New serverless pattern - strands-agentcore-lambda

[humem001]

Serverless AI agent pattern using Strands Agents SDK, AWS Bedrock, and AgentCore Gateway with Lambda interceptors for multi-tenant JWT authentication and tool execution via MCP protocol.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[marcojahn]

Hello @humem001,
Thanks for the submission — strong pattern overall. Well-architected, good security posture (per-function IAM, least-privilege), and thorough documentation.

Please fix

1. AWS naming conventions in README.md:
   • "AWS Bedrock" → "Amazon Bedrock" (Amazon-branded, not AWS-branded)
   • "Cognito" → "Amazon Cognito" on first reference

Suggested improvements

• Folder structure — ~10 loose scripts at root level alongside organized src/, tests/, infrastructure/. Recommend moving to a scripts/ directory.
• IaC tooling — Raw CFN + 6-script packaging pipeline. Consider SAM (sam build && sam deploy replaces the whole pipeline). If AgentCore resources lack SAM support, a one-liner in the README explaining the choice would help.
• Security — CloudWatchLogsFullAccess on the Gateway role is broader than needed. Scope to an inline policy with logs:CreateLogGroup/CreateLogStream/PutLogEvents.
• Portability — Hardcoded us-east-1 in create_cognito_user.py and test_e2e_flow.py. Read from AWS_REGION env var or stack outputs instead.
• Performance — Gateway URL is cached at instance level in AgentProcessor, but the class is re-instantiated per invocation. Move cache to module level for cross-invocation benefit.

[humem001]

Hi @marcojahn thanks for feedback.

AWS Bedrock → Amazon Bedrock and bare Cognito → Amazon Cognito throughout README
Security:

CloudWatchLogsFullAccess managed policy replaced with scoped inline policy (logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents) on AgentCore log group only
Performance:

Gateway URL cache moved from instance-level (self._gateway_url) to module-level (_gateway_url_cache) in agent_processor.py — now persists across Lambda invocations in warm containers
Portability:

Hardcoded us-east-1 in create_cognito_user.py and test_e2e_flow.py replaced with os.environ.get("AWS_DEFAULT_REGION") or os.environ.get("AWS_REGION") or "us-east-1"
Folder structure:

All 9 loose root scripts moved to scripts/ directory
All path references updated in scripts and README
IaC explanation:

Added note in README explaining why raw CloudFormation is used instead of SAM (AgentCore resources not supported by SAM)
Why raw CloudFormation instead of SAM? AWS SAM does not currently support AgentCore Gateway and GatewayTarget resource types. CloudFormation is used directly with a thin Python wrapper (infrastructure/deploy_stack.py) for stack management, and separate packaging scripts for Lambda code deployment.

Ready for re-review.