記事公開日
What is Kiro Powers? Part 2: Verifying Automated AWS Infrastructure Building via CDK
Key Takeaways
In this article, we verify the IaC generation capabilities of the AI assistant "Kiro Powers" during the implementation phase. We explain the process of how a sophisticated configuration plan, compliant with the AWS Well-Architected Framework, is instantly generated from an abstract prompt like "secure, low-cost, and easy to operate," accompanied by actual AWS CDK code. We will share practical tips for building secure infrastructure while significantly reducing engineering design effort.
- Automated Design Based on AWS Best Practices:
Kiro automatically outputs enterprise-level security settings, such as IAM policy control using ABAC (Attribute-Based Access Control) and "PRIVATE_ISOLATED" subnet configurations that block external communication. - Cost Optimization through 3 VPC Endpoints:
Eliminating expensive NAT Gateways, the design adopts private communication via three VPC endpoints: SSM, EC2 Messages, and SSM Messages. This balances high security with a significant reduction in monthly fixed infrastructure costs. - Automated Visualization of Operational Audit Trails:
The environment includes definitions to automatically forward Session Manager operation logs to CloudWatch Logs, demonstrating a practical approach to achieving thorough evidence management while minimizing operational overhead.
Introduction
Hello, I'm Okada from the DX Solution Sales Division.
In my previous post, I verified "How requirement definitions and designs change when using the Spec function with and without Kiro Powers."
This time, we move into the implementation phase. Let's verify what kind of IaC code Powers can generate for us.
Even if we only provide a vague instruction like: "Make it possible to log in safely to an EC2 instance in an AWS private subnet. Use a method that is as cheap as possible and easy to operate,"Will it write IaC that follows the AWS Well-Architected Framework?
Let's see it in action.
Verification
As before, we confirm that the "Build AWS infrastructure with CDK and CloudFormation" skill is installed in Powers.
This skill leverages the latest documentation, best practices, and code samples to build AWS infrastructure compliant with the AWS Well-Architected Framework using CDK or CloudFormation.
Since we completed the design document in the last stage, I instructed it to proceed to the implementation phase. Let's look at the generated CDK code.
① Security: Access Control via ABAC
First, let's focus on security.
The IAM policy is set to allow access only when the "operator's attributes" match the "instance's tags."
When a user tries to log in, the IAM policy checks if the user's permissions align with the instance's tags.
This prevents accidents, such as "someone with development environment permissions mistakenly operating a production instance."
② Reliability: Private Communication via VPC Endpoints
Next is reliability.
By creating VPC Endpoints (InterfaceVpcEndpoint), instances within the VPC can communicate with AWS services solely through the internal network without going through an Internet Gateway.
Since data does not leave the network, security is enhanced, and the environment becomes less susceptible to communication failures via the internet.
*To use Session Manager, three endpoints are required: SSM, EC2 Messages, and SSM Messages. The following example shows the SSM endpoint configuration.
③ Operational Excellence: Logging All Operations
What about operational efficiency?
In the Session Manager settings (CfnDocument below), it is defined to transfer session content to CloudWatch Logs.
This saves an audit log of who changed what and when.
In the event of a failure or bug, the cause can be identified simply by tracing the logs, enabling visualization and improving operational efficiency.
④ Cost Optimization: Eliminating NAT Gateway
Finally, cost optimization.
The configuration uses PRIVATE_ISOLATED subnets, which are suitable for high-security workloads that require no external communication.
By replacing expensive NAT Gateways (fixed costs) with relatively inexpensive VPC endpoints, monthly infrastructure maintenance costs are significantly reduced.
Conclusion
Through this verification, the utility of Powers was confirmed. Even from abstract instructions, we found it could instantly generate IaC code that reflects best practices aligned with the AWS Well-Architected Framework.
As mentioned, I only gave the abstract instruction: "Make it possible to log in safely to an EC2 instance in an AWS private subnet. Use a method that is as cheap as possible and easy to operate."
I see great potential in this as a tool that can significantly reduce the time spent on consideration and creation in infrastructure design.
In the next "Build AWS Environment" Part 3, I want to deploy the generated code and verify it. I'll check if we can actually build the environment using the code produced!
** We aim to become Japan's #1 resource for Kiro! Our mission is to evangelize this technology by empowering end-users with top-tier education and technical support. **
If you have requests like "I want to know more about this service" or need help with "AWS environment construction and migration," please feel free to contact us via our inquiry form. For complex inquiries, our sales representatives will contact you directly. Also, please check out the links below!
<QES Related Solutions/Blogs>
<The AWS Security Promotion Consortium, in which QES participates, has released a white paper>
*Amazon Web Services, the "Powered by Amazon Web Services" logo, and other AWS trademarks used in this blog are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.
