Build the Image Processing Pipeline

In this lab you will use your AI coding agent to build a complete, end-to-end image processing pipeline. When an image is uploaded to S3, a Lambda function will automatically invoke Amazon Rekognition to detect labels and store the results in DynamoDB. This exercise combines everything you've practiced across the workshop — API calls, IAM configuration, event-driven architecture, and error handling.

Overview

Your goal is to give your agent a single, comprehensive prompt and observe how it plans and executes a multi-service architecture. The pipeline uses S3 event notifications to trigger a Lambda function, which calls Rekognition and writes results to a pre-existing DynamoDB table. You'll also configure proper error handling with a dead letter queue.

What You'll Learn

  • How to prompt your agent to build event-driven, multi-service architectures in a single pass
  • How the agent handles IAM roles with cross-service permissions (S3, Lambda, Rekognition, DynamoDB, SQS)
  • How to validate an end-to-end pipeline by uploading a test image

Instructions

Explore

Give your agent the full scenario in one prompt. Observe how it breaks down the problem, creates resources in the correct order, and wires everything together.

Desired outcome: An image uploaded to s3://agent-toolkit-workshop-{participant_id}/capstone/ triggers a Lambda function that calls Rekognition DetectLabels and stores the results in the pre-existing DynamoDB table capstone-image-labels-{participant_id}.

Info

Hint 1: The DynamoDB table capstone-image-labels-{participant_id} already exists (it was pre-deployed with the workshop infrastructure). Your agent only needs to create the Lambda function, its IAM role, the S3 event notification, and the dead letter queue.

Info

Hint 2: The S3 event notification must be filtered to the capstone/ prefix — this ensures only images uploaded to that path trigger the pipeline, not other workshop uploads.

Info

Hint 3: After deployment, test by uploading any JPEG or PNG image to the capstone/ prefix. Then check the DynamoDB table for items — you should see entries with detected labels and confidence scores.

Step-by-Step Walkthrough
  1. Open your AI coding agent and enter this prompt:

Build me an image processing pipeline: an S3 bucket event notification on my existing bucket "agent-toolkit-workshop-{participant_id}" triggers a Lambda function when objects are uploaded under the "capstone/" prefix. The Lambda function calls Rekognition DetectLabels (max 10 labels, min 70% confidence) on the uploaded image, then stores the results in the existing DynamoDB table "capstone-image-labels-{participant_id}" with the S3 object key as partition key (ImageId) and each label name as sort key (Label), plus Confidence and ProcessedAt fields. Configure proper IAM permissions, error handling that logs failures and writes an error record to DynamoDB, and a dead letter queue (SQS) for unhandled exceptions. Deploy everything in us-east-1.

  2. Watch how your agent plans the deployment. It should create:
       • An IAM execution role for the Lambda with permissions for S3 GetObject, Rekognition DetectLabels, DynamoDB PutItem, SQS SendMessage, and CloudWatch Logs
       • A Lambda function with the image processing logic
       • An SQS dead letter queue
       • An S3 event notification configuration filtered to capstone/ prefix with .jpg/.png suffixes
       • A Lambda resource policy allowing S3 to invoke it

  3. Once the agent finishes deploying, test the pipeline:

Upload a test image to s3://agent-toolkit-workshop-{participant_id}/capstone/test-image.jpg and then check the DynamoDB table capstone-image-labels-{participant_id} for the results.

If you don't have a sample image handy, ask your agent:

Download a sample image from a public URL and upload it to my S3 bucket under the capstone/ prefix to test the pipeline.

  4. Verify the results in DynamoDB. You should see items like:
       • ImageId: capstone/test-image.jpg, Label: Nature, Confidence: 98.5, ProcessedAt: 2024-...
       • ImageId: capstone/test-image.jpg, Label: Outdoors, Confidence: 95.2, ProcessedAt: 2024-...

  5. Check error handling by asking your agent:

Upload a text file (not an image) to s3://agent-toolkit-workshop-{participant_id}/capstone/not-an-image.txt and check both CloudWatch Logs and the DynamoDB table for the error record.
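A reference handler for the logic the walkthrough prompt describes, useful for reviewing what your agent generates. It is an added example, not workshop or agent output; the `ERROR` sort key, the `Error` attribute, the injectable clients and the sample event are assumptions made here.

```python
import datetime
import logging
from decimal import Decimal
from urllib.parse import unquote_plus

log = logging.getLogger(__name__)
TABLE = "capstone-image-labels-PARTICIPANT_ID"  # placeholder table name


def process_record(record, rekognition, table):
    """Label one S3 event record and return the DynamoDB items written."""
    bucket = record["s3"]["bucket"]["name"]
    # S3 URL-encodes keys in event payloads ("my photo.jpg" -> "my+photo.jpg").
    key = unquote_plus(record["s3"]["object"]["key"])
    now = datetime.datetime.now(datetime.timezone.utc).isoformat()
    try:
        resp = rekognition.detect_labels(
            Image={"S3Object": {"Bucket": bucket, "Name": key}},
            MaxLabels=10, MinConfidence=70)
        # boto3's DynamoDB resource rejects float, so store Decimal.
        items = [{"ImageId": key, "Label": lab["Name"], "ProcessedAt": now,
                  "Confidence": Decimal(str(round(lab["Confidence"], 2)))}
                 for lab in resp["Labels"]]
    except Exception as exc:
        # Handled failure: log it and leave one error record (assumed shape).
        log.exception("DetectLabels failed for %s", key)
        items = [{"ImageId": key, "Label": "ERROR", "ProcessedAt": now,
                  "Error": type(exc).__name__}]
    # A failed write is not caught: Lambda retries, then uses the DLQ.
    for item in items:
        table.put_item(Item=item)
    return items


def handler(event, context, rekognition=None, table=None):
    if rekognition is None:  # real clients unless fakes are injected
        import boto3
        rekognition = boto3.client("rekognition")
        table = boto3.resource("dynamodb").Table(TABLE)
    written = [process_record(r, rekognition, table) for r in event["Records"]]
    return {"written": sum(len(items) for items in written)}


# Constructed S3 event: one object whose key contains an encoded space.
SAMPLE_EVENT = {"Records": [{"s3": {
    "bucket": {"name": "agent-toolkit-workshop-demo"},
    "object": {"key": "capstone/my+photo.jpg"}}}]}
```

If the notification carries the .jpg/.png suffix filters listed in the walkthrough, S3 sends no event for not-an-image.txt, so an error record only appears when a non-image object has a matching suffix or the suffix filter is absent.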

Validation

Your progress is tracked on the CloudWatch dashboard. Module 6 completion requires:

  • ✅ S3 event notification configured for PutObject on the workshop bucket
  • ✅ A Lambda function matching capstone-processor* or image-processor* exists
  • ✅ The DynamoDB table capstone-image-labels-{participant_id} contains at least 1 item

To run validation manually, ask your agent:

Check if my S3 bucket has an event notification configured, if a Lambda function with "capstone" or "image-processor" in the name exists, and if the DynamoDB table "capstone-image-labels-{participant_id}" has any items.

Agent-Specific Tips

Claude Code excels at multi-service deployments in a single conversation turn. It will typically create the IAM role first, then the Lambda, then wire up the S3 notification.

If the agent tries to create the DynamoDB table, remind it:

The DynamoDB table already exists — don't create a new one. Just write to capstone-image-labels-{participant_id}.

For debugging Lambda execution issues, ask:

Check the CloudWatch Logs for my capstone Lambda function and show me recent log entries.

Kiro can break this into a spec-driven workflow. You could create a spec for the pipeline first, then have Kiro implement each component. However, for this exercise the single-prompt approach demonstrates the agent's ability to handle complex multi-step tasks autonomously.

If the deployment runs into permission issues, Kiro can inspect the IAM role and suggest fixes. Ask:

Check the execution role for my capstone Lambda — does it have all the permissions it needs for S3, Rekognition, DynamoDB, and SQS?
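The same question can be answered offline from the policy JSON, for both the execution role and the resource policy that lets S3 invoke the function. This is an added example, not workshop or agent code; the function names, the `expected` mapping and the sample policy are constructed here, and the condition check assumes the `ArnLike`/`StringEquals` form that `aws lambda add-permission --source-arn --source-account` writes.

```python
from fnmatch import fnmatchcase

# Actions the walkthrough's execution role needs, and nothing else.
REQUIRED = ["dynamodb:PutItem", "logs:CreateLogStream", "logs:PutLogEvents",
            "rekognition:DetectLabels", "s3:GetObject", "sqs:SendMessage"]
STAR_OK = {"rekognition"}  # DetectLabels has no resource-level permissions

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_role_policy(policy, expected):
    """expected maps a service prefix ("s3") to the one ARN it may target."""
    findings, granted = [], []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            granted.append(action.lower())
            service = action.split(":")[0].lower()
            if "*" in action:
                findings.append(f"wildcard action {action}")
            for res in _as_list(stmt["Resource"]):
                if res == "*" and service not in STAR_OK:
                    findings.append(f"{action} allowed on Resource *")
                elif res != "*" and res != expected.get(service, res):
                    findings.append(f"{action} targets unexpected {res}")
    return findings + [f"missing {a}" for a in REQUIRED
                       if not any(fnmatchcase(a.lower(), g) for g in granted)]

def audit_invoke_permission(stmt, bucket_arn, account_id):
    """The S3 invoke grant must be pinned to this bucket and this account."""
    def cond(op, key):  # condition keys are case-insensitive
        block = stmt.get("Condition", {}).get(op, {})
        return {k.lower(): v for k, v in block.items()}.get(key)
    principal, findings = stmt.get("Principal"), []
    if not isinstance(principal, dict) or principal.get("Service") != "s3.amazonaws.com":
        findings.append("principal is not s3.amazonaws.com")
    if cond("ArnLike", "aws:sourcearn") != bucket_arn:
        findings.append("missing aws:SourceArn for the bucket")
    if cond("StringEquals", "aws:sourceaccount") != account_id:
        findings.append("missing aws:SourceAccount")
    return findings

# Constructed sample: an over-broad role policy to push back on in review.
SAMPLE = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "rekognition:DetectLabels", "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "*"}]}
```

An empty list from both functions means the role grants only the listed actions on the expected resources and the invoke grant is bound to your bucket and account.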

Cursor handles multi-service deployments through its agent mode. Ensure you're in Agent mode for the full MCP tool set to be available.

If Cursor generates CloudFormation or CDK code instead of deploying directly, you can either:

  • Let it deploy the template
  • Or ask it to create resources directly via API calls

Deploy these resources directly using AWS API calls, not through CloudFormation.

Codex will plan and execute the multi-service pipeline. It may ask for confirmation before creating resources — confirm to proceed.

Info

If Codex splits the deployment across multiple steps, let it complete each step before proceeding. The S3 notification configuration requires the Lambda function to exist first.

For testing, ask Codex to verify the end-to-end flow:

Upload a sample image, wait 10 seconds, then query DynamoDB to show me the detected labels.