Bedrock AgentCore: agents in production on AWS
The managed building blocks to run real agents: runtime, tools, memory, identity and observability.
6 min read
Building an agent that works in a notebook is easy. Putting that agent into production — with session isolation, secure credentials, persistent memory, and traceability — is where most projects stall. Amazon Bedrock AgentCore is AWS's answer to that problem: a set of managed building blocks that covers exactly what Module 3 taught, without you having to operate the infrastructure.
Reference architecture — Amazon Bedrock AgentCore
Flow of an agent request from client to response, passing through every AgentCore block.
- Runtime · Execução serverless · isolada por sessão
- Gateway · Expõe tools via MCP
- Memory · Curto e longo prazo
- Identity · Credenciais e authz · das ferramentas
- Observability · Traços, logs e evals
- Modelo Foundation · Claude / Titan / etc.
- Browser Tool · Navegação web gerenciada
- Code Interpreter · Execução de código isolada
- APIs / Serviços · externas
- Knowledge Base · RAG gerenciado
Runtime and Gateway: where the agent loop actually runs
The AgentCore Runtime is the agent's execution environment — serverless, isolated per session. Each session gets its own sandbox: no shared state between users, no containers to manage or manual scaling. You bring your agent code (any framework: LangGraph, Strands Agents, plain code) and the Runtime handles the lifecycle.
The AgentCore Gateway is what connects the model to the outside world using the MCP protocol from lesson 14. Instead of building an MCP server from scratch, the Gateway exposes your tools as managed MCP endpoints. The model calls a tool, the Gateway routes to the correct implementation, returns the result — and the ReAct loop from lesson 11 continues.
The separation between Runtime and Gateway is intentional: Runtime thinks, Gateway acts. This means you can swap the agent framework without touching the tools, and you can add tools without redeploying the agent. It's the same decoupling principle we apply in event-driven architecture — just applied to the agent's cognitive loop.
Memory and Identity: what keeps the agent coherent and secure
In lesson 12 we saw that agents need two types of memory: short-term (what happened in this conversation) and long-term (what the agent should remember across sessions). AgentCore Memory implements exactly that. Short-term memory is the current session's message history, managed automatically. Long-term memory is a persistent store the agent can query and update — useful for user preferences, past decisions, or ongoing project context.
AgentCore Identity solves a problem every architect faces: how does the agent authenticate to the tools it calls? Without a dedicated block, you end up with hardcoded credentials, overly permissive IAM roles, or a homegrown secrets management system. Identity centralizes this: each tool call passes through an authorization layer that validates whether that agent, in that session, has permission to call that resource. It's the least-privilege principle from lesson 10 applied at runtime.
The Memory + Identity combination is what separates a production agent from a prototype. A prototype forgets everything and has unrestricted access. A production agent remembers what matters and only accesses what it needs.
Observability, Browser and Code Interpreter: completing the picture
AgentCore Observability delivers what lesson 9 asked for: visibility into what the agent is doing. Each step of the ReAct loop — which tool was called, what the response was, how long it took, what the model's reasoning was — becomes a structured trace. You can answer questions like: why did the agent make that decision? At which step did it hallucinate? Which tool is the latency bottleneck? Without this, debugging an agent in production means working in the dark.
The managed tools close the loop. The Browser Tool gives the agent the ability to browse the web in an isolated, auditable way — without you provisioning browser instances, dealing with Playwright in production, or exposing your network. The Code Interpreter does the same for code execution: the model generates Python, the Code Interpreter runs it in a sandbox, returns the result. Both arrive via the Gateway like any other MCP tool.
The architectural point here is consistency: all capabilities — external tools, browser, code, RAG — reach the model through the same protocol. The agent doesn't know whether it's calling your Lambda or the managed Browser Tool. This simplifies design and makes it easy to swap implementations without rewriting the agent.
In practice, AgentCore isn't about adopting a new service — it's about not having to build six different services. Every team that puts agents into production ends up reinventing: session isolation, tool credential management, memory storage, MCP server, trace collection, code execution sandbox. AgentCore delivers these blocks ready-made and integrated. My recommendation: start with Runtime + Observability. Without visibility, you'll spend more time debugging than building. Add Memory and Identity when the agent needs persistence and calls resources with access control. Gateway and the managed tools come in when tools get complex enough to justify the protocol.
The six blocks and what each one solves
AgentCore — each block and its role
Tap a concept, then its definition.
How to adopt AgentCore progressively
- 1
1. Start with Runtime + existing model
Package your current agent (LangGraph, Strands, or custom code) in the Runtime. Validate session isolation and latency before adding other blocks.
- 2
2. Enable Observability immediately
Turn on traces before any load testing. You'll need them to understand agent behavior from day one in production.
- 3
3. Migrate tools to the Gateway
Register your existing tools as MCP endpoints in the Gateway. Test that the model still calls correctly — the interface changes, the behavior should not.
- 4
4. Add Identity for each tool with resource access
For each tool that accesses a database, external API, or AWS service, configure the authorization policy in Identity. Review permissions with the least-privilege principle.
- 5
5. Enable Memory when the agent needs persistence
Don't enable long-term memory by default — it has cost and complexity. Enable it when the use case requires continuity across sessions (personal assistants, project agents).
AgentCore vs. building the blocks yourself
| Block | Build yourself | AgentCore | |
|---|---|---|---|
| Session isolation | Container per session, manual orchestration | Managed, serverless, automatic | — |
| MCP server | Implement, host, version yourself | Managed Gateway, tool registration via API | — |
| Tool credentials | Secrets Manager + custom IAM per tool | Centralized Identity with per-session policies | — |
| Loop traces | Manual instrumentation with X-Ray or OTEL | Automatic structured traces per step | — |
| Browser / Code sandbox | Playwright on EC2 or Fargate, custom sandbox | Managed tools via MCP Gateway | — |
Frequently asked questions
Do I need to use AgentCore with Amazon Bedrock Agents (the previous agent service)?
No. AgentCore is a set of infrastructure blocks you use with any agent framework — LangGraph, Strands Agents, custom code. It doesn't replace Bedrock Agents; both can coexist, but they are different products with different philosophies.
Does the Gateway only work with MCP, or can I also expose tools via OpenAPI?
The Gateway uses MCP as the primary protocol, which is the standard we covered in lesson 14. For tools based on existing REST APIs, you can create an MCP wrapper that calls your API — the Gateway doesn't require you to rewrite implementations.
Is AgentCore Memory's long-term memory a vector store?
AgentCore Memory abstracts the storage — you don't need to choose and operate a vector store directly for agent memory. For RAG over documents, lesson 18 covers Knowledge Bases, which is the dedicated service for that.
What language does the Code Interpreter execute?
Python is the primary supported language, covering the vast majority of data analysis, calculation, and automation use cases that models generate. The environment is isolated per execution — no persistent state between calls.
My read on AgentCore
AgentCore is the right answer to the right question: how not to reinvent agent infrastructure every time you start a project. The blocks are well-scoped, MCP as the backbone is a solid choice, and the integration with the Bedrock ecosystem (models, Knowledge Bases, guardrails) is natural. The risk is the same as any managed service: you trade control for convenience. For most enterprise projects, that's the right trade-off. For those who need deep customization at every layer, building on AWS primitives is still a valid option — but the maintenance cost is real and grows over time.