Using Kiro (an AI-powered IDE built on Claude) to generate a complete, production-grade AWS deployment from a spec — CloudFormation nested stacks, HIPAA-compliant networking, multi-agent Bedrock orchestration, MCP server infrastructure on ECS Fargate, and five interactive dashboards — without writing a line of IaC manually.
The EARE AWS deployment wasn't built the traditional way — writing CloudFormation YAML module by module, hand-coding Lambda functions, and manually wiring IAM roles. It was generated by Kiro, an AI-powered development environment, from a structured product requirements document and design specification.
Kiro is a spec-driven AI IDE built on Claude. The workflow: write a requirements document and design spec describing what you want to build — architecture decisions, data models, API contracts, security posture, observability requirements. Kiro reads the spec and generates the implementation: CloudFormation templates, Python Lambda functions, ECS Dockerfiles, deployment scripts, test suites, and runbooks.
For this deployment, the design spec described 13 infrastructure modules, 8 Lambda functions, 2 containerized MCP servers, a 5-agent Bedrock multi-agent swarm, 5 HTML dashboards, and a full observability stack. Kiro generated all of it from that spec — not as pseudocode or stubs, but as production-ready, deployable artifacts with least-privilege IAM, HIPAA tagging, structured logging, CloudWatch alarms, and smoke tests.
- IaC · CloudFormation: 9 modules (networking, ingestion, ETL, masking, databases, compute, CDN, AI layer, security) plus an orchestrator stack, with full parameter files for dev/staging/prod.
- AWS · Networking: 10.0.0.0/16 VPC, public/private subnet isolation, 2 NAT Gateways, 5 VPC endpoints, 3 security groups, VPC Flow Logs; all tagged HIPAA=true.
- Python 3.11 · Lambda: API handlers (health, applications, recommendations, reviews, pipeline trigger), ingestion validator, Neptune loader, vector indexer; all Python 3.11, VPC-placed.
- AWS · Step Functions: 12-state normalization workflow covering file type detection, Glue DataBrew jobs, Textract PDF extraction, Macie PHI scanning, Comprehend Medical, masking, and graph/vector routing.
- ECS Fargate · Python: Graph MCP Server (Gremlin, 4 tools) and Vector MCP Server (OpenSearch, 4 tools) on ECS Fargate. Dockerfiles, requirements, and server.py, all generated.
- Amazon Bedrock · Claude: Orchestrator + 4 specialist agents (Telemetry, Dependency, Procurement, Provisioning) + Synthesizer. Action group definitions, model IDs, timeout configs, error handling.
- HTML · Chart.js · Tailwind: 6R Output, Data Quality scoring, Custom Weights simulator, ROI Engine, and Human-in-the-Loop Review dashboards; all Chart.js and Tailwind CSS, backed by API Gateway with a static fallback.
- IAM · Secrets Manager: Per-function IAM roles with explicit allow-only policies. Read-only for MCP servers. No wildcard * actions. Secrets Manager reachable via VPC endpoint only.
- CloudWatch · SNS: CloudWatch log groups (5 categories), 5 metric alarms (Lambda errors, SFN failures, Neptune CPU, API 5xx, ingestion staleness), structured log format, SNS alerts.
- Bash · Python · Make: deploy-web-aws.sh (S3 sync + CloudFront invalidation + config.js injection), smoke-test-aws.sh (4 connectivity checks), validate-env-aws.sh, load-sample-data.py.

EARE (Enterprise Agentic Rationalization Engine) processes clinical/COTS application portfolios through the 6Rs framework. The AWS deployment runs the complete pipeline: data ingestion, ETL and PHI masking, graph and vector database population, multi-agent AI analysis, and five dashboards consumed by enterprise architects.
The pipeline stages, in order:

1. Ingestion: files land under raw/{date}/{dimension}/. The S3 event fires the Lambda validator, which checks the file extension and the dimension prefix. Valid files start the Step Functions workflow; invalid files are moved to quarantine/ and an SNS alert fires.
2. Normalization: output is written to normalized/{date}/{dimension}/. A file with an invalid schema goes to quarantine/ with a structured error.
3. PHI scanning and masking: files with high-severity findings are moved to review-required/. Files that pass get deterministic masking ([MASKED_NAME_a1b2c3d4]); the same input always produces the same token, preserving referential consistency. An audit log is written per file.

The multi-agent swarm is orchestrated by a Bedrock Orchestrator agent (Claude Sonnet 4.5) that delegates to four specialist action groups, each calling specific MCP server tools. Parallelism is baked into the execution plan: Telemetry and Procurement run concurrently; Dependency and Provisioning run sequentially after Telemetry.
| Agent | MCP Server | Tools Called | Execution Order |
|---|---|---|---|
| Orchestrator | — | Delegates to all action groups, collects outputs for Synthesizer | Drives the loop · Claude Sonnet 4.5 · 4096 tokens · 30s timeout |
| Telemetry Agent | Graph MCP | get_application_profile, get_dependencies | Parallel with Procurement |
| Dependency Agent | Graph MCP | get_dependencies, get_blast_radius, detect_circular_dependencies | Sequential, after Telemetry |
| Procurement Agent | Vector MCP | search_contracts, search_market_intel | Parallel with Telemetry |
| Provisioning Agent | Graph MCP | get_application_profile (CMDB cross-ref) | Sequential, after Dependency |
| Synthesizer Agent | — | Aggregates all specialist outputs | Final step → DynamoDB write |
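Back at the ingestion step: the validator's routing decision is the one place where an untrusted filename meets the pipeline, so it is worth seeing as an allowlist rather than a denylist. The block below is an added example, not EARE's own Lambda code; the extension and dimension allowlists, the quarantine key layout, and the injected side-effect callbacks are assumptions, and the S3 event is constructed.

```python
import os
import re
import urllib.parse
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple

# Constructed allowlists. The page names the raw/{date}/{dimension}/ layout and the
# extension and dimension-prefix checks; these concrete values are assumptions.
ALLOWED_EXTENSIONS = {".csv", ".json", ".xlsx", ".pdf"}
ALLOWED_DIMENSIONS = {"telemetry", "dependency", "procurement", "provisioning"}

_KEY_RE = re.compile(r"^raw/(?P<date>\d{4}-\d{2}-\d{2})/(?P<dimension>[^/]+)/(?P<name>[^/]+)$")


@dataclass(frozen=True)
class Decision:
    action: str                       # "start_pipeline" or "quarantine"
    reason: str
    quarantine_key: Optional[str] = None


def _quarantine_key(key: str) -> str:
    # Keep the original path under quarantine/ so the audit trail survives the move;
    # keys that never matched the raw/ layout go under quarantine/unclassified/.
    rest = key[len("raw/"):] if key.startswith("raw/") else "unclassified/" + os.path.basename(key)
    return "quarantine/" + rest


def validate_key(key: str) -> Decision:
    """Route one S3 object key: everything not explicitly allowed is quarantined."""
    m = _KEY_RE.match(key)
    if not m:
        return Decision("quarantine", "key is not raw/{date}/{dimension}/{file}", _quarantine_key(key))
    try:
        datetime.strptime(m.group("date"), "%Y-%m-%d")
    except ValueError:
        return Decision("quarantine", f"bad date partition {m.group('date')}", _quarantine_key(key))
    dimension = m.group("dimension")
    if dimension not in ALLOWED_DIMENSIONS:
        return Decision("quarantine", f"unknown dimension {dimension}", _quarantine_key(key))
    # Only the final suffix counts, so export.csv.exe is judged by .exe, not .csv.
    ext = os.path.splitext(m.group("name"))[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return Decision("quarantine", f"extension {ext or '(none)'} not allowed", _quarantine_key(key))
    return Decision("start_pipeline", "ok")


def handle_s3_event(
    event: dict,
    start_execution: Callable[[str], None] = lambda key: None,
    publish_alert: Callable[[str], None] = lambda msg: None,
) -> List[Tuple[str, Decision]]:
    """Lambda-handler shape: one decision per record. Side effects are injected so this runs offline."""
    results = []
    for rec in event.get("Records", []):
        # S3 URL-encodes object keys in event notifications ("a b.csv" arrives as "a+b.csv").
        key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])
        decision = validate_key(key)
        if decision.action == "start_pipeline":
            start_execution(key)
        else:
            publish_alert(f"quarantined {key} -> {decision.quarantine_key}: {decision.reason}")
        results.append((key, decision))
    return results


# Constructed S3 event: one valid file and three that must be quarantined.
SAMPLE_EVENT = {
    "Records": [
        {"s3": {"object": {"key": "raw/2024-05-01/telemetry/app+inventory.csv"}}},
        {"s3": {"object": {"key": "raw/2024-05-01/telemetry/export.csv.exe"}}},
        {"s3": {"object": {"key": "raw/2024-13-01/procurement/contracts.json"}}},
        {"s3": {"object": {"key": "normalized/2024-05-01/telemetry/app.csv"}}},
    ]
}

if __name__ == "__main__":
    for key, d in handle_s3_event(SAMPLE_EVENT, print, print):
        print(key, d.action, d.reason)
```

The real handler would copy the object to `quarantine_key` and publish to SNS; here those calls are parameters so the routing logic itself can be unit-tested without AWS credentials.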
Five standalone HTML dashboards walk an enterprise architect through the rationalization workflow — from raw 6R output through data quality scoring, confidence tuning, financial modeling, and final human sign-off. All generated by Kiro from the spec.
Kiro generated 8 distinct IAM roles with explicit allow-only policies — one per function type. The MCP server roles are read-only with explicit deny on write operations to Neptune and OpenSearch. The Lambda ETL role can write to Neptune and OpenSearch but cannot read DynamoDB. The API Lambda role can read/write DynamoDB but not OpenSearch.
| Role | Key Permissions |
|---|---|
| lambda-api-role | DynamoDB CRUD (recommendations + reviews), Neptune read, S3 read |
| lambda-ingestion-role | S3 read/write (ingestion bucket), Step Functions start, SNS publish |
| lambda-etl-role | S3 read (masked/), Neptune write, OpenSearch write, Bedrock Titan invoke |
| mcp-graph-role | Neptune read-only + explicit deny on writes |
| mcp-vector-role | OpenSearch read-only + explicit deny on index/delete |
| bedrock-role | Bedrock invoke model, ECS describe tasks for MCP |
| sfn-role | Lambda invoke, Glue start job, Macie create job, Comprehend detect, S3 R/W |
| neptune-loader-role | S3 read (masked/ only), Neptune bulk load |
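The rules the role table states (allow-only statements, no wildcard actions, explicit denies on the MCP roles' write paths) are exactly the kind of invariant worth asserting over generated templates before they deploy, because a generator asked for "Neptune access" will happily emit `neptune-db:*`. The linter below is an added example, not part of the EARE repository; the two policy documents are constructed stand-ins (the page gives role intents, not the documents), the cluster ARN is a placeholder, and the action names are real Neptune fine-grained IAM actions and OpenSearch Serverless data-access permissions.

```python
import fnmatch
from typing import FrozenSet, List

# Write-side actions the read-only MCP roles must explicitly deny.
NEPTUNE_WRITES = frozenset({
    "neptune-db:WriteDataViaQuery", "neptune-db:DeleteDataViaQuery", "neptune-db:StartLoaderJob",
})
AOSS_WRITES = frozenset({
    "aoss:WriteDocument", "aoss:CreateIndex", "aoss:UpdateIndex", "aoss:DeleteIndex",
})


def _as_list(value) -> list:
    # IAM allows a single string wherever a list is accepted.
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict, required_denies: FrozenSet[str] = frozenset()) -> List[str]:
    """Return findings; an empty list means the policy meets the rules stated above."""
    findings: List[str] = []
    denied: List[str] = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        effect = st.get("Effect")
        actions = _as_list(st.get("Action", []))
        if effect == "Allow":
            if "NotAction" in st:
                # Allow + NotAction grants everything except the listed actions.
                findings.append(f"statement {i}: Allow with NotAction")
            for a in actions:
                if "*" in a:
                    findings.append(f"statement {i}: wildcard action {a}")
            for r in _as_list(st.get("Resource", [])):
                if r == "*":
                    # A few APIs genuinely need Resource * (ec2:DescribeNetworkInterfaces for
                    # VPC Lambdas, for example), so this is flagged for review, not auto-failed.
                    findings.append(f"statement {i}: Resource * for {', '.join(actions)}")
        elif effect == "Deny":
            denied.extend(actions)
    for want in sorted(required_denies):
        if not any(fnmatch.fnmatchcase(want, pattern) for pattern in denied):
            findings.append(f"no explicit Deny for {want}")
    return findings


def allowed_actions(policy: dict) -> List[str]:
    return [a for st in _as_list(policy.get("Statement", [])) if st.get("Effect") == "Allow"
            for a in _as_list(st.get("Action", []))]


def touches_service(policy: dict, service: str) -> bool:
    """Cross-role check, e.g. the ETL role must not touch dynamodb and the API role must not touch aoss."""
    return any(a == "*" or a.split(":")[0] == service for a in allowed_actions(policy))


NEPTUNE_CLUSTER = "arn:aws:neptune-db:us-east-1:123456789012:cluster-EXAMPLE/*"  # placeholder ARN

# Constructed stand-in for mcp-graph-role as the table describes it.
MCP_GRAPH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["neptune-db:connect", "neptune-db:ReadDataViaQuery", "neptune-db:GetQueryStatus"],
         "Resource": NEPTUNE_CLUSTER},
        {"Effect": "Deny", "Action": sorted(NEPTUNE_WRITES), "Resource": NEPTUNE_CLUSTER},
    ],
}

# The shortcut a generator tends to emit: reads as "Neptune access", is actually full write access.
SLOPPY_GRAPH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "neptune-db:*", "Resource": "*"}],
}

if __name__ == "__main__":
    for name, pol in (("mcp-graph-role", MCP_GRAPH_POLICY), ("sloppy", SLOPPY_GRAPH_POLICY)):
        print(name, lint_policy(pol, NEPTUNE_WRITES) or "clean")
```

Run this against the policy documents extracted from the generated templates (for CloudFormation, the `Policies` blocks of each `AWS::IAM::Role`) as a pre-deploy test; `cfn-lint` and IAM Access Analyzer policy validation catch syntax and some over-permissive grants, but neither knows that a role named `mcp-graph-role` is supposed to be read-only.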
Every file traverses the masking pipeline before it reaches any database. Amazon Macie classifies files for PHI/PII. Comprehend Medical detects PHI entities (category PROTECTED_HEALTH_INFORMATION; types NAME, ADDRESS, DATE, PHONE_OR_FAX, EMAIL, ID, AGE). High-severity findings halt the pipeline and move the file to review-required/ with an SNS alert.

Masking uses deterministic pseudonymization: [MASKED_{entity_type}_{sha256_first_8_chars}]. The same input value always produces the same masked token across all files, preserving referential integrity for joins and cross-file analysis. A per-file audit log records entity counts, job IDs, and timestamps in masking-audit/. Two caveats apply to a scheme of this shape: a token derived from the raw value alone can be re-identified by anyone who can hash a list of candidate values (names and phone numbers are low-entropy), so the hash should be keyed with a secret that never leaves Secrets Manager; and 8 hex characters is only 32 bits, so by the birthday bound distinct values start colliding at tens of thousands of distinct entities.
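The token scheme and its two caveats, as an added example that is not EARE's masking Lambda: a keyed variant of [MASKED_{type}_{8 hex}] applied over Comprehend Medical style entity offsets, the audit counts the page describes, and the dictionary re-identification that the unkeyed variant permits. The clinical note and entity list are constructed, and the HMAC key would in practice be fetched from Secrets Manager (assumption).

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List, Tuple

# Constructed clinical note and a Comprehend Medical style entity list for it.
# Offsets are computed here rather than hand-typed so they match the text exactly.
NOTE = "Patient John Smith (DOB 1980-03-04) reached at 555-0100. Contact John Smith again."


def _entity(text: str, value: str, etype: str, start: int = 0) -> Dict:
    begin = text.index(value, start)
    return {"Type": etype, "BeginOffset": begin, "EndOffset": begin + len(value)}


ENTITIES: List[Dict] = [
    _entity(NOTE, "John Smith", "NAME"),
    _entity(NOTE, "1980-03-04", "DATE"),
    _entity(NOTE, "555-0100", "PHONE_OR_FAX"),
    _entity(NOTE, "John Smith", "NAME", start=20),   # second mention, must get the same token
]


def mask_token(entity_type: str, value: str, key: bytes) -> str:
    """[MASKED_{type}_{first 8 hex}], keyed so a token cannot be recomputed without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"[MASKED_{entity_type}_{digest[:8]}]"


def unkeyed_token(entity_type: str, value: str) -> str:
    """Same format over a plain SHA-256 of the value: deterministic, but reversible by guessing."""
    return f"[MASKED_{entity_type}_{hashlib.sha256(value.encode('utf-8')).hexdigest()[:8]}]"


def mask_text(text: str, entities: List[Dict], key: bytes) -> Tuple[str, Dict]:
    """Replace each entity span; return the masked text and the per-file audit record."""
    out = text
    # Substitute from the end so earlier offsets remain valid after each replacement.
    for ent in sorted(entities, key=lambda e: e["BeginOffset"], reverse=True):
        value = text[ent["BeginOffset"]:ent["EndOffset"]]
        out = out[:ent["BeginOffset"]] + mask_token(ent["Type"], value, key) + out[ent["EndOffset"]:]
    audit = {
        "entities_masked": len(entities),
        "entity_counts": dict(Counter(e["Type"] for e in entities)),
    }
    return out, audit


def reverse_by_guessing(token: str, entity_type: str, candidates: List[str]) -> str:
    """Re-identify a token from a candidate list; returns '' when no candidate reproduces it."""
    for c in candidates:
        if unkeyed_token(entity_type, c) == token:
            return c
    return ""


if __name__ == "__main__":
    key = b"constructed-test-key"      # would come from Secrets Manager in the real pipeline
    masked, audit = mask_text(NOTE, ENTITIES, key)
    print(masked)
    print(audit)
    guess = reverse_by_guessing(unkeyed_token("NAME", "John Smith"), "NAME", ["Jane Doe", "John Smith"])
    print("unkeyed token re-identified as:", guess)
```

Referential consistency survives the keyed variant because the key is constant across files; what changes is that an attacker holding the masked corpus but not the key can no longer confirm a guessed name by recomputing its token. Rotating the key breaks joins between files masked under different keys, so treat it like any other pseudonymization secret: one per environment, rotated only with a re-mask.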
Every Lambda function, ECS Fargate container, Neptune instance, and OpenSearch collection runs in private subnets (10.0.3.0/24, 10.0.4.0/24) across 2 AZs. Apart from API Gateway, which sits at the edge with its own resource policy, the only public-facing resources are the NAT Gateways and CloudFront.

Five VPC endpoints keep AWS service traffic inside the network: S3 (Gateway), DynamoDB (Gateway), Bedrock Runtime (Interface), Secrets Manager (Interface), CloudWatch Logs (Interface). No database or AI service call transits the public internet. One thing to verify when checking that claim: an OpenSearch Serverless collection is private only if its network policy restricts access to an OpenSearch Serverless VPC endpoint, which is not among the five listed here. All resources are tagged HIPAA=true for policy enforcement and compliance inventory.
Every Lambda and Step Functions execution emits structured JSON logs with correlation_id, component_name, operation, application_id, duration_ms, and status. MCP server tool call logs include requesting agent ID, tool name, parameters, response size, and latency. CloudWatch log groups have 30-day dev / 90-day prod retention.
Five CloudWatch alarms fire to SNS: Lambda errors (>5 in 5 min), Step Functions failures (>0 in 5 min), Neptune CPU (>80% for 5 min), API Gateway 5xx (>1% in 5 min), and a custom ingestion staleness alarm (no new S3 objects in 24 hours). VPC Flow Logs capture ALL traffic (ACCEPT + REJECT) with 90-day CloudWatch retention.
The traditional model for building a production AWS deployment at this scope — 9 CloudFormation modules, 8 Lambda functions, 2 containerized services, a multi-agent AI pipeline, 5 dashboards — is measured in weeks of infrastructure engineering. The AI-generated approach compresses that timeline and changes the nature of the work.
When AI can generate production-grade deployments from a well-written spec, the most valuable skill shifts from writing infrastructure code to designing the architecture and specifying it precisely. This is what that looks like in practice.
AWS CloudFormation · Lambda · Neptune · OpenSearch Serverless · Bedrock · ECS Fargate · Step Functions · Python 3.11