- 🏛️ Architecture Overview
- 📋 Solution Overview
- 💰 Cost
- ✅ Prerequisites
- 🚀 Deployment Steps
- 🔍 Deployment Validation
- 📘 Running the Guidance
- 🔒 Security Considerations
- 🚀 Performance Optimization
- ➡️ Next Steps
- 🧹 Cleanup
- ❓ FAQ, Known Issues, Additional Considerations, and Limitations
- 📝 Revisions
⚠️ Notices- 👥 Authors
Figure 1: Architecture diagram showing the secure authentication flow and connection to Amazon Bedrock Agents
The architecture implements a secure pattern for browser-based applications to interact with Amazon Bedrock Agents:
- Frontend Hosting: AWS Amplify hosts the React application, providing scalable content delivery
- Authentication: Amazon Cognito manages user authentication and provides temporary AWS credentials
- Secure API Access: Temporary credentials allow the frontend to make authenticated calls to Amazon Bedrock
- AI Interaction: Amazon Bedrock Agents process user queries and return responses directly to the frontend
This architecture eliminates the need for a custom backend while maintaining enterprise-grade security.
This guidance demonstrates how to build a secure, browser-based chat application that connects directly to Amazon Bedrock Agents. The solution addresses the need for organizations to quickly deploy AI-powered chat interfaces with enterprise-grade security and authentication.
What: A React-based chat UI that securely connects to Amazon Bedrock Agents.
Who: Developers and organizations looking to implement secure AI chat interfaces.
Why: To provide a production-ready solution for deploying secure AI chat applications with minimal setup.
The solution leverages AWS Amplify for hosting and deployment, while implementing secure access through Amazon Cognito's User and Identity Pools for temporary credential management and API authentication.
Demo-SecureChatUI-For-Amazon-bedrock-Agents.mp4
- The user navigates to the Secure Chat UI URL, which is hosted on AWS Amplify
- The page is returned with HTML, CSS, JavaScript. User is now able to input the configuration details for Amazon Cognito and Amazon Bedrock Agents
- Upon configuration completion, the user is prompted to authenticate using Amazon Cognito with a username and password configured for them in the user pool
- After successful authentication, Cognito Identity Pool will negotiate temporary credentials from AWS Security Token Service (STS)
- Cognito Identity Pool passes temporary AWS credentials to the frontend
- Once authenticated, the user now sees the Secure Chat UI chat prompt to interact with the Amazon Bedrock Agent that is configured
You are responsible for the cost of the AWS services used while running this Guidance.
As of May 2025, the cost for running this Guidance with the default settings in the US East (N. Virginia) Region is approximately $8.65 per month for serving up to 300 daily active users and hourly summarization by 5 developers.
We recommend creating a Budget through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, refer to the pricing webpage for each AWS service used in this Guidance.
| AWS Service | Dimensions | Cost (USD) |
|---|---|---|
| Amazon Cognito | 1,000 active users per month without advanced security feature | $0.00/month |
| AWS Amplify | 5 developers committing code twice a day + 300 daily active users | $8.00/month |
| Amazon Bedrock | 5 developers summarizing 2K to 1K output tokens hourly using Amazon Nova Lite | $0.65/month |
Development Tools
- Node.js v18+
- Latest npm version
AWS Account Requirements
-
Access to the following services:
- AWS Amplify (for hosting and deployment)
- Amazon Bedrock Agents (for AI functionality)
- Amazon Cognito (for authentication)
-
AWS Identity and Access Management (IAM) permissions to:
- Configure and manage Bedrock Agents
- Set up Cognito user/identity pools
- Deploy Amplify applications
Note: Ensure your AWS account has sufficient permissions before starting the deployment process.
Objective: Set up and deploy the Secure Chat UI application with proper configuration.
- Clone repository to your local machine:
git clone https://github.com/aws-samples/sample-cognito-integrated-bedrock-agents-chat-ui.git- Change directory to the folder:
cd sample-cognito-integrated-bedrock-agents-chat-ui- Install dependencies:
npm installSuccess Criteria: All dependencies are installed without errors.
- Start the development server:
npm run dev- Open your browser and navigate to http://localhost:5173
- Verify the application loads correctly
Success Criteria: The application is running locally and the UI is displayed correctly.
Objective: Deploy the application to AWS Amplify manually.
- Build the application:
npm run build- Package the dist folder contents:
cd dist
zip -r ../deployment.zip ./*- Navigate to the AWS Amplify Console in your AWS account
- Click on Host web app > Deploy without Git provider
- Upload the deployment.zip file created in step 2
- Follow the prompts to complete the deployment
Success Criteria: The application is successfully deployed and accessible via the Amplify URL.
Objective: Deploy the application to AWS Amplify using GitHub integration.
-
Fork this repository
-
Follow the steps in this documentation to create an app and connect to the GitHub repository you just forked
-
After connecting to your repository, you will be at the "App Setting" step in the AWS Amplify console. From there click on Edit YML File and paste the following:
version: 1
frontend:
phases:
build:
commands:
- npm install
- npm run build
artifacts:
baseDirectory: dist
files:
- "**/*"
cache:
paths:
- node_modules/**/*- Click Next and then on Save and Deploy if everything looks good in the review page
Success Criteria: The application is successfully deployed and accessible via the Amplify URL.
Objective: Configure an Amazon Bedrock Agent to work with the chat UI.
- Navigate to the Amazon Bedrock console in your AWS account
- Create and configure your Bedrock Agent
- Note down the Agent ID and other relevant configuration details
- To test this solution with a sample agent, you can leverage the Virtual Meteorologist Agent AWS CloudFormation template located here
Success Criteria: Amazon Bedrock Agent is created and configured with the necessary permissions.
Objective: Verify that all components are working correctly together.
- Navigate to your deployed Amplify application URL
- Verify that the login page appears and you can authenticate using Cognito credentials
- After login, confirm that the chat interface loads correctly
- Enter a test prompt and verify that the Bedrock Agent responds appropriately
Success Criteria:
- Amplify app is successfully deployed and accessible
- Authentication with Cognito works correctly
- The chat interface renders properly
- The Bedrock Agent responds to user inputs
If any validation step fails, refer to the Troubleshooting section below.
Objective: Use the deployed chat application to interact with your Bedrock Agent.
- Launch the app (locally or via Amplify)
- Log in via Cognito
- Enter a prompt into the chat input
- Observe the response generated by the Bedrock Agent
- You will see a conversational response in the chat UI rendered by the React app
- All requests go securely through Amplify using temporary credentials
- Errors from the backend will be printed out in the chat for your visualization and troubleshooting
- More detailed causes of an error will be also printed in the console log of the browser
- For development and debugging purposes there are specific events that are printed in the console log of the browser
This solution implements several security best practices:
- Authentication: Uses Amazon Cognito for secure user authentication
- Temporary Credentials: Leverages AWS Security Token Service to provide short-lived credentials
- No Stored Secrets: No long-term credentials are stored in the frontend
- HTTPS: All communication is encrypted in transit
Additional Security Recommendations:
- Enable Multi-Factor Authentication (MFA) in your Cognito User Pool
- Implement the principle of least privilege for IAM roles
- Consider enabling AWS WAF for additional protection against common web exploits
To optimize the performance of your deployment:
- Response Time: Configure appropriate timeouts for Bedrock Agent interactions
- Caching: Implement client-side caching for frequently accessed resources
- Monitoring: Set up Amazon CloudWatch metrics to track performance and identify bottlenecks
This implementation leverages AWS Cloudscape Design System components to create a consistent and professional user interface aligned with AWS design patterns. For future enhancements, you can also take advantage of Amplify Gen2's chat capabilities, which would allow you to seamlessly integrate interactive chat features while maintaining the same AWS-native look and feel. The addition of Amplify Gen2 chat components would complement the existing Cloudscape foundation, particularly in areas requiring real-time user interaction and support.
Objective: Remove all resources created by this guidance to avoid ongoing charges.
-
Delete Amplify app
- From AWS Amplify Console, delete the app
-
Delete Cognito pools
- Remove both User and Identity Pools
-
Delete Bedrock Agent
- Navigate to the Amazon Bedrock console and delete the created agent
-
Optional: Delete associated IAM roles and policies
Success Criteria: All resources are successfully removed and no longer incurring charges.
- Some browsers may block third-party cookies, which may affect login behavior
-
Authentication Issues:
- Verify that your Cognito User Pool is correctly configured
- Check browser console for CORS-related errors
-
Agent Not Responding:
- Confirm that your Bedrock Agent has the necessary permissions
- Verify that the Agent ID is correctly entered in the configuration
-
Deployment Failures:
- Check Amplify build logs for any errors
- Ensure all dependencies are correctly specified in package.json
- Amazon Bedrock requests are charged per token
- Consider implementing rate limiting for production deployments
- For high-traffic applications, evaluate scaling options for Cognito
For issues or feature requests, please use the GitHub Issues tab.
- v1.0.0 – Initial release with Bedrock Agent integration and Amplify deployment support
Customers are responsible for making their own independent assessment of the information in this Guidance.
This Guidance:
(a) is for informational purposes only,
(b) represents AWS current product offerings and practices, which are subject to change without notice, and
(c) does not create any commitments or assurances from AWS and its affiliates, suppliers, or licensors.
AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied.
AWS responsibilities and liabilities to its customers are controlled by AWS agreements, and this Guidance is not part of, nor does it modify, any agreement between AWS and its customers.
- Sergio Barraza
- Salman Ahmed
- Ravi Kumar
- Ankush Goyal