What are my top cost drivers this month?” and receive immediate answers.
You learn to set up the architecture, deploy the solution using AWS Cloud Development Kit (AWS CDK), and interact with your cost data through natural language queries. The solution uses AgentCore, Anthropic Claude Sonnet 4.5, the Strands Agent SDK, and the Model Context Protocol (MCP).
You will have conversation memory that retains 30 days of context, so you can ask follow-up questions without repeating information. Over 20 specialized tools cover the full spectrum of cost management, from analysis to optimization, alleviating the need to manually navigate multiple AWS consoles. Natural language interaction makes cost data accessible to team members across your organization.
Solution overview
This solution consists of two main components: the authentication and frontend layer and the Amazon Bedrock AgentCore Runtime with tools and memory. Amazon Cognito manages user authentication while the AgentCore Runtime processes cost management queries. The authentication and frontend layer uses AWS Amplify to host the web application interface and Amazon Cognito for user authentication. Amazon Cognito handles user authentication and provides temporary AWS credentials through Identity Pools.
The custom agent for FinOps is hosted on AgentCore Runtime and built with the Strands Agent that integrates with Amazon Bedrock to access a Large Language Model (LLM). Amazon Bedrock AgentCore Gateway manages tool invocations and routes requests to backend services using AWS Identity and Access Management (IAM) authentication. MCP Servers are hosted on AgentCore Runtime to provide access to AWS Billing and Cost Management tools. AgentCore Memory maintains conversation history for up to 30 days of context retention. AgentCore Identity manages the OAuth 2.0 credential lifecycle for secure communication between the Gateway and MCP server runtimes. It stores the Amazon Cognito M2M client credentials as an OAuth credential provider and issues tokens on behalf of the Gateway when it needs to authenticate with the MCP runtimes.
With these components in place, the next section examines how they work together in the complete architecture.
Architecture diagram
The following diagram represents the solution architecture, which contains five key sections:
Section A – Authentication Infrastructure: First, the FinOpsAuthStack CDK stack deploys the authentication infrastructure (Amazon Cognito User Pool, Identity Pool, M2M client, resource server, and IAM roles). The User Pool handles user authentication, the M2M client enables machine-to-machine OAuth 2.0 flows between the Gateway and MCP runtimes, and the Identity Pool provides temporary AWS credentials that allow the frontend application to securely communicate with the AgentCore Runtime.
Section B – Image Build Infrastructure: Next, the FinOpsImageStack CDK stack deploys the container image build pipeline (Amazon S3 bucket, AWS CodeBuild projects, and Amazon Elastic Container Registry (Amazon ECR) repositories). CodeBuild clones the upstream AWS Labs MCP servers, applies a stdio-to-HTTP transformation (patching them for streamable-http transport), and builds AWS Graviton (ARM64) container images that are stored in Amazon ECR for use by the AgentCore Runtimes.
Section C – MCP Server Runtimes: The FinOpsMCPRuntimeStack CDK stack deploys two AgentCore Runtimes running the transformed AWS Labs MCP servers (Billing and Pricing). Each runtime is configured with JWT authorization using the AuthStack’s Amazon Cognito and has specific IAM permissions for the AWS APIs it accesses: for example, AWS Billing and Cost Management and AWS Compute Optimizer for the Billing runtime, and AWS Pricing for the Pricing runtime.
Section D – AgentCore Gateway: The FinOpsAgentCoreGatewayStack CDK stack deploys the AgentCore Gateway with AWS_IAM authorization, an OAuth credential provider (registered with AgentCore Identity using the AuthStack’s Cognito M2M credentials), and two MCP server targets pointing to the Billing and Pricing runtimes. The Gateway provides a unified tool discovery and invocation endpoint, handling OAuth token exchange for outbound authentication to the MCP runtimes.
Section E – Main Agent Runtime: Finally, the FinOpsAgentRuntimeStack CDK stack deploys the main AgentCore Runtime. It uses the Strands Agent Framework with Claude Sonnet 3.7 to orchestrate model invocations and tool calls through the Gateway. It also deploys AgentCore Memory for conversation history. The Runtime connects to the Gateway via IAM SigV4 authentication, discovers 24 tools from both MCP servers, and routes tool requests through the Gateway to retrieve cost, billing, and pricing data.
Using the web application
Now that you understand the architecture, let’s walk through a sample request flow. For example, what happens when a user asks “What are my AWS costs for January 2026?”
- The FinOps user accesses the web application hosted on AWS Amplify, which serves the frontend (HTML, CSS, JavaScript).
- The user authenticates with Amazon Cognito. Amazon Cognito validates the credentials and returns temporary AWS credentials from the Identity Pool.
- The frontend sends the user’s question to the AgentCore Runtime and uses the temporary AWS credentials to call InvokeAgentRuntime.
- The Strands agent inside the runtime sends the question along with 24 available tool definitions to Claude Sonnet 4.5 on Amazon Bedrock. The model analyzes the question and decides it needs to call the billingMcp__cost_explorer
- The agent receives the tool call request from the model and routes it to the AgentCore Gateway using IAM SigV4 authentication (InvokeGateway).
- The Gateway must authenticate with the MCP runtime. It contacts AgentCore Identity to obtain an OAuth 2.0 token using the registered credential provider (backed by Cognito M2M client credentials).
- The Gateway sends the MCP tools/call request with the OAuth token to the Billing MCP Runtime.
- The Billing MCP Runtime executes the actual API call to AWS Cost Explorer and requests cost and usage data for January 2026 using its execution role.
- The cost data flows back through the chain. The Billing MCP Runtime responds to the Gateway, then the Gateway responds to the agent. The agent sends the cost data back to Amazon Bedrock, where Claude generates a natural language summary of the January 2026 costs.
- The formatted response is returned to the FinOps user, displaying the cost breakdown in the chat interface.
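The SigV4 signing that the frontend's InvokeAgentRuntime call and the agent's Gateway call rely on, as an added example that is not code from the sample repository: it shows that the session token of the temporary credentials is itself a signed header and that a changed request body no longer matches the signature. The credentials, host, path, tool arguments, and the bedrock-agentcore signing name are assumptions constructed for illustration.

```python
import datetime, hashlib, hmac, json

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(creds, region, service, host, path, body, now):
    """Build SigV4 headers for a JSON POST made with temporary credentials."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {
        "content-type": "application/json",
        "host": host,
        "x-amz-date": amz_date,
        # Temporary credentials carry a session token, and it is signed too.
        "x-amz-security-token": creds["session_token"],
    }
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Path is assumed to need no URI encoding; the query string is empty.
    canonical = "\n".join(["POST", path, "", canonical_headers, signed, payload_hash])
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + creds["secret_key"]).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)  # key is scoped to day, Region and service
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

def signature_matches(received, creds, region, service, host, path, body, now):
    """Receiver side: recompute the signature over what actually arrived."""
    expected = sigv4_headers(creds, region, service, host, path, body, now)
    return hmac.compare_digest(expected["authorization"], received["authorization"])

# Constructed sample values (assumptions): not real credentials or endpoints,
# and the signing name "bedrock-agentcore" is assumed, not taken from the page.
CREDS = {"access_key": "ASIAEXAMPLE", "secret_key": "constructed-secret",
         "session_token": "constructed-session-token"}
TARGET = ("us-east-1", "bedrock-agentcore", "gateway.example.invalid", "/mcp")
NOW = datetime.datetime(2026, 1, 15, 12, 0, tzinfo=datetime.timezone.utc)
BODY = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                   "params": {"name": "get_cost_and_usage", "arguments": {}}}).encode()

if __name__ == "__main__":
    sent = sigv4_headers(CREDS, *TARGET, BODY, NOW)
    print(signature_matches(sent, CREDS, *TARGET, BODY, NOW))         # unchanged body
    print(signature_matches(sent, CREDS, *TARGET, BODY + b" ", NOW))  # altered body
```

In a deployment the AWS SDK performs this signing; the value of seeing it spelled out is that the signing key is scoped to one day, Region and service, so a captured signature cannot be replayed against another service or on a later date.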
Prerequisites
Before you begin, verify that you have:
- An AWS account with appropriate permissions for the following services:
  - Amazon Bedrock, AgentCore, Amazon ECR, AWS Lambda, Amazon Cognito, AWS CodeBuild, and IAM
- AWS Command Line Interface (AWS CLI) (v2.x) configured with credentials
- Node.js (v18 or later) and npm installed
- Python 3.13 or higher installed
- AWS CDK installed and bootstrapped in your AWS account
  - Install: npm install -g aws-cdk
  - Bootstrap: cdk bootstrap aws://AWS-ACCOUNT-NUMBER/AWS-REGION
Deploy the solution using AWS CDK
This solution deploys to the us-east-1 AWS Region. The deployment uses the AWS CDK to provision the infrastructure through three AWS CloudFormation stacks.
To deploy the solution:
Step 1: Clone the repository
git clone https://github.com/aws-samples/sample-finops-agent-amazon-bedrock-agentcore
cd sample-finops-agent-amazon-bedrock-agentcore
Step 2: Set environment variables
Replace your-email@example.com with your email address to receive the temporary admin password:
export ADMIN_EMAIL="your-email@example.com"
Step 3: Deploy using CDK
cd cdk && npm install && npm run build && npx cdk bootstrap && npx cdk deploy --all --require-approval never
The deployment script installs CDK dependencies, builds TypeScript code, bootstraps the CDK if needed, then deploys the three stacks in sequence. The process takes approximately 15-20 minutes. After completion, you’ll have five CloudFormation Stacks within your account.
After deployment of the last CloudFormation Stack, FinOpsAgentRuntimeStack, completes, note the following outputs from the terminal:
- User Pool Id – Cognito Identity Pool ID
- User Pool Client Id – Cognito User Pool Client ID
- Identity Pool Id – Identity Pool ID
- AgentCore ARN – AgentCore runtime ARN
The following screenshot shows you what the Outputs will look like.
You’ll receive an email with a temporary password for the admin user.
With the infrastructure deployed, you can now configure and use the web application to interact with your cost data.
Deploy the Amplify application
While we provide a sample frontend hosted on AWS Amplify, you can integrate the solution with your own custom frontend or connect it to your existing enterprise communication tools. The frontend application requires manual deployment using code from the GitHub repository:
- Download the frontend code AWS-Amplify-Frontend.zip from GitHub.
- Navigate to AWS Amplify in the AWS Management Console.
- Choose Deploy without Git provider.
- Upload the application .zip file.
- Wait for deployment to complete.
- Note the generated domain URL.
Understanding the MCP servers
MCP servers (AWS Billing and Cost Management MCP Server and AWS Pricing MCP Server) provide cost management and pricing tools. Each MCP server is designed to handle specific types of queries. The AWS Billing and Cost Management MCP Server specializes in historical spend analysis, budget monitoring, cost anomaly detection, and optimization recommendations using your actual AWS account data. The AWS Pricing MCP Server handles forward-looking queries by providing real-time pricing data from the AWS Price List API, enabling cost estimation for new workloads and infrastructure as code (IaC) projects.
Using the web application
Open the URL provided after creating your AWS Amplify application. You will be prompted to enter your Amazon Cognito and AgentCore configuration details. Enter the values from your stack output (collected earlier). From the Agent Type menu, select AgentCore Agent, enter the deployment Region, and choose an Agent Name (in this example, we use AgentCore Agent). Save the configuration as shown in the following image:
Sign in with your username and the temporary password sent to your email. At first sign-in, you will be asked to reset your password. After resetting your password, you can start asking questions. For example, ask “What are my AWS costs for January 2026?” When you ask about costs, the system uses the get_cost_and_usage tool to retrieve your cost data and provides a detailed breakdown by service.
Ask “What are my current cost savings opportunities?” The agent calls multiple tools to identify optimization opportunities:
- get_rightsizing_recommendations – identifies over-provisioned or underutilized resources
- get_savings_plans_recommendations – suggests commitment-based discount plans
- get_compute_optimizer_recommendations – provides compute optimization insights
Next, ask “Can you give me details of any underutilized EC2 instances?” Thanks to conversation memory, follow-up questions maintain context from the previous question and provide detailed information about specific instances.
See this interactive session in action in the following video.
Here are additional sample queries to try:
- “Show me my costs by Region for the last 30 days”
- “What’s my cost forecast for the next 3 months?”
- “Compare pricing for t3.micro and t3.small instances”
- “Are there any cost anomalies in my account?”
- “What’s my free tier usage status?”
- “Show me my budgets and their current status”
- “What’s the pricing for Lambda in us-east-1?”
- “Get rightsizing recommendations for my EC2 instances”
Conversational memory in action
AgentCore Memory maintains context across multiple questions:
You: “What are my top 5 services by cost?” Agent: (Provides list of top 5 services)
You: “What about the second?” Agent: (Remembers the previous list and provides details)
You: “How can I optimize it?” Agent: (Provides optimization recommendations)
See this interactive session in action in the following video.
AgentCore Memory automatically manages conversation history, and the Strands session manager retrieves relevant context for each request.
Clean up
To avoid incurring future charges, delete the resources created by this solution.
Delete the stacks:
cd sample-finops-agent-amazon-bedrock-agentcore/cdk
npx cdk destroy --all
You will be prompted with the following:
Are you sure you want to delete: FinOpsAgentRuntimeStack, FinOpsAgentCoreGatewayStack, FinOpsMCPRuntimeStack, FinOpsAuthStack, FinOpsImageStack (y/n)
Type y to delete the stacks.
Delete the Amplify application:
- In the Amplify console, in the left-hand navigation for your app, choose App settings, and select General settings.
- In the General settings section, choose Delete app.
Conclusion
In this post, we showed you how to build a FinOps agent using AgentCore. The agent provides natural language access to cost analysis and optimization recommendations by consolidating data from AWS Cost Explorer, AWS Budgets, and Compute Optimizer.
The architecture combines AgentCore Runtime, Gateway, Memory, Identity, the Strands Framework, MCP, and Claude Sonnet 4.5. You can extend this foundation to other use cases like DevOps automation, security analysis, and compliance monitoring. Get started today by visiting the GitHub repository.
About the authors
Salman Ahmed
Salman is a Senior Technical Account Manager at AWS. He specializes in guiding customers through the design, implementation, and support of AWS solutions. Combining his networking expertise with a drive to explore new technologies, he helps organizations successfully navigate their cloud journey. Outside of work, he enjoys photography, traveling, and watching his favorite sports teams.
Ravi Kumar
Ravi is a Senior Technical Account Manager in AWS Enterprise Support who helps customers in the travel and hospitality industry to streamline their cloud operations on AWS. He is a results-driven IT professional with over 20 years of experience. Ravi is passionate about generative AI and actively explores its applications in cloud computing. In his free time, Ravi enjoys creative activities like painting. He also likes playing cricket and traveling to new places.
Sergio Barraza
Sergio is a Senior Technical Account Manager at AWS, helping customers design and optimize cloud solutions. With more than 25 years in software development, he guides customers through AWS services adoption. Outside of work, Sergio is a multi-instrument musician playing guitar, piano, and drums, and he also practices Wing Chun Kung Fu.

