Cross Partition Inference from AWS GovCloud (US)

A sample implementation demonstrating secure cross partition access to Amazon Bedrock from AWS GovCloud (US) workloads. This repository provides reusable library components and a reference architecture for organizations looking to access AI models in Standard AWS Regions from GovCloud applications.

⚠️ Important: This sample is intended for informational and educational purposes only. The approach detailed here may not be suitable for all organizations and/or compliance programs. It is important to evaluate this solution against the compliance requirements of your organization and any applicable regulatory obligations you may have. This codebase has not been hardened for production use.

📖 Companion Blog Post: Unlocking AI models in Standard AWS Regions from AWS GovCloud (US): Cross-partition access with Amazon Bedrock

What This Sample Demonstrates

This repository showcases:

• ✅ Cross-partition credential management using service-specific credentials with limited blast radius
• ✅ Secure credential storage in AWS Secrets Manager with automatic rotation
• ✅ Reusable library components (src/lib/) that work in Lambda, EC2, containers, or standalone scripts
• ✅ Internet-based connectivity (simplest approach for getting started)
• ✅ Sample patterns for authentication, error handling, and credential rotation

What This Sample Does NOT Demonstrate

• ❌ VPN or Direct Connect network patterns (see blog post for these options)
• ❌ Comprehensive monitoring and alerting infrastructure
• ❌ High-availability architecture across multiple regions
• ❌ Comprehensive edge case handling for all scenarios

This is an educational sample designed to help you understand the patterns and build your own solution tailored to your specific requirements.

Architecture

┌─────────────────────────────────────┐
│   AWS GovCloud (US)                 │
│                                     │
│  ┌──────────────┐                  │
│  │  Web UI      │                  │
│  └──────┬───────┘                  │
│         │                           │
│  ┌──────▼────────────────────┐     │
│  │  API Gateway              │     │
│  └──────┬────────────────────┘     │
│         │                           │
│  ┌──────▼────────────────────┐     │
│  │  Lambda Function          │     │
│  │  - Uses lib/ components   │     │
│  │  - Retrieves credentials  │     │
│  │  - Invokes Bedrock        │     │
│  └──────┬────────────────────┘     │
│         │                           │
│  ┌──────▼────────────────────┐     │
│  │  Secrets Manager          │     │
│  │  (Service-Specific Creds) │     │
│  └───────────────────────────┘     │
│                                     │
└─────────────────┬───────────────────┘
                  │
                  │ HTTPS over Internet
                  │ (TLS 1.2+)
                  │
┌─────────────────▼───────────────────┐
│   Standard AWS (us-east-1)          │
│                                     │
│  ┌───────────────────────────────┐  │
│  │  Amazon Bedrock               │  │
│  │  (Claude, Titan, etc.)        │  │
│  └───────────────────────────────┘  │
│                                     │
│  ┌───────────────────────────────┐  │
│  │  IAM User                     │  │
│  │  (Service-Specific Creds)    │  │
│  │  - Bedrock access only        │  │
│  └───────────────────────────────┘  │
│                                     │
└─────────────────────────────────────┘

Quick Start

Prerequisites

• AWS CLI v2 configured with profiles for both GovCloud and Commercial partitions
• Python 3.12+
• Node.js 18+ (for AWS CDK)
• AWS CDK CLI: npm install -g aws-cdk

Deploy in 3 Steps

# 1. Clone the repository
git clone https://github.com/aws-samples/cross-partition-inference
cd cross-partition-inference

# 2. Deploy infrastructure
.\scripts\deploy.ps1

# 3. Test the deployment
# Open the Frontend URL from deployment outputs

That's it! The deployment script handles:

• CDK bootstrapping
• Infrastructure deployment to both partitions
• Credential creation and storage
• Rotation setup

See DEPLOYMENT_GUIDE.md for detailed instructions.

Reusable Library Components

The heart of this sample is the src/lib/ directory, which contains framework-agnostic Python modules you can copy and use in your own projects.

bedrock_client.py - Bedrock API Client

Simple, reusable client for invoking Bedrock models:

from lib.bedrock_client import BedrockClient

# Use service-specific credentials (bearer token auth handled automatically)
client = BedrockClient(
    service_credential_id="your-service-specific-credential-id",
    service_credential_password="your-service-specific-credential-password",
    region="us-east-1"
)

response = client.invoke_model(
    prompt="Explain quantum computing in simple terms",
    model_id="us.anthropic.claude-sonnet-4-5-20250929-v1:0"
)

print(response['content'])

Note: Service-specific credentials use bearer token authentication, which BedrockClient handles automatically.

credential_manager.py - Secrets Manager Integration

Retrieve and validate credentials from AWS Secrets Manager:

from lib.credential_manager import CredentialManager

manager = CredentialManager("my-secret", "us-gov-west-1")
credentials = manager.get_credentials()

# Check if rotation needed
needs_rotation, message, age = manager.needs_rotation(max_age_days=90)

rotation_lambda.py - Credential Rotation

Sample implementation of automatic credential rotation using AWS Secrets Manager. Located at src/lambda/rotation_lambda.py, this demonstrates:

• AWS Secrets Manager 4-step rotation pattern (create → set → test → finish)
• Service-specific credential lifecycle management
• Bearer token validation during rotation
• Handling the AWS 2-credential-per-service limit

See src/lib/README.md for details on the rotation pattern.

Integration Examples

See the examples/ directory for complete integration patterns:

• standalone_bedrock_call.py - Use in scripts or cron jobs
• lambda_integration.py - AWS Lambda integration

Each example is fully documented and ready to run.

Key Features

🔐 Security

• Service-specific credentials with bearer token authentication (handled automatically by lib/)
• Encrypted credential storage in AWS Secrets Manager with automatic rotation
• TLS 1.2+ for all cross-partition traffic
• Least privilege IAM and US-only regional routing

See SECURITY_CONTROLS.md for full details.

📦 Framework-Agnostic Design

The lib/ components work anywhere Python runs:

• ✅ AWS Lambda functions
• ✅ EC2 instances
• ✅ ECS/EKS containers
• ✅ Local development scripts
• ✅ CI/CD pipelines

No framework lock-in - just pure Python with boto3.

🔄 Automatic Credential Rotation

Built-in credential rotation ensures security compliance:

• Rotates automatically
• Zero downtime during rotation
• Monitors credential age
• Alerts on rotation failures

Project Structure

cross-partition-bedrock-access/
├── src/
│   ├── lib/                    # 📦 Reusable components (copy these!)
│   │   ├── bedrock_client.py
│   │   ├── credential_manager.py
│   │   └── README.md
│   ├── lambda/                 # Lambda integration
│   │   ├── main.py            # Backend API handler
│   │   └── rotation_lambda.py # Credential rotation (reference implementation)
│   ├── frontend/               # Demo web UI
│   └── frontend-lambda/        # Frontend serving
│
├── infrastructure/             # AWS CDK infrastructure code
│   ├── app.py
│   └── stacks/
│
├── examples/                   # 📚 Integration examples
│   ├── standalone_bedrock_call.py
│   ├── lambda_integration.py
│   └── README.md
│
├── config/                     # Configuration
│   └── app-config.json
│
├── scripts/
│   ├── deploy.ps1             # Deployment script
│   └── cleanup-deployment.ps1 # Cleanup script
│
└── docs/                       # Documentation
    ├── DEPLOYMENT_GUIDE.md
    ├── USAGE_GUIDE.md
    ├── ARCHITECTURE.md
    └── SECURITY_CONTROLS.md

Usage

Using the Deployed Demo

After deployment, you can:

1. Access the Web UI - Open the Frontend URL from deployment outputs
2. Test via API - Use the API Gateway URL directly
3. View Logs - Check CloudWatch Logs for request traces

Integrating into Your Application

1. Copy the lib/ directory to your project:

   cp -r src/lib/ your-project/lib/

2. Install dependencies:

   pip install boto3

3. Use in your code:

   from lib.bedrock_client import BedrockClient
   from lib.credential_manager import CredentialManager
   
   # Your integration code here

See examples/README.md for detailed integration patterns.

Security

For details on service-specific credentials, bearer token authentication, regional routing, and audit logging, see SECURITY_CONTROLS.md.

Cost Estimate

Running this sample incurs AWS charges:

GovCloud:

• Lambda: ~$0.20/month (free tier eligible)
• API Gateway: ~$3.50/million requests
• Secrets Manager: ~$0.40/month per secret
• S3: ~$0.023/GB/month

Commercial:

• Bedrock: Pay per token (varies by model)
• IAM: No charge

Estimated monthly cost: $5-10 (excluding Bedrock usage)

Cleanup

To avoid ongoing charges:

.\scripts\cleanup-deployment.ps1 -Force

This removes all deployed resources from both partitions.

Documentation

• Deployment Guide - Detailed deployment instructions
• Usage Guide - How to use the deployed demo
• lib/ README - API documentation for reusable components
• Examples README - Integration pattern examples

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Support

This is a sample repository for educational purposes. For issues or questions:

1. Check the documentation
2. Review the examples
3. Open an issue on GitHub

For AWS support, please contact AWS Support through your AWS account.

Authors

• Vin Minichino - vinmin@amazon.com

Contributors

Additional Resources

• Amazon Bedrock Documentation
• AWS GovCloud (US) User Guide
• AWS Service-Specific Credentials
• Blog Post: Cross-Partition Bedrock Access