Building an AI-Driven System for Compliance Evidence Collection
AWS developed a browser extension that uses Amazon Bedrock and the Amazon Nova 2 Lite model, building a system that automates the evidence-collection process for compliance audits.
Key points
An automation solution for compliance audits
The system automates manual screenshot collection and streamlines the audit workflow.
Intelligent workflow design powered by AI
The Amazon Nova 2 Lite model analyzes compliance documents and generates executable workflow JSON.
Flexibility through browser automation
No API access is required; it works with any web application and adapts to UI changes.
Complete infrastructure built on AWS services
Evidence is stored in Amazon S3, reports are delivered through Amazon SES, and the architecture is serverless, built on AWS Lambda and related services.
Infrastructure deployment with AWS CloudFormation
A unified CloudFormation template deploys the complete AWS infrastructure supporting the Chrome extension, the Firefox extension, or both. The AdminEmail and UserEmail parameters must be set.
Browser extension setup steps
Build the Chrome and Firefox extensions in their respective folders with npm install and npm run build, then load the dist folder in the browser's developer mode to install it.
Impact analysis
This article presents a concrete example of integrating AI into day-to-day operational processes, and it may help make work more efficient, particularly in industries subject to regulatory requirements. As an end-to-end solution combining AWS services, it serves as an implementation reference for cloud-native companies.
Editorial comment
As a practical AI application built on AWS's own services, the technical blog post shows concrete implementation details and has high reference value, though the content also has a promotional flavor.
Compliance audits require comprehensive evidence trails, often involving hundreds of screenshots across multiple systems. Your compliance teams likely spend hours manually navigating through GitHub repositories, AWS consoles, and internal applications, capturing screenshots at each step. This manual process is time-consuming, error-prone, and difficult to reproduce consistently across audit cycles. This post demonstrates how we automated audit workflows using Amazon Bedrock and browser automation.
In this post, we show you how to build a similar system for your organization. You will learn the architecture decisions, implementation details, and deployment process that can help you automate your own compliance workflows. We built a browser extension that automates this evidence collection process using Amazon Bedrock with the Amazon Nova 2 Lite model. Your extension will execute pre-defined compliance workflows, automatically capture timestamped screenshots, and store organized evidence in Amazon Simple Storage Service (Amazon S3). It can also analyze compliance documents and generate new workflows using natural language processing (NLP).
You will learn how we architected this solution, integrated Amazon Nova 2 Lite for intelligent automation, and implemented browser automation tools that handle the complexity of modern web applications. We cover the technical implementation details, deployment process, and real-world usage patterns.
Solution overview
We chose browser automation combined with AI for several key reasons: it works with any web application without requiring API access, it captures visual evidence that auditors need, and it can adapt to UI changes through intelligent automation.
The solution uses a browser extension for Chrome and Firefox as the primary interface, providing three main capabilities: an evidence collector, an AI-powered workflow designer, and report delivery. The evidence collector executes pre-defined workflows, navigating through web applications and capturing timestamped screenshots in an Amazon S3 bucket. The AI-powered workflow designer communicates with Amazon Bedrock using the Amazon Nova 2 Lite model. When you upload a compliance text document, Amazon Nova 2 Lite analyzes it and generates executable workflow JSON that the extension can run. For report delivery, after a workflow completes, Amazon Simple Email Service (Amazon SES) generates and sends a compliance report to a specified email address.
On the infrastructure side, two AWS Lambda functions support the solution: one uploads initial system prompts to the S3 bucket during deployment, and another handles bucket cleanup. For authentication and authorization, the extension uses Amazon Cognito to manage user sign-in. Cognito works with AWS Security Token Service (AWS STS) and AWS Identity and Access Management (IAM) to provide the extension with scoped, least-privilege credentials for accessing Amazon Bedrock, Amazon S3, and Amazon SES. AWS encrypts evidence at rest, organizes it by date and workflow, and includes comprehensive audit logs.
Architecture
Now that you understand what the system does, let’s examine how it’s structured. The browser extension will follow a modular architecture with four distinct layers:
A. UI Layer
The side panel provides the primary interface with three components. The chat interface allows for natural language interaction with Amazon Nova 2 Lite for compliance questions and one-time automation. The workflow management panel lists available workflows, shows execution status, and provides edit capabilities. The authentication UI handles Amazon Cognito login and configuration management. The following image shows the UI and its capabilities.
B. AI Agent Layer
Amazon Nova 2 Lite serves as the intelligence layer with three operational modes:
- Chat mode: Ask ad hoc questions; the model answers compliance questions and executes browser automation tools based on natural language commands. This is most useful when you need quick evidence collection without creating a full workflow.
- Designer mode (used for creating new workflows): Analyzes uploaded .txt documents to extract workflow steps and generate automation scripts. Use this when you have compliance documentation and need to create repeatable workflows.
- Report generation mode (used after workflow completion): Analyzes captured screenshots after workflow completion to generate a comprehensive compliance report that includes evidence summaries, findings, and compliance status assessments. Amazon SES then emails the completed report to your specified email address.
C. Workflow Engine
The workflow execution engine processes JSON-defined workflows step by step. JSON is a text format for defining step-by-step instructions; don't worry about the technical details yet, because we show you how the AI can generate these automatically. The engine handles navigation, waits for page loads, captures screenshots with context, and manages user confirmation steps for manual actions like authentication. The engine includes intelligent error recovery that uses Amazon Nova 2 Lite to suggest alternatives when steps fail.
The workflow designer analyzes compliance documents using Amazon Nova 2 Lite, extracts required evidence points, and generates workflow JSON. You can test workflows before saving, edit existing workflows, and manage workflow versions in Amazon S3.
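Both the engine's screenshot step and the designer's workflow saves end up as objects in the bucket layout described in the next section (D. Storage and Services). The helpers below are an added example, not code from the AWS sample project: they build keys in that layout (evidence/YYYY/MM/DD/screenshot-*.png, reports/YYYY/MM/DD/report-{workflow-name}-{timestamp}.html, config/workflows/backups/user-workflows-{timestamp}.json) and parse them back into categories so an audit job can check that every report has matching evidence. Because the workflow name comes out of AI-generated JSON, safeName restricts it before it becomes part of a key; the helper names, the -stepN suffix on screenshot files and the sanitization rule are assumptions, not the project's behaviour.

```javascript
// Added example (not from the AWS sample project): build and parse object keys
// following the bucket layout the post describes. The layout comes from the post;
// helper names, the -stepN suffix and the sanitization rule are assumptions.

// Workflow names come from AI-generated JSON, so restrict them before they become
// part of an object key: no slashes, dots or other characters that could place an
// object under a different prefix than the one the extension's role is scoped to.
function safeName(name) {
  const cleaned = String(name)
    .trim()
    .replace(/[^A-Za-z0-9 _-]+/g, "-")
    .replace(/\s+/g, "-");
  return cleaned.replace(/^-+|-+$/g, "") || "unnamed";
}

// YYYY/MM/DD in UTC, the date path used under evidence/ and reports/.
function datePath(date) {
  const y = date.getUTCFullYear();
  const m = String(date.getUTCMonth() + 1).padStart(2, "0");
  const d = String(date.getUTCDate()).padStart(2, "0");
  return `${y}/${m}/${d}`;
}

// Compact ISO timestamp usable inside a file name (colons and dots removed).
function fileTimestamp(date) {
  return date.toISOString().replace(/[:.]/g, "-");
}

function screenshotKey(date, stepIndex) {
  return `evidence/${datePath(date)}/screenshot-${fileTimestamp(date)}-step${stepIndex}.png`;
}

function reportKey(workflowName, date) {
  return `reports/${datePath(date)}/report-${safeName(workflowName)}-${fileTimestamp(date)}.html`;
}

function workflowBackupKey(date) {
  return `config/workflows/backups/user-workflows-${fileTimestamp(date)}.json`;
}

// Map a key back to its category (and date, where the layout has one) so an audit
// job can verify the evidence trail, e.g. every report dated D has screenshots under
// evidence/D. Keys outside the expected prefixes are reported as "unknown".
const KEY_PATTERNS = [
  { category: "screenshot", re: /^evidence\/(\d{4}\/\d{2}\/\d{2})\/screenshot-[^/]+\.png$/ },
  { category: "report", re: /^reports\/(\d{4}\/\d{2}\/\d{2})\/report-[^/]+\.html$/ },
  { category: "workflow-backup", re: /^config\/workflows\/backups\/user-workflows-[^/]+\.json$/ },
  { category: "chat-log", re: /^chat-logs\/chat-log-[^/]+\.json$/ },
];

function classifyKey(key) {
  for (const { category, re } of KEY_PATTERNS) {
    const m = re.exec(key);
    if (m) return { category, date: m[1] || null };
  }
  return { category: "unknown", date: null };
}
```

Keeping every write behind these helpers has a practical consequence: the IAM role that Cognito hands the extension can be scoped to exactly these prefixes, and sanitizing the name keeps a hostile document from steering an object under config/prompts/, where the system prompts that drive the model live.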
D. Storage and Services
Amazon S3 stores evidence with a structured folder hierarchy organizing screenshots, compliance documents, AI prompts, workflows with backups, chat logs, and generated reports as shown in the following example:
evidence-collector-bucket-{AccountId}-{Region}/
|
|--- evidence/
|    |--- README.txt → Explains the evidence folder structure and organization
|    |--- YYYY/MM/DD/
|         |--- screenshot-*.png → Captured screenshots during workflow execution for compliance evidence
|
|--- workflow-documents/
|    |--- README.txt → Explains the workflow documents folder purpose
|    |--- {timestamp}-(unknown).txt → User-uploaded compliance documents analyzed by AI to generate workflows
|
|--- config/
|    |--- prompts/
|    |    |--- compliance-assistant-prompt.txt → Defines AI assistant's compliance knowledge and response guidelines
|    |    |--- workflow-designer-prompt.txt → Instructs AI on generating workflows from compliance documents
|    |    |--- report-analysis-prompt.txt → Guides AI in analyzing workflow execution results for reports
|    |
|    |--- workflows/
|         |--- README.txt → Explains the workflows folder and backup strategy
|         |--- user-workflows.json → Current active workflows available to users
|         |--- backups/
|              |--- user-workflows-{timestamp}.json → Timestamped backup created before each workflow update
|
|--- chat-logs/
|    |--- README.txt → Explains the chat logs folder purpose
|    |--- chat-log-{timestamp}.json → Conversation logs between users and AI for audit trail
|
|--- reports/
     |--- README.txt → Explains the reports folder structure and organization
     |--- YYYY/MM/DD/
          |--- report-{workflow-name}-{timestamp}.html → Generated HTML evidence report documenting workflow execution
AI-powered workflow designer
The following image shows what happens in the frontend and which AWS services you interact with.
The workflow designer solves a key challenge: creating workflows from compliance documents quickly and accurately. You can upload a text file containing compliance requirements, and Amazon Nova 2 Lite analyzes it to generate executable workflows.
The process works in three steps: (1) Document upload – Upload a text file containing compliance requirements, (2) AI analysis – Amazon Nova 2 Lite extracts required evidence points, identifies systems to check, and determines automation opportunities, and (3) Workflow generation – The AI generates complete workflow JSON with navigation steps, screenshot points, and user confirmation steps where needed.
For example, given a document stating, "To take the evidence we need to take some screenshots from GitHub.com. After logging in, go to repo 'https://github.com/aws-samples'. Verify branch protection is enabled on main branch with required reviews. Take a screenshot after logging in and then again after verification steps.", Nova 2 Lite analyzes the document and generates the following workflow:
{
  "workflows": [
    {
      "name": "GitHub Branch Protection Verification",
      "description": "Verify branch protection is enabled on the main branch with required reviews",
      "steps": [
        {
          "action": "navigate",
          "url": "https://github.com",
          "description": "Navigate to GitHub homepage"
        },
        {
          "action": "wait_for_user",
          "description": "Please log in with your GitHub credentials, then click Continue"
        },
        {
          "action": "screenshot",
          "description": "Capture the page after login for evidence"
        },
        {
          "action": "navigate",
          "url": "https://github.com/YOUR_REPO",
          "description": "Navigate to the repository where you want to verify branch protection"
        },
        {
          "action": "click",
          "element": "Settings",
          "description": "Click on the Settings tab"
        },
        {
          "action": "click",
          "element": "Branches",
          "description": "Click on the Branches option under Settings"
        },
        {
          "action": "screenshot",
          "description": "Capture the branch protection settings page for evidence"
        }
      ]
    }
  ]
}
The workflow designer includes a test mode where you can execute the generated workflow immediately to verify that it works correctly. If steps need adjustment, the edit mode allows JSON modifications with syntax highlighting and validation.
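The designer's output is executed by the extension inside the user's live browser session and with the credentials Cognito issued it, so generated JSON deserves the same treatment as any other untrusted input before it runs: the text a user uploads is what the model turns into steps. The validator below is an added example, not code from the AWS sample project. It checks a generated document against the step shapes shown above (navigate, wait_for_user, screenshot, click, each with a description) and refuses navigate steps whose URL is not https on an allowlisted host. The host allowlist, the helper names and the requirement that a workflow contain at least one screenshot step are assumptions added here.

```javascript
// Added example (not from the AWS sample project): validate AI-generated workflow
// JSON before the extension executes it. The action names and step fields follow
// the generated workflow shown in the post; the host allowlist is an assumption.

const ALLOWED_ACTIONS = new Set(["navigate", "wait_for_user", "screenshot", "click"]);

// Hosts the compliance team actually collects evidence from (constructed list).
const ALLOWED_HOSTS = new Set(["github.com", "console.aws.amazon.com"]);

// Validate one step; returns a list of human-readable problems (empty when fine).
function validateStep(step, index, allowedHosts) {
  const errors = [];
  const where = `step ${index}`;
  if (typeof step !== "object" || step === null) {
    return [`${where}: not an object`];
  }
  if (!ALLOWED_ACTIONS.has(step.action)) {
    errors.push(`${where}: unknown action "${step.action}"`);
  }
  if (typeof step.description !== "string" || step.description.trim() === "") {
    errors.push(`${where}: missing description`);
  }
  if (step.action === "navigate") {
    let url;
    try {
      url = new URL(step.url); // throws on relative or malformed URLs
    } catch (e) {
      return errors.concat(`${where}: url is not a valid absolute URL`);
    }
    if (url.protocol !== "https:") {
      errors.push(`${where}: only https: navigation is allowed (got ${url.protocol})`);
    }
    if (!allowedHosts.has(url.hostname)) {
      errors.push(`${where}: host "${url.hostname}" is not allowlisted`);
    }
  }
  if (step.action === "click" && (typeof step.element !== "string" || step.element === "")) {
    errors.push(`${where}: click step needs an element`);
  }
  return errors;
}

// Validate a single workflow object ({ name, description, steps }).
function validateWorkflow(workflow, allowedHosts = ALLOWED_HOSTS) {
  const errors = [];
  if (typeof workflow.name !== "string" || workflow.name.trim() === "") {
    errors.push("workflow: missing name");
  }
  if (!Array.isArray(workflow.steps) || workflow.steps.length === 0) {
    errors.push("workflow: steps must be a non-empty array");
    return { ok: false, errors };
  }
  workflow.steps.forEach((step, i) => errors.push(...validateStep(step, i, allowedHosts)));
  // A workflow that never captures a screenshot produces no evidence at all.
  if (!workflow.steps.some((s) => s.action === "screenshot")) {
    errors.push("workflow: no screenshot step, so it would produce no evidence");
  }
  return { ok: errors.length === 0, errors };
}

// Validate the whole document the designer returns: { "workflows": [ ... ] }.
function validateWorkflowDocument(json, allowedHosts = ALLOWED_HOSTS) {
  let doc;
  try {
    doc = JSON.parse(json);
  } catch (e) {
    return { ok: false, errors: [`invalid JSON: ${e.message}`] };
  }
  if (!doc || !Array.isArray(doc.workflows)) {
    return { ok: false, errors: ["document: missing workflows array"] };
  }
  const errors = doc.workflows.flatMap((w, i) =>
    validateWorkflow(w, allowedHosts).errors.map((e) => `workflows[${i}] ${e}`)
  );
  return { ok: errors.length === 0, errors };
}

// Constructed sample input: a trimmed copy of the generated workflow in the post.
const SAMPLE_DOC = JSON.stringify({
  workflows: [{
    name: "GitHub Branch Protection Verification",
    description: "Verify branch protection is enabled on the main branch with required reviews",
    steps: [
      { action: "navigate", url: "https://github.com", description: "Navigate to GitHub homepage" },
      { action: "wait_for_user", description: "Please log in with your GitHub credentials, then click Continue" },
      { action: "screenshot", description: "Capture the page after login for evidence" },
      { action: "navigate", url: "https://github.com/YOUR_REPO", description: "Navigate to the repository" },
      { action: "click", element: "Settings", description: "Click on the Settings tab" },
      { action: "click", element: "Branches", description: "Click on the Branches option under Settings" },
      { action: "screenshot", description: "Capture the branch protection settings page for evidence" },
    ],
  }],
});
```

Run the check in the designer's test mode before a workflow is written to user-workflows.json, and surface the errors array in the edit mode next to the JSON so the person reviewing the workflow can see exactly why a step was rejected rather than having it fail during an audit run.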
Prerequisites
Before you begin, verify that you have:
- An active AWS account with appropriate permissions
- Access to Amazon Bedrock, Amazon S3, Amazon SES, Amazon Cognito, and IAM
- AWS Command Line Interface (AWS CLI) (v2.x) configured with credentials
- Chrome (version 88 or later) or Firefox (version 147.0.2 or later) browser
Deployment and setup
Clone the GitHub repository and navigate to the project directory for the specific browser that you’re using. The main directory contains chrome-extension and firefox-extension folders.
git clone https://github.com/aws-samples/sample-ai-powered-compliance-evidence-collector
cd sample-ai-powered-compliance-evidence-collector
We provide a unified AWS CloudFormation template that deploys the complete AWS infrastructure with support for Chrome, Firefox, or both browsers. You must update AdminEmail with the email address that Amazon SES uses to send the generated reports and UserEmail with the email address that receives both the temporary Amazon Cognito password and the compliance report.
You can use the BrowserType parameter to select which browser extensions to support:
- Chrome – configured for Chrome extension only
- Firefox – configured for Firefox extension only
- Both – configured for both Chrome and Firefox extensions (default)
aws cloudformation create-stack \
--stack-name evidence-collector \
--template-body file://deployment/evidence-collector-cfn.yaml \
--parameters \
ParameterKey=BrowserType,ParameterValue=Both \
ParameterKey=AdminEmail,ParameterValue=admin@example.com \
ParameterKey=UserEmail,ParameterValue=user@example.com \
ParameterKey=BucketName,ParameterValue=my-evidence-bucket \
--capabilities CAPABILITY_IAM \
--region us-east-1
The template creates:
- Amazon Cognito User Pool with strong password policy
- Amazon Cognito Identity Pool for AWS service access with role-based permissions
- S3 Bucket with encryption, versioning, and public access blocking
- IAM Roles with least-privilege policies for Amazon Bedrock, S3, and SES access
- AWS Lambda function that uploads initial system prompts to S3
- Initial User with email invitation containing temporary password
After deployment, the CloudFormation outputs provide values needed to configure the browser extension:
- EvidenceBucketName
- IdentityPoolId
- Region
- UserPoolClientId
- UserPoolId
You will input this data into the browser extension for a one-time setup. The output of the CloudFormation screen will be as shown in the following image.
Browser extension configuration
For Chrome:
Navigate to the chrome-extension folder in the GitHub repository you cloned earlier and build it by following these steps:
- cd chrome-extension
- npm install
- npm run build
This creates a dist folder within the chrome-extension folder. Then continue with the following steps in the Chrome browser.
- Go to the Chrome browser.
- Navigate to chrome://extensions in the address bar.
- Enable Developer mode (toggle in the top-right corner).
- Select the Load unpacked button.
- Navigate to and select the chrome-extension/dist folder.
After you have the extension installed, you can insert the output from the CloudFormation template to configure it as shown in the following image.
For Firefox:
Navigate to the firefox-extension folder in the GitHub repository you cloned earlier and build it by following these steps:
- cd firefox-extension
- npm install
- npm run build
This creates a dist folder within the firefox-extension folder.