Docs/Infrastructure/AWS Integration

AWS Integration

How SkyKoi uses EC2, IAM, Bedrock, and security groups to run your agent.

SkyKoi uses AWS as its infrastructure backbone. Each user's agent runs on a dedicated EC2 instance with IAM-scoped access to AWS Bedrock for AI model inference.

Service Map

•EC2 — Dedicated t3.small instances (Ubuntu 22.04) for each user. Provisioned via user-data script.
•IAM — Instance profile skykoi-tenant-agent-profile grants Bedrock access without API keys.
•AWS Bedrock — Claude Opus 4.6 model inference (amazon-bedrock/us.anthropic.claude-opus-4-6-v1). No Anthropic API key needed.
•Security Groups — Network access control with ports 22, 80, 443, 8080, 18789 open.
•VPC — Network isolation for all tenant instances.

Agent AWS Access

The Koi running on the EC2 instance has access to the AWS CLI v2 (installed during provisioning) via the instance's IAM role. This means the agent can manage AWS resources through natural language:

•Launch and manage EC2 instances
•Create and configure S3 buckets
•Deploy Lambda functions
•Manage RDS databases
•Deploy CloudFormation stacks
•Configure Route 53 DNS
•Monitor CloudWatch metrics and alarms

⚠️Agent AWS access is scoped by the IAM instance profile. The default profile provides Bedrock access. Additional AWS permissions depend on your plan and can be customized for Enterprise customers.

Data Persistence

All data lives locally on the EC2 instance:

•Workspace — /home/ubuntu/koi/ (AGENTS.md, SOUL.md, memory files, etc.)
•Config — /home/ubuntu/.skykoi/skykoi.json
•Sessions — JSONL transcripts stored locally
•No S3 sync — Workspace data stays on the instance (S3 backup is on the roadmap)

Previous← Instance Isolation

NextDeployment Model →