Tags: multi-agent systems, identity, cloud

Multi-agent systems on AWS with Bedrock AgentCore

Design and operate multi-agent systems on AWS using Bedrock AgentCore Runtime: internal agent-to-agent (A2A) calls, Strands-powered human approvals, Cognito/IAM identity, MCP tools through a gateway (FastMCP and external servers), and observability with CloudWatch, OpenTelemetry, and Langfuse; deployed via GitHub Actions.

Overview

We designed and implemented a generic, reusable blueprint for multi-agent systems on AWS centered on Bedrock AgentCore Runtime. Clients call the runtime URL directly; every call carries a Cognito-issued token, and IAM Identity Center supplies the role mapping that scopes what each agent may do. Human-in-the-loop approvals for sensitive actions use the Strands SDK/Runtime. MCP tools are reached through an MCP Gateway fronting FastMCP and external servers, and observability spans CloudWatch, OpenTelemetry, and Langfuse, with CI/CD via GitHub Actions.
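As an added example (not code from the case study), this is the entrypoint-side check a practitioner would put in front of the runtime URL: validating a Cognito-style access token and turning its groups into platform roles. The region, user pool ID, app client ID and the group-to-role map are assumptions. The signature check uses HS256 with a shared key only so the example runs offline; real Cognito tokens are RS256-signed and must be verified against the pool's JWKS, with the algorithm pinned in the same way.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real deployment uses its own region,
# user pool ID and app client ID, and verifies RS256 signatures against the
# pool's JWKS at <issuer>/.well-known/jwks.json.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
EXPECTED_CLIENT_ID = "example-app-client-id"

# Assumed mapping from Cognito group to a platform role; the case study sources
# this role mapping from IAM Identity Center.
GROUP_TO_ROLE = {"agent-operators": "operator", "agent-readers": "reader"}

CLOCK_SKEW_SECONDS = 60


class TokenError(Exception):
    """Raised for any token the runtime must not trust."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(claims: dict, key: bytes) -> str:
    """Constructed helper: builds an HS256-signed JWT so the example runs offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_access_token(token: str, key: bytes, now=None) -> dict:
    """Validate a Cognito-style access token and return the caller's identity.

    HS256 with a shared key stands in for the RS256/JWKS verification a real
    Cognito pool requires; the claim checks below are the same either way.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, body_b64, sig_b64 = parts

    # Pin the algorithm: the verifier decides, never the token (rejects alg=none).
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise TokenError("malformed header")
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")

    # Verify the signature before trusting any claim in the payload.
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))

    # Bind the token to this user pool, this app client and this token type.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenError("issuer mismatch")
    if claims.get("token_use") != "access":
        raise TokenError("not an access token")
    if claims.get("client_id") != EXPECTED_CLIENT_ID:
        raise TokenError("client_id mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW_SECONDS:
        raise TokenError("expired")
    if claims.get("iat", 0) > now + CLOCK_SKEW_SECONDS:
        raise TokenError("issued in the future")
    if not claims.get("sub"):
        raise TokenError("missing sub")

    groups = claims.get("cognito:groups", [])
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    return {"sub": claims["sub"], "roles": roles, "scopes": claims.get("scope", "").split()}


def authenticate(token: str, key: bytes, now=None) -> dict:
    """Entrypoint-friendly wrapper: never raises; returns the identity or a deny reason."""
    try:
        return {"ok": True, "identity": validate_access_token(token, key, now)}
    except TokenError as exc:
        return {"ok": False, "reason": str(exc)}


if __name__ == "__main__":
    key = b"constructed-shared-key"
    now = int(time.time())
    token = mint_test_token({"iss": EXPECTED_ISSUER, "token_use": "access",
                             "client_id": EXPECTED_CLIENT_ID, "sub": "user-123",
                             "iat": now, "exp": now + 3600,
                             "cognito:groups": ["agent-operators"], "scope": "agents/invoke"}, key)
    print(authenticate(token, key))
```

Pinning `alg` and checking `iss`, `client_id` and `token_use` is what binds a token to this pool and this app client: a token from another pool, an ID token presented as an access token, or a token for a different client fails before any role mapping happens, and the deny reason is what the runtime should log against the caller.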

Architecture

graph LR
  subgraph Clients
    U[User Portal]:::client
    CLI[Ops CLI]:::client
  end

  subgraph Identity
    Cognito[AWS Cognito]:::identity
    IDCenter[IAM Identity Center]:::identity
    Strands[Strands SDK and Runtime]:::identity
  end

  subgraph Runtime
    AgentRT[Bedrock AgentCore Runtime]:::agent
  end

  subgraph AgentCore
    Queue[SQS Work Queue]:::data
    State[DynamoDB State]:::data
  end

  subgraph Gateway
    MCPGW[MCP Gateway]:::gateway
  end

  subgraph Tools
    FastMCP[FastMCP Servers]:::tool
    External[External MCP Tools]:::tool
  end

  subgraph CI
    GH[GitHub Actions]:::ci
  end

  subgraph Observability
    CW[CloudWatch Logs and Metrics]:::obs
    OTEL[OpenTelemetry Traces]:::obs
    LF[Langfuse]:::obs
  end

  U -->|call runtime url| AgentRT
  CLI -->|call runtime url| AgentRT
  Cognito -->|tokens| AgentRT
  IDCenter -->|role mapping| AgentRT
  Strands -->|human approvals| AgentRT
  AgentRT -->|tasks| Queue
  AgentRT -->|state| State
  AgentRT -->|tools| MCPGW
  MCPGW --> FastMCP
  MCPGW --> External
  GH -->|apply config| AgentRT
  AgentRT --> CW
  AgentRT --> OTEL
  AgentRT --> LF

  classDef client fill:#e3f2fd,stroke:#90caf9,color:#0d47a1
  classDef identity fill:#ede7f6,stroke:#b39ddb,color:#4a148c
  classDef agent fill:#fff3e0,stroke:#ffcc80,color:#e65100
  classDef data fill:#e8f5e9,stroke:#a5d6a7,color:#1b5e20
  classDef infra fill:#f3e5f5,stroke:#ce93d8,color:#6a1b9a
  classDef gateway fill:#fbe9e7,stroke:#ffab91,color:#bf360c
  classDef tool fill:#e0f7fa,stroke:#80deea,color:#006064
  classDef ci fill:#fffde7,stroke:#fff59d,color:#f57f17
  classDef obs fill:#f1f8e9,stroke:#c5e1a5,color:#33691e

Notes

  • Infrastructure and deployments are managed as IaC with environment-specific policies.
  • CI/CD uses GitHub Actions, including build and promotion stages with canary and blue/green options.
  • Policies enforce identity-bound access, rate limits, and auditable human approvals.
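An added example (not the project's own code) of the policy layer these notes describe, in Python: a per-agent tool authorization check that denies tools outside the caller's roles, applies a sliding-window rate limit per agent identity, parks sensitive tools behind a human approval bound to a digest of the exact call, and writes every decision to an append-only audit log. The tool table, the rate-limit values and the rule that an identity cannot approve its own request are assumptions.

```python
import hashlib
import json
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Assumed policy table for this example: which platform roles may call which
# MCP tools, and which tools are sensitive enough to need a human approval.
TOOL_POLICY = {
    "search_docs":        {"roles": {"reader", "operator"}, "needs_approval": False},
    "create_ticket":      {"roles": {"operator"},           "needs_approval": False},
    "rotate_credentials": {"roles": {"operator"},           "needs_approval": True},
}
RATE_LIMIT_CALLS, RATE_LIMIT_WINDOW = 5, 60.0   # per agent identity (assumed values)


@dataclass(frozen=True)
class AuditEvent:
    ts: float
    agent_id: str
    tool: str
    call_digest: str            # SHA-256 over tool name + canonical arguments
    decision: str               # "allow" | "deny" | "pending_approval"
    reason: str
    approver: Optional[str] = None


def call_digest(tool: str, args: dict) -> str:
    """Canonical digest of a tool call, so an approval is bound to exactly these arguments."""
    canonical = json.dumps({"tool": tool, "args": args}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class ToolPolicyEngine:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock for testing
        self._calls = defaultdict(deque)     # agent_id -> call timestamps inside the window
        self._pending = {}                   # (agent_id, digest) -> (tool, args)
        self.audit = []                      # append-only audit trail of every decision

    def _emit(self, **fields) -> AuditEvent:
        event = AuditEvent(ts=self._now(), **fields)
        self.audit.append(event)
        return event

    def _over_rate_limit(self, agent_id: str) -> bool:
        window, now = self._calls[agent_id], self._now()
        while window and now - window[0] > RATE_LIMIT_WINDOW:
            window.popleft()
        if len(window) >= RATE_LIMIT_CALLS:
            return True
        window.append(now)
        return False

    def authorize(self, agent_id: str, roles, tool: str, args: dict) -> AuditEvent:
        """Decide whether this agent identity may run this tool call right now."""
        digest = call_digest(tool, args)
        base = dict(agent_id=agent_id, tool=tool, call_digest=digest)
        policy = TOOL_POLICY.get(tool)
        if policy is None:
            return self._emit(**base, decision="deny", reason="unknown tool")
        if not (policy["roles"] & set(roles)):
            return self._emit(**base, decision="deny", reason="role not permitted")
        if self._over_rate_limit(agent_id):
            return self._emit(**base, decision="deny", reason="rate limit exceeded")
        if policy["needs_approval"]:
            self._pending[(agent_id, digest)] = (tool, args)
            return self._emit(**base, decision="pending_approval", reason="sensitive tool")
        return self._emit(**base, decision="allow", reason="policy")

    def approve(self, agent_id: str, digest: str, approver: str, approved: bool) -> AuditEvent:
        """Record a human decision on a pending call; the digest ties it to the exact request."""
        tool, _args = self._pending.pop((agent_id, digest))   # KeyError if nothing is pending
        base = dict(agent_id=agent_id, tool=tool, call_digest=digest, approver=approver)
        # Separation of duties (assumed rule): the requesting identity cannot approve itself.
        if approver == agent_id:
            return self._emit(**base, decision="deny", reason="self-approval")
        if not approved:
            return self._emit(**base, decision="deny", reason="rejected by approver")
        return self._emit(**base, decision="allow", reason="human approved")


if __name__ == "__main__":
    engine = ToolPolicyEngine()
    request = engine.authorize("agent-b", {"operator"}, "rotate_credentials", {"secret": "db"})
    print(request.decision, request.call_digest[:12])
    print(engine.approve("agent-b", request.call_digest, "human-ops", True).decision)
```

Binding the approval to `call_digest` means the gateway should recompute the digest of the call it is about to execute and refuse it if it differs from the approved one; otherwise an agent could obtain approval for one set of arguments and run another. The audit events carry the agent identity on every decision, which is what lets them be joined to the traces and logs described later.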

Problem

The client needed a scalable agent platform with strong identity and per-agent permissions, safe A2A collaboration, human approvals for sensitive actions, tool integrations via MCP servers, and fast, observable runtime deployments.

Solution

Identity comes from Cognito (tokens) and IAM Identity Center (role mapping); the Strands SDK provides human-in-the-loop approvals for sensitive actions. Agents execute on AWS Bedrock AgentCore Runtime for low-latency actions. MCP tools are accessed through the MCP Gateway (FastMCP and external servers). SQS provides work queues; DynamoDB holds state and memory references. GitHub Actions manages releases and runtime configuration and versioning. Observability uses OpenTelemetry, CloudWatch, and Langfuse, with traces and logs correlated by agent identity.

Outcome

Identity-scoped A2A execution with approvals, reliable tool integrations through MCP Gateway, fast blue/green deployments, and unified traces/logs tied to agent identity across runtime components.

Technologies

AWS Bedrock AgentCore Runtime, AWS SQS, AWS DynamoDB, AWS Cognito, IAM Identity Center, MCP Gateway, FastMCP, Strands SDK, Strands Runtime, GitHub Actions, OpenTelemetry, Amazon CloudWatch, Langfuse, JSON Web Tokens, OpenID Connect, IaC