
Prerequisites

Before deploying Bedrock Chat, ensure you have:

  • AWS Account: An AWS account with appropriate permissions to create resources
  • Bedrock Model Access: Model access enabled in the Amazon Bedrock console
  • Supported Region: Deploy in a region where OpenSearch Serverless is available
  • CloudShell Access: Ability to open AWS CloudShell in your deployment region

Supported Regions

Deploy Bedrock Chat in a region where OpenSearch Serverless and Ingestion APIs are available if you want to use bots and knowledge bases.
Supported regions (as of August 2025):
  • US: us-east-1, us-east-2, us-west-1, us-west-2
  • Asia Pacific: ap-south-1, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2
  • Europe: eu-central-1, eu-west-1, eu-west-2, eu-south-2, eu-north-1
  • Other: ca-central-1, sa-east-1
For the bedrock-region parameter, choose a region where Bedrock is available.

Deployment Steps

Step 1: Enable Bedrock Model Access

In the us-east-1 region, navigate to Bedrock Model Access:
  1. Click Manage model access
  2. Check all models you wish to use:
    • Claude Models: claude-v4-opus, claude-v3.7-sonnet, claude-v3.5-sonnet, claude-v3.5-haiku
    • Amazon Nova: amazon-nova-pro, amazon-nova-lite, amazon-nova-micro
    • Llama: llama3-3-70b-instruct, llama3-2-90b-instruct
    • Mistral: mistral-large-2, mixtral-8x7b-instruct
    • DeepSeek: deepseek-r1
  3. Click Save changes

Step 2: Open CloudShell

Open AWS CloudShell in the region where you want to deploy Bedrock Chat.
CloudShell provides a pre-configured environment with AWS CLI, Git, and other tools already installed.

Step 3: Run Deployment Script

Execute the following commands in CloudShell:
git clone https://github.com/aws-samples/bedrock-chat.git
cd bedrock-chat
chmod +x bin.sh
./bin.sh
When prompted, confirm you’re ready to deploy v3.x by entering y.

Step 4: Wait for Deployment

The deployment takes approximately 35 minutes. The script will:
  1. Create a CloudFormation stack with CodeBuild project
  2. Start CodeBuild to deploy CDK stacks
  3. Provision all AWS resources
  4. Build and deploy the frontend application
You can monitor progress in the CloudFormation console.

Step 5: Access Your Application

Once deployment completes, you’ll receive a Frontend URL:
Frontend URL: https://xxxxxxxxx.cloudfront.net
The sign-up screen will appear, where you can register with your email and log in.

Deployment Parameters

You can customize your deployment with optional parameters:

Security Parameters

./bin.sh \
  --disable-self-register \
  --ipv4-ranges "192.0.2.0/25,192.0.2.128/25" \
  --ipv6-ranges "2001:db8:1:2::/64" \
  --allowed-signup-email-domains "example.com,anotherexample.com"

  • --disable-self-register (flag): Disable self-registration, which is enabled by default. Users must then be created via the Cognito console.
  • --ipv4-ranges (string): Comma-separated list of allowed IPv4 CIDR ranges. Default allows all IPv4 addresses.
  • --ipv6-ranges (string): Comma-separated list of allowed IPv6 CIDR ranges. Default allows all IPv6 addresses.
  • --disable-ipv6 (flag): Disable connections over IPv6, which are enabled by default.
  • --allowed-signup-email-domains (string): Comma-separated list of allowed email domains for sign-up (e.g., “company.com”).

Configuration Parameters

  • --bedrock-region (string, default: "us-east-1"): Region where Bedrock is available. See Supported Regions.
  • --enable-lambda-snapstart (flag): Enable Lambda SnapStart for faster cold starts (default: disabled).
  • --version (string, default: "v3"): Specific version to deploy (e.g., “v3.0.0”).
  • --repo-url (string): Custom repository URL if you’ve forked Bedrock Chat.

Advanced Configuration with CDK Override

Use --cdk-json-override to override any CDK context values:
./bin.sh --cdk-json-override '{
  "context": {
    "selfSignUpEnabled": false,
    "enableLambdaSnapStart": true,
    "allowedIpV4AddressRanges": ["192.168.1.0/24"],
    "allowedCountries": ["US", "CA"],
    "allowedSignUpEmailDomains": ["example.com"],
    "globalAvailableModels": [
      "claude-v3.7-sonnet",
      "claude-v3.5-sonnet",
      "amazon-nova-pro",
      "amazon-nova-lite",
      "llama3-3-70b-instruct"
    ]
  }
}'
Available override options:
  • selfSignUpEnabled - Enable/disable self-registration
  • enableLambdaSnapStart - Enable Lambda SnapStart
  • allowedIpV4AddressRanges / allowedIpV6AddressRanges - IP restrictions
  • allowedCountries - ISO-3166 country codes for geo-restrictions
  • allowedSignUpEmailDomains - Restrict sign-up email domains
  • bedrockRegion - Bedrock API region
  • enableRagReplicas - Enable/disable RAG database replicas
  • enableBedrockCrossRegionInference - Enable cross-region inference
  • globalAvailableModels - List of model IDs to enable (empty list enables all)
  • logoPath - Custom logo path under frontend/public/
Override values merge with existing cdk.json configuration during deployment. Override values take precedence.

Production Deployment Recommendations

Without parameters, this deployment allows anyone who knows the URL to sign up. For production:
  1. Add IP restrictions using --ipv4-ranges and --ipv6-ranges
  2. Disable self-registration with --disable-self-register
  3. Restrict email domains with --allowed-signup-email-domains
  4. Configure geo-restrictions if needed using --cdk-json-override
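
The recommendations above can be checked before running bin.sh. The following is an added example, not part of the Bedrock Chat project: a Python lint (CloudShell ships Python 3) that reads a --cdk-json-override document and reports the permissive settings this page describes. The function name and sample documents are constructed for illustration, and because overrides merge with cdk.json, it assumes a key absent from the override falls back to the defaults stated on this page.

```python
import ipaddress
import json

def lint_override(override_json: str) -> list[str]:
    """Return findings for a --cdk-json-override document (empty list = none)."""
    ctx = json.loads(override_json).get("context", {})
    findings = []

    # Self-registration is enabled unless explicitly switched off.
    if ctx.get("selfSignUpEnabled", True) and not ctx.get("allowedSignUpEmailDomains"):
        findings.append("self sign-up enabled with no email domain restriction")

    # An absent or empty range list means every address is allowed.
    # (The IPv6 finding is moot if you deploy with --disable-ipv6.)
    for key in ("allowedIpV4AddressRanges", "allowedIpV6AddressRanges"):
        ranges = ctx.get(key) or []
        if not ranges:
            findings.append(f"{key}: not set, all addresses allowed")
        for cidr in ranges:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError as exc:
                findings.append(f"{key}: invalid CIDR {cidr!r} ({exc})")
                continue
            if net.prefixlen == 0:
                findings.append(f"{key}: {cidr} matches every address")

    # An explicitly empty model list enables all models.
    if ctx.get("globalAvailableModels") == []:
        findings.append("globalAvailableModels: empty list enables every model")
    return findings

# Constructed sample overrides (not taken from a real deployment).
WEAK = json.dumps({"context": {
    "selfSignUpEnabled": True,
    "allowedIpV4AddressRanges": ["0.0.0.0/0", "10.0.0.0/33"],
    "globalAvailableModels": [],
}})
HARDENED = json.dumps({"context": {
    "selfSignUpEnabled": False,
    "allowedIpV4AddressRanges": ["203.0.113.0/24"],
    "allowedIpV6AddressRanges": ["2001:db8:1:2::/64"],
    "globalAvailableModels": ["claude-v3.7-sonnet"],
}})

if __name__ == "__main__":
    for name, doc in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, lint_override(doc) or "no findings")
```
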

Example Production Deployment

./bin.sh \
  --disable-self-register \
  --ipv4-ranges "203.0.113.0/24" \
  --allowed-signup-email-domains "mycompany.com" \
  --bedrock-region "us-west-2" \
  --enable-lambda-snapstart \
  --version "v3.0.0"

Deployment Outputs

After successful deployment, you’ll receive:
  • Frontend URL (string): CloudFront distribution URL for accessing the application
  • CloudFront URL (string): Direct CloudFront domain (without custom domain)
  • Backend API URL (string): API Gateway endpoint for backend services
  • User Pool ID (string): Amazon Cognito User Pool ID for user management
  • User Pool Client ID (string): Cognito App Client ID for authentication

Troubleshooting

If the Frontend URL doesn’t appear or Bedrock Chat doesn’t work:
  1. Check CloudFormation console for stack errors
  2. Try deploying a specific stable version: --version "v3.0.0"
  3. Check CodeBuild logs in CloudWatch
Common causes:
  • Insufficient permissions in your AWS account
  • Service quotas exceeded (e.g., VPC, Lambda functions)
  • Region doesn’t support OpenSearch Serverless
  • Bedrock model access not enabled
If self-registration is disabled or email domain restrictions are active:
  1. Go to Amazon Cognito console
  2. Find your User Pool (ID in CloudFormation outputs)
  3. Manually create users under “Users” tab
Ensure you’ve enabled model access in the Bedrock console:
  1. Navigate to Amazon Bedrock
  2. Go to “Model access” in the left sidebar
  3. Request access for desired models
  4. Wait for access to be granted (usually instant)

Next Steps

  • Configure Authentication: Set up external identity providers (Google, OIDC)
  • Security Settings: Configure WAF rules, IP restrictions, and access controls
  • Create Custom Bots: Build your first bot with custom knowledge
  • User Management: Set up user groups and permissions

Clean Up

To remove all resources:
# Access CloudFormation console
# Delete stacks in this order:
# 1. BedrockChatStack
# 2. FrontendWafStack (in us-east-1 region)
# 3. CodeBuildForDeploy
Deleting stacks will remove all data including conversations, bots, and knowledge bases. Export any important data before deletion.
