@didhd didhd commented Oct 14, 2025

Amazon Bedrock AgentCore Samples Pull Request

Important

  1. We strictly follow an issue-first approach; please first open an issue relating to this Pull Request.
  2. Once this Pull Request is ready for review, please attach the review ready label to it. Only PRs with review ready will be reviewed.

Issue number: N/A

Concise description of the PR

Add Lambda AgentCore invocation tutorial with CloudWatch observability to the observability examples.

This PR adds a complete tutorial demonstrating how to invoke Strands agents hosted on Amazon Bedrock AgentCore Runtime from AWS Lambda functions with full CloudWatch observability enabled.

Changes include:

  • Complete Lambda AgentCore invocation tutorial in 05-Lambda-AgentCore-invocation directory
  • Lambda function code for invoking AgentCore Runtime agents (lambda_agentcore_invoker.py)
  • Dockerfile for Lambda container deployment
  • Comprehensive Jupyter notebook with step-by-step tutorial (agentcore_observability_lambda.ipynb)
  • README.md with architecture, prerequisites, usage, and cleanup documentation
  • Updated parent README.md to include this tutorial in the project structure

User experience

Before this change:

  • Users had no example of how to invoke AgentCore Runtime agents from Lambda functions
  • No guidance on integrating Lambda with AgentCore Runtime and CloudWatch observability
  • Missing example of using multiple MCP servers in a Lambda-invoked agent

After this change:

  • Users can learn how to build serverless architectures with Lambda and AgentCore Runtime
  • Complete working example with Lambda function, MCP agent, and Dockerfile
  • Step-by-step tutorial showing X-Ray tracing and CloudWatch GenAI Observability integration
  • Clear documentation of architecture, setup, and usage patterns

Checklist

  • I have reviewed the contributing guidelines
  • Add your name to CONTRIBUTORS.md
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Are you uploading a dataset?
  • Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and Clean Up steps in your example README?
  • I agree to resolve any issues created for this example in the future.
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

@github-actions github-actions bot added 01-tutorials 01-tutorials 06-AgentCore-observability 01-tutorials/06-AgentCore-observability labels Oct 14, 2025

github-actions bot commented Oct 14, 2025

Latest scan for commit: f7db7ce | Updated: 2025-10-16 02:57:32 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2025-10-16T02:57:21+00:00
  • ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold
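
| Scanner | S | C | H | M | L | I | Time | Action | Result | Thresh |
|---|---|---|---|---|---|---|---|---|---|---|
| bandit | 0 | 0 | 0 | 0 | 0 | 0 | 686ms | 0 | PASSED | MED (g) |
| cdk-nag | 0 | 0 | 0 | 0 | 0 | 0 | 26.7s | 0 | PASSED | MED (g) |
| cfn-nag | 0 | 0 | 0 | 0 | 0 | 0 | 7ms | 0 | PASSED | MED (g) |
| checkov | 0 | 0 | 0 | 0 | 0 | 0 | 4.0s | 0 | PASSED | MED (g) |
| detect-secrets | 0 | 0 | 0 | 0 | 0 | 0 | 653ms | 0 | PASSED | MED (g) |
| grype | 0 | 0 | 0 | 0 | 0 | 0 | 29.8s | 0 | PASSED | MED (g) |
| npm-audit | 0 | 0 | 0 | 0 | 0 | 0 | 171ms | 0 | PASSED | MED (g) |
| opengrep | 0 | 0 | 0 | 0 | 0 | 0 | <1ms | 0 | SKIPPED | MED (g) |
| semgrep | 0 | 0 | 0 | 0 | 0 | 0 | 13.0s | 0 | PASSED | MED (g) |
| syft | 0 | 0 | 0 | 0 | 0 | 0 | 2.1s | 0 | PASSED | MED (g) |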

@mvangara10
Contributor

Please clear the [Python Code Quality / python-lint] check.

Contributor

F401 json imported but unused

Contributor

aws-opentelemetry-distro==0.12.1

Contributor

  1. We need to call out to skip running Transaction search if it is already enabled on the account.
  2. Please scope down the agentcore_policy_document

Contributor

Rule ID: CKV_DOCKER_2
Location: 01-tutorials/06-AgentCore-observability/05-Lambda-AgentCore-invocation/Dockerfile:1-41

Please clear the security finding

Contributor

01-tutorials/06-AgentCore-observability/05-Lambda-AgentCore-invocation/lambda_agentcore_invoker.py:26:15: F541 f-string without any placeholders

Comment on lines 84 to 87
4. Follow the step-by-step instructions in the notebook to:
- Configure CloudWatch Transaction Search
- Create and deploy the MCP agent
- Build and deploy the Lambda function

To display Lambda Invoker Node in Trace view, another separate step needs to be set up to enable Active Tracing for Lambda function.

https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html#services-xray-api

NVM. Found it is configured as part of Lambda deployment.

Comment on lines 37 to 41
API/User → AWS Lambda → AgentCore Runtime → Strands Agent → MCP Servers (AWS Docs + CDK)
↓ ↓
CloudWatch CloudWatch
(X-Ray Traces) (Gen AI Observability)
```

Has this setup been tested? Does AWS Lambda appear in the Trace view? It seems the Application Signals Lambda Layer needs to be installed to propagate the trace context from Lambda to AgentCore and preserve trace continuity, but this step appears to be missing from the setup.

didhd added 3 commits October 15, 2025 18:42
- Add comprehensive README for Lambda AgentCore invocation tutorial
- Update parent README to include new Lambda invocation section
- Document architecture, features, and usage examples
- Add comprehensive README for Lambda AgentCore invocation tutorial
- Add Lambda function code for invoking AgentCore Runtime agents
- Add MCP agent with multiple servers (AWS Docs + CDK)
- Add Dockerfile for Lambda container deployment
- Add Jupyter notebook with step-by-step tutorial
- Update parent README to include new Lambda invocation section
- Fix f-string without placeholders in lambda_agentcore_invoker.py
- Remove unused json import from mcp_agent_multi_server.py
- Update aws-opentelemetry-distro to version 0.12.1
- Add HEALTHCHECK instruction to Dockerfile
@didhd didhd force-pushed the add-lambda-agentcore-invocation-tutorial branch from 12f1519 to aab40b6 Compare October 16, 2025 01:43
…dempotency

- Remove Transaction Search enablement code; move to console-based prerequisite guide
- Remove programmatic trace querying (Steps 9, 10); replace with console links
- Simplify logs section to Lambda logs only with limited output
- Scope down IAM policies to specific runtime ARN (remove wildcards)
- Fix Lambda f-string and zip creation for Python 3.13 compatibility
- Add idempotent resource creation/update for Lambda, IAM roles, and policies
- Add environment variable propagation wait time before Lambda invocation
- Reduce tutorial from 12 to 9 steps for better readability
- Add architecture diagram

Addresses feedback:
- Remove complex code examples in favor of console UI
- Keep tutorial simple and runnable end-to-end
- Enable multiple notebook executions without errors
- Fix hanging zip file creation issue
@didhd didhd force-pushed the add-lambda-agentcore-invocation-tutorial branch from 01198a7 to 1985be6 Compare October 16, 2025 02:43
- Add Dockerfile to .gitignore (generated dynamically in notebook)
- Fix F541 f-string without placeholder in lambda_agentcore_invoker.py line 25
@didhd didhd force-pushed the add-lambda-agentcore-invocation-tutorial branch from c4c4d61 to f7db7ce Compare October 16, 2025 02:53
@didhd
Contributor Author

didhd commented Oct 16, 2025

@mvangara10 @mxiamxia Thanks for the detailed feedback! I've addressed all the comments and pushed an update. Regarding the Application Signals Lambda Layer question - I have X-Ray Active Tracing configured but didn't add the Layer. Let me know if that's needed for full Gen AI Observability integration and I'll add it. Please let me know if I missed anything or if there are any other concerns. Thanks again for the thorough review!
