BroadOakData.UK

Category: articles

  • Building Cost-Effective Agentic AI on AWS: From Sandbox to Production

    Introduction

    The promise of Agentic AI—AI that doesn’t just talk, but does things—is transforming software development. But for many developers, the barrier to entry isn’t code; it’s cost.

    Spinning up managed vector databases, serverless agents, and persistent memory stores can easily rack up bills of $200+ per month just for a proof-of-concept. Furthermore, key features are often region-locked (missing in London/eu-west-2), making development frustrating.

    In this guide, I will share how we architected a robust, enterprise-grade Agentic AI sandbox on AWS for under $3.00 a month, using the open-source AWS Strands framework, Model Context Protocol (MCP), and smart architectural choices.

    What is Agentic AI?

    Before we dive into the code, it is vital to distinguish Generative AI from Agentic AI.

    • Generative AI is a Thinker. It creates text, images, video, and code based on prompts. It excels at creation but stops there.
    • Agentic AI is a Doer. It uses autonomy, reasoning, and tool use to complete multi-step workflows without human intervention.

    Instead of just asking “Write a SQL query,” an Agentic system can:

    1. Perceive: Connect to your database and read the schema.
    2. Reason: Plan a safe query based on your request.
    3. Act: Execute the query against the database.
    4. Report: Analyze the results and give you a business answer.

    The Challenge: The Cloud Cost Trap

    When we started this project, we faced three major blockers using standard managed services:

    1. Cost: Managed Vector Databases (like OpenSearch Serverless) have high minimum monthly charges ($200+).
    2. Region Locks: AWS Bedrock Agent features (Code Interpreter) were not available in our region (eu-west-2).
    3. Complexity: Setting up IAM roles (PassRole, Trust Policies) for managed agents is heavy lifting for a simple prototype.

    The Solution: The EC2 “Sandbox” Architecture

    To solve this, we moved the “Agentic Logic” out of managed services and onto a persistent, low-cost compute instance.

    The Stack

    • Compute: AWS EC2 t3.medium (2 vCPU, 4GB RAM).
    • Runtime: Podman (chosen over Docker for lower memory footprint).
    • Stability Hack: We added a 4GB Swap File to prevent the server from crashing during heavy Python library installations.
    • Cost Strategy: Using AWS EventBridge to auto-stop the instance at night, bringing costs down to ~$2.50/month.

    Evolution of Capabilities: Local Tools

    Since we couldn’t use the cloud-managed tools (due to region locks), we built Local Tools that run directly on the EC2 instance. This actually resulted in faster execution and zero incremental cost.

    1. The Code Interpreter

    Instead of an API call to a remote sandbox, we built a Python tool that executes code locally with exec(), capturing stdout to return results to the AI.

    Python

    @tool
def local_python_executor(code: str) -> str:
    """Executes Python code locally for math and data analysis."""
    output_buffer = io.StringIO()
    with contextlib.redirect_stdout(output_buffer):
        exec(code)
    return output_buffer.getvalue()

    2. The Web Browser

    We replaced the managed browser service with Playwright and BeautifulSoup running in headless mode on the server. This allows the agent to visit URLs, strip out the HTML noise, and read the core text content.

    3. Memory

    We replaced the managed Agent Memory service with a simple local SQLite database (agent_memory.db). This gives us persistent conversation history that survives server restarts, for free.

    Advanced Pattern: Model Context Protocol (MCP)

    We integrated the Model Context Protocol (MCP), an open standard for connecting AI to data.

    We encountered issues with the official Node.js/NPM-based MCP servers (broken packages). Our solution was to build a Pure Python MCP Architecture:

    1. Server: A local Python script (math_server.py) running via Stdio.
    2. Client: A robust Python client that manages the subprocess connection.
    3. Bridge: A tool wrapper that allows the Strands Agent to “call” the MCP tools transparently.

    This proved that you don’t need complex microservices to use MCP; you just need a standard input/output pipe.

    Orchestration: “Agents as Tools”

    The true power of Strands is the “Agents as Tools” pattern. We built a Warehouse Management System where one “Boss” agent directs multiple “Specialist” agents.

    • The Orchestrator: The interface for the user. It has no tools of its own.
    • The Selector Agent: A specialist that can read the database schema but cannot run queries. It writes the SQL.
    • The Warehouse Tool: A “dumb” tool that executes the SQL provided by the Selector.

    The Flow:

    User asks: “How much stock in London?”

    1. Orchestrator asks Selector: “Write a query for stock in London.”
    2. Selector (using Fuzzy Logic): Writes SELECT ... WHERE loc LIKE '%London%'.
    3. Orchestrator passes query to Warehouse Tool.
    4. Warehouse Tool returns: 50.
    5. Orchestrator replies: “We have 50 units.”

    Security: Contextual Moderation

    Standard guardrails often fail because they lack context (e.g., blocking a “drop table” discussion in a database tutorial). We implemented Contextual Moderation using a 3-Layer Defense:

    Layer 1: Input Guardrail (The Hook)

    A fast Regex filter that blocks PII (emails, SSNs) and banned topics before the LLM is ever called. This saves money by rejecting bad requests instantly.

    Layer 2: Semantic Judge (The Brain)

    We use Amazon Nova Micro (a tiny, cheap model) as a “Judge.” Before executing any tool, it reviews the intent.

    • Scenario: User asks to “Delete the production database.”
    • Judge: “Intent is destructive. BLOCK.”

    Layer 3: Execution Guardrail (The Wrapper)

    A static analysis layer that parses generated SQL/Code and blocks dangerous keywords (DROP, DELETE, import os).

    Governance: Dynamic Policy Injection

    We implemented Role-Based Access Control (RBAC) by injecting permissions into the System Prompt at runtime.

    • Managers: Can see “Profit Margins.”
    • Interns: Can only see “Product Catalog.”
    • Result: The agent self-polices based on who is asking, providing true contextual safety.

    Path to Production

    While the EC2 sandbox is perfect for development, moving to production requires scalability.

    1. Database: Migrate local SQLite to Amazon Aurora Serverless v2 (PostgreSQL).
    2. Memory: Migrate local files to Amazon DynamoDB (Key-Value store for session history).
    3. Compute: Containerize the scripts and deploy them to AWS Fargate for serverless, auto-scaling compute.
    4. Security: Move hardcoded secrets to AWS Secrets Manager and use IAM Task Roles for least-privilege access.

    Conclusion

    By rethinking the architecture and leaning on open-source tools like Strands, Podman, and MCP, we dramatically reduced the cost of innovation. You don’t need a massive budget to build cutting-edge Agentic AI; you just need the right design patterns.

    ref: https://github.com/aws-samples/sample-bedrock-agentcore-with-strands-and-nova/