Build a FinOps agent using Amazon Bedrock AgentCore


Managing costs across multiple AWS accounts often requires finance teams to query data from several sources to get a complete view of spending and optimization opportunities. In this post, you learn how to build a FinOps agent using Amazon Bedrock AgentCore that helps your finance team manage AWS costs across multiple accounts. This conversational agent consolidates data from AWS Cost Explorer, AWS Budgets, and AWS Compute Optimizer into a single interface, so your team can ask questions like “What are my top cost drivers this month?” and receive immediate answers.

You learn to set up the architecture, deploy the solution using AWS Cloud Development Kit (AWS CDK), and interact with your cost data through natural language queries. The solution uses AgentCore, Anthropic Claude Sonnet 4.5, the Strands Agent SDK, and the Model Context Protocol (MCP). You will have conversation memory that retains 30 days of context, so you can ask follow-up questions without repeating information. Over 20 specialized tools cover the full spectrum of cost management, from analysis to optimization, alleviating the need to manually navigate multiple AWS consoles.

Natural language interaction makes cost data accessible to team members across your organization.

This solution consists of two main components: the authentication and frontend layer, and the Amazon Bedrock AgentCore Runtime with tools and memory. Amazon Cognito manages user authentication while the AgentCore Runtime processes cost management queries. The authentication and frontend layer uses AWS Amplify to host the web application interface and Amazon Cognito for user authentication.

The custom agent for FinOps is hosted on AgentCore Runtime and built with the Strands Agent SDK, which integrates with Amazon Bedrock to access a large language model (LLM). Amazon Bedrock AgentCore Gateway manages tool invocations and routes requests to backend services using AWS Identity and Access Management (IAM) authentication. MCP servers are hosted on AgentCore Runtime to provide access to AWS Billing and Cost Management tools. AgentCore Memory maintains conversation history for up to 30 days of context retention.

AgentCore Identity manages the OAuth 2.0 credential lifecycle for secure communication between the Gateway and MCP server runtimes. It stores the Amazon Cognito M2M client credentials as an OAuth credential provider and issues tokens on behalf of the Gateway when it needs to authenticate with the MCP runtimes. With these components in place, the following section examines how they work together in the complete architecture.
