The aws:bedrock/agentcoreBrowser:AgentcoreBrowser resource, part of the Pulumi AWS provider, provisions a Bedrock AgentCore Browser that gives AI agents web browsing capabilities for navigating websites and extracting information. This guide focuses on three capabilities: public and VPC network modes, session recording to S3, and IAM role configuration.
Browsers may reference VPC infrastructure, S3 buckets for recording, and IAM roles for execution permissions. The examples are intentionally small. Combine them with your own networking, storage, and IAM configuration.
Create a browser with public network access
AI agents that need to browse public websites start with a browser configured for public internet access.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.bedrock.AgentcoreBrowser("example", {
name: "example-browser",
description: "Browser for web data extraction",
networkConfiguration: {
networkMode: "PUBLIC",
},
});
import pulumi
import pulumi_aws as aws
example = aws.bedrock.AgentcoreBrowser("example",
name="example-browser",
description="Browser for web data extraction",
network_configuration={
"network_mode": "PUBLIC",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/bedrock"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := bedrock.NewAgentcoreBrowser(ctx, "example", &bedrock.AgentcoreBrowserArgs{
Name: pulumi.String("example-browser"),
Description: pulumi.String("Browser for web data extraction"),
NetworkConfiguration: &bedrock.AgentcoreBrowserNetworkConfigurationArgs{
NetworkMode: pulumi.String("PUBLIC"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.Bedrock.AgentcoreBrowser("example", new()
{
Name = "example-browser",
Description = "Browser for web data extraction",
NetworkConfiguration = new Aws.Bedrock.Inputs.AgentcoreBrowserNetworkConfigurationArgs
{
NetworkMode = "PUBLIC",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.bedrock.AgentcoreBrowser;
import com.pulumi.aws.bedrock.AgentcoreBrowserArgs;
import com.pulumi.aws.bedrock.inputs.AgentcoreBrowserNetworkConfigurationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new AgentcoreBrowser("example", AgentcoreBrowserArgs.builder()
.name("example-browser")
.description("Browser for web data extraction")
.networkConfiguration(AgentcoreBrowserNetworkConfigurationArgs.builder()
.networkMode("PUBLIC")
.build())
.build());
}
}
resources:
example:
type: aws:bedrock:AgentcoreBrowser
properties:
name: example-browser
description: Browser for web data extraction
networkConfiguration:
networkMode: PUBLIC
The networkConfiguration property controls how the browser accesses the internet. Setting networkMode to “PUBLIC” allows the browser to reach any public website. The name property identifies the browser resource.
Connect to internal resources through VPC networking
Agents that need to access internal web applications or services behind firewalls require VPC configuration.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const vpcExample = new aws.bedrock.AgentcoreBrowser("vpc_example", {
name: "vpc-browser",
description: "Browser with VPC configuration",
networkConfiguration: {
networkMode: "VPC",
vpcConfig: {
securityGroups: ["sg-12345678"],
subnets: [
"subnet-12345678",
"subnet-87654321",
],
},
},
});
import pulumi
import pulumi_aws as aws
vpc_example = aws.bedrock.AgentcoreBrowser("vpc_example",
name="vpc-browser",
description="Browser with VPC configuration",
network_configuration={
"network_mode": "VPC",
"vpc_config": {
"security_groups": ["sg-12345678"],
"subnets": [
"subnet-12345678",
"subnet-87654321",
],
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/bedrock"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := bedrock.NewAgentcoreBrowser(ctx, "vpc_example", &bedrock.AgentcoreBrowserArgs{
Name: pulumi.String("vpc-browser"),
Description: pulumi.String("Browser with VPC configuration"),
NetworkConfiguration: &bedrock.AgentcoreBrowserNetworkConfigurationArgs{
NetworkMode: pulumi.String("VPC"),
VpcConfig: &bedrock.AgentcoreBrowserNetworkConfigurationVpcConfigArgs{
SecurityGroups: pulumi.StringArray{
pulumi.String("sg-12345678"),
},
Subnets: pulumi.StringArray{
pulumi.String("subnet-12345678"),
pulumi.String("subnet-87654321"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var vpcExample = new Aws.Bedrock.AgentcoreBrowser("vpc_example", new()
{
Name = "vpc-browser",
Description = "Browser with VPC configuration",
NetworkConfiguration = new Aws.Bedrock.Inputs.AgentcoreBrowserNetworkConfigurationArgs
{
NetworkMode = "VPC",
VpcConfig = new Aws.Bedrock.Inputs.AgentcoreBrowserNetworkConfigurationVpcConfigArgs
{
SecurityGroups = new[]
{
"sg-12345678",
},
Subnets = new[]
{
"subnet-12345678",
"subnet-87654321",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.bedrock.AgentcoreBrowser;
import com.pulumi.aws.bedrock.AgentcoreBrowserArgs;
import com.pulumi.aws.bedrock.inputs.AgentcoreBrowserNetworkConfigurationArgs;
import com.pulumi.aws.bedrock.inputs.AgentcoreBrowserNetworkConfigurationVpcConfigArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var vpcExample = new AgentcoreBrowser("vpcExample", AgentcoreBrowserArgs.builder()
.name("vpc-browser")
.description("Browser with VPC configuration")
.networkConfiguration(AgentcoreBrowserNetworkConfigurationArgs.builder()
.networkMode("VPC")
.vpcConfig(AgentcoreBrowserNetworkConfigurationVpcConfigArgs.builder()
.securityGroups("sg-12345678")
.subnets(
"subnet-12345678",
"subnet-87654321")
.build())
.build())
.build());
}
}
resources:
vpcExample:
type: aws:bedrock:AgentcoreBrowser
name: vpc_example
properties:
name: vpc-browser
description: Browser with VPC configuration
networkConfiguration:
networkMode: VPC
vpcConfig:
securityGroups:
- sg-12345678
subnets:
- subnet-12345678
- subnet-87654321
When networkMode is set to “VPC”, the vpcConfig property specifies which subnets and security groups the browser uses. This routes browser traffic through your private network, enabling access to internal services. The security groups control which resources the browser can reach.
Record browser sessions to S3 for audit and analysis
Organizations that need to audit agent behavior or analyze browsing patterns can enable session recording.
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const assumeRole = aws.iam.getPolicyDocument({
statements: [{
effect: "Allow",
actions: ["sts:AssumeRole"],
principals: [{
type: "Service",
identifiers: ["bedrock-agentcore.amazonaws.com"],
}],
}],
});
const example = new aws.iam.Role("example", {
name: "bedrock-agentcore-browser-role",
assumeRolePolicy: assumeRole.then(assumeRole => assumeRole.json),
});
const recording = new aws.s3.Bucket("recording", {bucket: "browser-recording-bucket"});
const exampleAgentcoreBrowser = new aws.bedrock.AgentcoreBrowser("example", {
name: "example-browser",
description: "Browser with recording enabled",
executionRoleArn: example.arn,
networkConfiguration: {
networkMode: "PUBLIC",
},
recording: {
enabled: true,
s3Location: {
bucket: recording.bucket,
prefix: "browser-sessions/",
},
},
});
import pulumi
import pulumi_aws as aws
assume_role = aws.iam.get_policy_document(statements=[{
"effect": "Allow",
"actions": ["sts:AssumeRole"],
"principals": [{
"type": "Service",
"identifiers": ["bedrock-agentcore.amazonaws.com"],
}],
}])
example = aws.iam.Role("example",
name="bedrock-agentcore-browser-role",
assume_role_policy=assume_role.json)
recording = aws.s3.Bucket("recording", bucket="browser-recording-bucket")
example_agentcore_browser = aws.bedrock.AgentcoreBrowser("example",
name="example-browser",
description="Browser with recording enabled",
execution_role_arn=example.arn,
network_configuration={
"network_mode": "PUBLIC",
},
recording={
"enabled": True,
"s3_location": {
"bucket": recording.bucket,
"prefix": "browser-sessions/",
},
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/bedrock"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
assumeRole, err := iam.GetPolicyDocument(ctx, &iam.GetPolicyDocumentArgs{
Statements: []iam.GetPolicyDocumentStatement{
{
Effect: pulumi.StringRef("Allow"),
Actions: []string{
"sts:AssumeRole",
},
Principals: []iam.GetPolicyDocumentStatementPrincipal{
{
Type: "Service",
Identifiers: []string{
"bedrock-agentcore.amazonaws.com",
},
},
},
},
},
}, nil)
if err != nil {
return err
}
example, err := iam.NewRole(ctx, "example", &iam.RoleArgs{
Name: pulumi.String("bedrock-agentcore-browser-role"),
AssumeRolePolicy: pulumi.String(assumeRole.Json),
})
if err != nil {
return err
}
recording, err := s3.NewBucket(ctx, "recording", &s3.BucketArgs{
Bucket: pulumi.String("browser-recording-bucket"),
})
if err != nil {
return err
}
_, err = bedrock.NewAgentcoreBrowser(ctx, "example", &bedrock.AgentcoreBrowserArgs{
Name: pulumi.String("example-browser"),
Description: pulumi.String("Browser with recording enabled"),
ExecutionRoleArn: example.Arn,
NetworkConfiguration: &bedrock.AgentcoreBrowserNetworkConfigurationArgs{
NetworkMode: pulumi.String("PUBLIC"),
},
Recording: &bedrock.AgentcoreBrowserRecordingArgs{
Enabled: pulumi.Bool(true),
S3Location: &bedrock.AgentcoreBrowserRecordingS3LocationArgs{
Bucket: recording.Bucket,
Prefix: pulumi.String("browser-sessions/"),
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var assumeRole = Aws.Iam.GetPolicyDocument.Invoke(new()
{
Statements = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
{
Effect = "Allow",
Actions = new[]
{
"sts:AssumeRole",
},
Principals = new[]
{
new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
{
Type = "Service",
Identifiers = new[]
{
"bedrock-agentcore.amazonaws.com",
},
},
},
},
},
});
var example = new Aws.Iam.Role("example", new()
{
Name = "bedrock-agentcore-browser-role",
AssumeRolePolicy = assumeRole.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
});
var recording = new Aws.S3.Bucket("recording", new()
{
BucketName = "browser-recording-bucket",
});
var exampleAgentcoreBrowser = new Aws.Bedrock.AgentcoreBrowser("example", new()
{
Name = "example-browser",
Description = "Browser with recording enabled",
ExecutionRoleArn = example.Arn,
NetworkConfiguration = new Aws.Bedrock.Inputs.AgentcoreBrowserNetworkConfigurationArgs
{
NetworkMode = "PUBLIC",
},
Recording = new Aws.Bedrock.Inputs.AgentcoreBrowserRecordingArgs
{
Enabled = true,
S3Location = new Aws.Bedrock.Inputs.AgentcoreBrowserRecordingS3LocationArgs
{
Bucket = recording.BucketName,
Prefix = "browser-sessions/",
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.Role;
import com.pulumi.aws.iam.RoleArgs;
import com.pulumi.aws.s3.Bucket;
import com.pulumi.aws.s3.BucketArgs;
import com.pulumi.aws.bedrock.AgentcoreBrowser;
import com.pulumi.aws.bedrock.AgentcoreBrowserArgs;
import com.pulumi.aws.bedrock.inputs.AgentcoreBrowserNetworkConfigurationArgs;
import com.pulumi.aws.bedrock.inputs.AgentcoreBrowserRecordingArgs;
import com.pulumi.aws.bedrock.inputs.AgentcoreBrowserRecordingS3LocationArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var assumeRole = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
.statements(GetPolicyDocumentStatementArgs.builder()
.effect("Allow")
.actions("sts:AssumeRole")
.principals(GetPolicyDocumentStatementPrincipalArgs.builder()
.type("Service")
.identifiers("bedrock-agentcore.amazonaws.com")
.build())
.build())
.build());
var example = new Role("example", RoleArgs.builder()
.name("bedrock-agentcore-browser-role")
.assumeRolePolicy(assumeRole.json())
.build());
var recording = new Bucket("recording", BucketArgs.builder()
.bucket("browser-recording-bucket")
.build());
var exampleAgentcoreBrowser = new AgentcoreBrowser("exampleAgentcoreBrowser", AgentcoreBrowserArgs.builder()
.name("example-browser")
.description("Browser with recording enabled")
.executionRoleArn(example.arn())
.networkConfiguration(AgentcoreBrowserNetworkConfigurationArgs.builder()
.networkMode("PUBLIC")
.build())
.recording(AgentcoreBrowserRecordingArgs.builder()
.enabled(true)
.s3Location(AgentcoreBrowserRecordingS3LocationArgs.builder()
.bucket(recording.bucket())
.prefix("browser-sessions/")
.build())
.build())
.build());
}
}
resources:
example:
type: aws:iam:Role
properties:
name: bedrock-agentcore-browser-role
assumeRolePolicy: ${assumeRole.json}
recording:
type: aws:s3:Bucket
properties:
bucket: browser-recording-bucket
exampleAgentcoreBrowser:
type: aws:bedrock:AgentcoreBrowser
name: example
properties:
name: example-browser
description: Browser with recording enabled
executionRoleArn: ${example.arn}
networkConfiguration:
networkMode: PUBLIC
recording:
enabled: true
s3Location:
bucket: ${recording.bucket}
prefix: browser-sessions/
variables:
assumeRole:
fn::invoke:
function: aws:iam:getPolicyDocument
arguments:
statements:
- effect: Allow
actions:
- sts:AssumeRole
principals:
- type: Service
identifiers:
- bedrock-agentcore.amazonaws.com
The recording property captures browser activity and stores it in S3. Set enabled to true and specify an s3Location with a bucket and optional prefix. The executionRoleArn grants the browser permissions to write session data to S3. The IAM role must have a trust policy allowing bedrock-agentcore.amazonaws.com to assume it.
Beyond these examples
These snippets focus on specific browser-level features: network configuration (public and VPC modes), session recording to S3, and IAM role attachment. They’re intentionally minimal rather than full agent deployments.
The examples may reference pre-existing infrastructure such as VPC subnets and security groups (for VPC mode), S3 buckets (for recording), and IAM roles with appropriate trust policies. They focus on configuring the browser rather than provisioning everything around it.
To keep things focused, common browser patterns are omitted, including:
- Tags for organization and cost tracking
- Custom timeouts for resource operations
- Region-specific deployment configuration
These omissions are intentional: the goal is to illustrate how each browser feature is wired, not provide drop-in agent modules. See the Bedrock AgentCore Browser resource reference for all available configuration options.
Let's configure AWS Bedrock Agent Browser
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Getting Started & Basics
What is Bedrock AgentCore Browser?
A resource that provides AI agents with web browsing capabilities, allowing them to navigate websites, extract information, and interact with web content in a controlled environment.
What's required to create a browser?
You need a
name and networkConfiguration with a networkMode (either PUBLIC or VPC). The region is also required but defaults to your provider configuration.Network Configuration
What network modes are available?
Two modes: PUBLIC for internet access, and VPC for private network access. VPC mode requires
vpcConfig with securityGroups and subnets.When should I use VPC configuration?
Use VPC mode when your browser needs to access resources in a private network. Configure
vpcConfig with security groups and subnets to control network access.IAM & Permissions
What IAM principal should I use for the execution role?
Use
bedrock-agentcore.amazonaws.com as the service principal in your assume role policy.Do I need an execution role?
The
executionRoleArn is optional. Provide it when your browser needs specific IAM permissions for its operations.Recording & Monitoring
How do I enable session recording?
Set
recording.enabled to true and configure recording.s3Location with a bucket and optional prefix for storing session recordings.How do I import an existing browser?
Use
pulumi import with the browser ID in the format BROWSER1234567890.Using a different cloud?
Explore analytics guides for other cloud providers: