ECS to Bedrock Cross-Account Architecture
About This Architecture
This cross-account ECS to Bedrock architecture routes user traffic through an Application Load Balancer to Fargate tasks in a multi-AZ VPC; the tasks then call STS AssumeRole to take on an IAM role that grants access to Amazon Bedrock in a separate AWS account. The design isolates the workload and the AI model access into distinct accounts, enforcing least-privilege IAM policies on both sides of the account boundary and improving the overall security posture. This pattern demonstrates best practices for multi-account AWS deployments where compute and generative AI services require strict access boundaries. Fork this diagram on Diagrams.so to customize subnets, security groups, or IAM policies for your organization's cross-account strategy. The NAT Gateway enables outbound connectivity from the private Fargate tasks, while CloudWatch provides centralized observability across both accounts.
People also ask
How do I set up ECS Fargate tasks to access Amazon Bedrock in a separate AWS account securely?
This diagram shows a cross-account architecture where ECS Fargate tasks in Account A assume an IAM role via STS AssumeRole to access Amazon Bedrock in Account B. The ALB distributes traffic across multi-AZ private subnets, NAT Gateway enables outbound connectivity, and IAM policies enforce least-privilege access to Bedrock models while CloudWatch logs all activity.
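The cross-account hop described above comes down to three IAM documents plus one STS call: the task role in Account A may assume exactly one role in Account B, that role trusts exactly one principal (and requires an ExternalId), and its permissions policy allows only model invocation on one model ARN. The following Python is an added example, not code from the diagram or from Diagrams.so; the account IDs, role names, model ARN and ExternalId are constructed placeholders, and the boto3 calls at the end assume the script runs inside the Fargate task where the task role supplies the initial credentials.

```python
"""Cross-account Bedrock access from ECS Fargate: IAM policy construction,
a static least-privilege check, and the STS AssumeRole -> Bedrock call.
Added example with placeholder identifiers (not values from the diagram)."""
import json

# Constructed placeholders (assumptions, not values from the page).
WORKLOAD_ACCOUNT = "111111111111"            # Account A: VPC, ALB, ECS Fargate tasks
MODEL_ACCOUNT = "222222222222"               # Account B: Amazon Bedrock
TASK_ROLE_NAME = "ecs-bedrock-task-role"     # task role on the Fargate task definition
BEDROCK_ROLE_NAME = "bedrock-invoke-role"    # role in Account B that the task assumes
MODEL_ARN = "arn:aws:bedrock:us-east-1::foundation-model/EXAMPLE-MODEL-ID"  # placeholder
EXTERNAL_ID = "replace-with-a-random-secret"  # placeholder; keep it in Secrets Manager/SSM

TASK_ROLE_ARN = f"arn:aws:iam::{WORKLOAD_ACCOUNT}:role/{TASK_ROLE_NAME}"
BEDROCK_ROLE_ARN = f"arn:aws:iam::{MODEL_ACCOUNT}:role/{BEDROCK_ROLE_NAME}"


def task_role_policy(bedrock_role_arn: str) -> dict:
    """Account A: the only cross-account action the task role gets is assuming one named role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": bedrock_role_arn}]}


def trust_policy(task_role_arn: str, external_id: str) -> dict:
    """Account B: trust exactly one principal (the task role) and require an ExternalId,
    so a differently owned role cannot be confused into this session."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": task_role_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def permissions_policy(model_arn: str) -> dict:
    """Account B: the assumed role may invoke one model and nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": model_arn}]}


def least_privilege_findings(trust: dict, perms: dict) -> list:
    """Static check of the Account B policies; returns a list of problems (empty means OK)."""
    findings = []
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust policy does not require sts:ExternalId")
    for stmt in perms["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("permissions policy uses a wildcard action")
        if any(r == "*" for r in resources):
            findings.append("permissions policy uses a wildcard resource")
    return findings


def invoke_bedrock_cross_account(prompt_body: dict, region: str = "us-east-1") -> dict:
    """Inside the Fargate task: assume the Account B role, then call Bedrock with the
    temporary credentials. boto3 is imported here so the policy helpers run offline."""
    import boto3  # the task's own credentials come from the task role automatically
    sts = boto3.client("sts", region_name=region)
    creds = sts.assume_role(
        RoleArn=BEDROCK_ROLE_ARN,
        RoleSessionName="ecs-task-bedrock",  # visible in Account B CloudTrail for attribution
        ExternalId=EXTERNAL_ID,
        DurationSeconds=900,                 # shortest allowed session lifetime
    )["Credentials"]
    bedrock = boto3.client(
        "bedrock-runtime", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])
    resp = bedrock.invoke_model(
        modelId=MODEL_ARN, contentType="application/json", accept="application/json",
        body=json.dumps(prompt_body))
    return json.loads(resp["body"].read())


if __name__ == "__main__":
    trust, perms = trust_policy(TASK_ROLE_ARN, EXTERNAL_ID), permissions_policy(MODEL_ARN)
    print(json.dumps({"task_role": task_role_policy(BEDROCK_ROLE_ARN),
                      "trust": trust, "permissions": perms}, indent=2))
    print("findings:", least_privilege_findings(trust, perms))
```

Run the script locally to print the three policies and the check result; drop the loosened variants (a `*` principal, a missing ExternalId, a `*` resource) into `least_privilege_findings` to see each one flagged. Keeping the trust policy pinned to the task role ARN rather than the whole Account A root is what makes the account boundary in the diagram meaningful: any other role in Account A gets denied at the STS step, before it ever reaches Bedrock.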
- Domain: Cloud AWS
- Audience: AWS solutions architects designing cross-account LLM integrations with ECS
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.