In this post, I’ll walk you through how I built ATS Buddy, an AI assistant powered by AWS Bedrock, developed for the AWS AI Agent Global Hackathon.

The inspiration came from a frustration many job seekers share: with over 75% of resumes filtered out by ATS systems before reaching a recruiter, countless qualified candidates are overlooked daily. ATS Buddy addresses this challenge while also tackling a critical concern — the privacy of sensitive resume data.

To solve this, I designed ATS Buddy with a privacy-first architecture, ensuring PII redaction and strict data lifecycle management. The goal was simple: help candidates get noticed while protecting their personal information.

👉 Try the live demo.

Setup

I used KIRO, an AI IDE for rapid prototyping to production. After joining the waitlist and obtaining an invite code, I started building ATS Buddy.

For each specification, KIRO automatically generates requirements.md, design.md, and tasks.md. The updated UI now also shows usage stats conveniently in the corner.

[Screenshot: KIRO IDE]

High-Level Architecture

Here’s the high-level architecture diagram of ATS Buddy:

[Figure: ATS Buddy high-level architecture]

AWS AI/ML Pipeline Architecture

ATS Buddy combines Textract, Comprehend, and Bedrock into a privacy-first AI pipeline:

  • Textract → Extract text from PDFs
  • Comprehend → Detect & redact PII
  • Bedrock (Nova Lite) → AI-driven ATS analysis
  • S3/DynamoDB → Storage + caching with lifecycle management

Infrastructure As Code

All infrastructure is defined with AWS SAM (Serverless Application Model). A detailed DEPLOYMENT_GUIDE.md is included in the project repository.

Prerequisites

  1. Install the AWS CLI.

aws --version
# aws-cli/2.30.5 Python/3.13.7 Windows/11 exe/AMD64

  2. Configure IAM user access keys following Manage Access Keys for IAM Users:

aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]:
# Default output format [None]:

  3. Install the AWS SAM CLI for deploying serverless applications via IaC.

Key Components

The ATS Buddy infrastructure is defined using AWS SAM, which extends CloudFormation with serverless-specific syntax. Let me walk you through the critical components that make this application work.

1. Storage Layer: S3 Buckets

  • ResumesBucket: Temporary storage, auto-deletes after 24h
  • ReportsBucket: Secure report storage with presigned URL access
  • WebUIBucket: Hosts the static web app

LifecycleConfiguration:
  Rules:
    - Id: DeleteOldResumes
      Status: Enabled
      ExpirationInDays: 1
      NoncurrentVersionExpirationInDays: 1

2. Privacy-First Design: PII Redaction Pipeline

This is ATS Buddy’s most innovative feature: resumes are sanitized before processing.

  • S3 Access Point → PIIRedaction Lambda (Comprehend) → Object Lambda Access Point

This ensures no raw PII ever reaches downstream functions.

PIIRedactionObjectLambdaAccessPoint:
  Type: AWS::S3ObjectLambda::AccessPoint
  Properties:
    Name: !Sub "pii-redacted-resumes-${Environment}"
    ObjectLambdaConfiguration:
      SupportingAccessPoint: !Sub "${ResumesBucketAccessPoint.Arn}"
      TransformationConfigurations:
        - Actions:
            - GetObject
          ContentTransformation:
            AwsLambda:
              FunctionArn: !GetAtt PIIRedactionFunction.Arn
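
One way the redaction step behind this access point can work, as an added example (not ATS Buddy's own code): it applies the offsets from a Comprehend DetectPiiEntities response to the text and returns the result through WriteGetObjectResponse. The function names, the 0.5 score threshold and the sample data are assumptions constructed for illustration.

```python
# Added example; function names and the sample data below are constructed.
SAMPLE_TEXT = "John Tan, john.tan@example.com, +65 9123 4567, Singapore"
# Shaped like the "Entities" list returned by Comprehend DetectPiiEntities.
SAMPLE_ENTITIES = [
    {"Type": "NAME", "Score": 0.99, "BeginOffset": 0, "EndOffset": 8},
    {"Type": "EMAIL", "Score": 0.99, "BeginOffset": 10, "EndOffset": 30},
    {"Type": "URL", "Score": 0.90, "BeginOffset": 19, "EndOffset": 30},
    {"Type": "PHONE", "Score": 0.98, "BeginOffset": 32, "EndOffset": 45},
    {"Type": "ADDRESS", "Score": 0.30, "BeginOffset": 47, "EndOffset": 56},
]


def merge_spans(entities, min_score):
    """Drop low-confidence hits, then merge overlapping spans left to right."""
    spans = sorted((e["BeginOffset"], e["EndOffset"], e["Type"])
                   for e in entities if e["Score"] >= min_score)
    merged = []
    for begin, end, kind in spans:
        if merged and begin < merged[-1][1]:
            first = merged[-1]
            merged[-1] = (first[0], max(first[1], end), first[2])
        else:
            merged.append((begin, end, kind))
    return merged


def redact(text, entities, min_score=0.5):
    """Replace each detected span with a [TYPE] marker."""
    out, cursor = [], 0
    for begin, end, kind in merge_spans(entities, min_score):
        out += [text[cursor:begin], f"[{kind}]"]
        cursor = end
    return "".join(out) + text[cursor:]


def handler(event, context):
    """Object Lambda entry point; AWS imports are lazy so redact() runs offline."""
    import urllib.request
    import boto3
    ctx = event["getObjectContext"]
    with urllib.request.urlopen(ctx["inputS3Url"]) as resp:
        raw = resp.read().decode("utf-8")
    found = boto3.client("comprehend").detect_pii_entities(
        Text=raw, LanguageCode="en")
    # Any exception above propagates: the caller gets an error, never raw text.
    boto3.client("s3").write_get_object_response(
        RequestRoute=ctx["outputRoute"], RequestToken=ctx["outputToken"],
        Body=redact(raw, found["Entities"]).encode("utf-8"))
    return {"statusCode": 200}
```

Redaction applies only to GetObject calls made through the Object Lambda access point; reads against the bucket or the supporting access point return the original object, so which of those a downstream role may call decides whether raw PII is reachable.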

3. Processing Layer: Lambda Functions

This is the heart of ATS Buddy. It orchestrates the entire workflow:

  • Upload via API Gateway
  • Extract text with Textract
  • Read redacted data only
  • Analyze with Bedrock (Nova Lite)
  • Generate ATS reports

The function is configured with 512MB memory and a 5-minute timeout to handle large resumes and complex AI processing.

Environment:
  Variables:
    RESUMES_BUCKET: !Ref ResumesBucket
    REPORTS_BUCKET: !Ref ReportsBucket
    RESUME_CACHE_TABLE: !Ref ResumeCacheTable
    PII_REDACTED_ACCESS_POINT: !GetAtt PIIRedactionObjectLambdaAccessPoint.Arn

4. Caching Layer: DynamoDB

Resumes are hashed and cached for 24h using TTL, reducing costs and re-processing.

ResumeCacheTable:
  Type: AWS::DynamoDB::Table
  Properties:
    TableName: !Sub "ats-buddy-resume-cache-${Environment}"
    BillingMode: PAY_PER_REQUEST
    TimeToLiveSpecification:
      AttributeName: ttl
      Enabled: true
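
The caching flow described above, as an added example (not the project's code): the resume bytes are hashed for the key, the ttl attribute is set 24 hours ahead, and reads treat an expired item as a miss because DynamoDB deletes expired items in the background rather than at the ttl instant. The key and payload attribute names and the FakeTable stand-in are assumptions; the page's table snippet does not show a key schema.

```python
import hashlib
import time

CACHE_TTL_SECONDS = 24 * 60 * 60  # the 24h window described above


def build_item(resume_bytes, payload, now=None):
    """Item keyed by content hash; `resume_hash` and `payload` are assumed names."""
    now = int(time.time()) if now is None else now
    return {
        "resume_hash": hashlib.sha256(resume_bytes).hexdigest(),
        "payload": payload,
        "ttl": now + CACHE_TTL_SECONDS,  # epoch seconds (Number), as TTL requires
    }


def get_cached(table, resume_bytes, now=None):
    """Return the cached payload, treating anything past its ttl as a miss.

    DynamoDB removes expired items in the background, so an item can still be
    returned by reads after its ttl has passed.
    """
    now = int(time.time()) if now is None else now
    key = {"resume_hash": hashlib.sha256(resume_bytes).hexdigest()}
    item = table.get_item(Key=key).get("Item")
    if item is None or int(item["ttl"]) <= now:  # boto3 returns Decimal
        return None
    return item["payload"]


class FakeTable:
    """Constructed stand-in for a boto3 Table so the example runs offline."""

    def __init__(self):
        self.rows = {}

    def put_item(self, Item):
        self.rows[Item["resume_hash"]] = Item

    def get_item(self, Key):
        row = self.rows.get(Key["resume_hash"])
        return {"Item": row} if row else {}
```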

5. API Layer: API Gateway

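RESTful endpoints power the web UI with CORS support. The configuration below uses a wildcard origin (AllowOrigin '*'), which lets a page on any origin call the API from a browser; a deployment beyond a demo would list the web UI's origin instead.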

  • POST /analyze: Upload and analyze a resume
  • POST /enhance: Generate an enhanced version based on analysis
  • OPTIONS endpoints: Handle CORS preflight requests

Cors:
  AllowMethods: "'GET,POST,PUT,DELETE,OPTIONS'"
  AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Requested-With'"
  AllowOrigin: "'*'"

6. Security and IAM

Each Lambda follows least-privilege policies, tightly scoped to its role (e.g., the redaction function cannot access DynamoDB).

  • ATSBuddyLambdaRole: Grants access to S3 (both regular and Object Lambda access points), Textract for document processing, Bedrock for AI analysis, and DynamoDB for caching.
  • PIIRedactionLambdaRole: Limited to only S3 Object Lambda operations and Amazon Comprehend for PII detection. This function can’t access any other AWS resources, minimizing the attack surface.

Policies:
  - PolicyName: ComprehendAccess
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - comprehend:DetectPiiEntities
            - comprehend:ContainsPiiEntities
          Resource: "*"

Deployment

Deploy with:

cd infra

sam validate
# template.yaml is a valid SAM Template

sam build
# Build Succeeded
#
# Built Artifacts  : .aws-sam\build
# Built Template   : .aws-sam\build\template.yaml
# 
# Commands you can use next
# =========================
# [*] Validate SAM template: sam validate
# [*] Invoke Function: sam local invoke
# [*] Test Function in the Cloud: sam sync --stack-name {{stack-name}} --watch
# [*] Deploy: sam deploy --guided

sam deploy --guided

Web UI

The web UI (HTML, CSS, JS) is hosted on S3. Although HTTP-only, it’s CloudFront-ready for HTTPS and CDN.

File Structure

This is the file structure:

web-ui/
├── index.html          # Main HTML page
├── script.js           # JavaScript functionality
└── styles.css          # CSS styles and responsive design

For any modification, simply update these files and redeploy them to the web UI bucket with the aws s3 sync command.

cd web-ui/

aws s3 sync ./ s3://${WebUIBucket}
# upload: ./styles.css to s3://ats-buddy-web-ui-dev-123456789/styles.css
# upload: ./script.js to s3://ats-buddy-web-ui-dev-123456789/script.js
# upload: ./index.html to s3://ats-buddy-web-ui-dev-123456789/index.html

This is the screenshot of the live demo:

[Screenshot: ATS Buddy static HTML web UI]

In Action

Let’s download our sample John Tan Resume and try it out! For this example, we’ll use this sample Job Description:

Job Title: Software Engineer

Location: Singapore

Job Description:
We are seeking an experienced Software Engineer to join our dynamic team to build robust web and cloud-based applications. The candidate should be passionate about designing scalable systems and delivering high-quality, maintainable code.

Responsibilities:
- Develop, test, and maintain scalable web applications and REST APIs
- Collaborate with cross-functional teams to design and implement new features
- Participate in code reviews and mentor junior engineers
- Troubleshoot, debug, and optimize application performance
- Stay up-to-date with emerging technologies and propose improvements

Requirements:
- Bachelor’s degree in Computer Science, Information Technology, or related field
- 3+ years of experience in software development
- Proficiency in Python, JavaScript (React/Node.js), or Java
- Experience with cloud services (AWS or GCP) and containerization (Docker, Kubernetes)
- Strong knowledge of database systems (SQL/NoSQL)
- Familiarity with DevOps practices and CI/CD pipelines
- Excellent problem-solving and communication skills

Preferred:
- Experience with Agile methodologies
- Open source contributions or personal projects

Apply by sending your resume and cover letter to hr@samplecompany.com.

After clicking on the Analyze button, ATS Buddy will process the resume and generate a report. Here’s what you see:

[Screenshot: ATS Buddy analyzing a resume]

These are the sample analysis results:

[Screenshot: ATS Buddy analysis results]

You may choose to download the report as an HTML or Markdown file. Let’s click the Generate Enhanced Resume button and here you go, a cover letter with the enhanced resume in markdown format!

[Screenshot: ATS Buddy enhanced resume]

Conclusion

The ATS Buddy POC is now complete and demo-ready:

✅ End-to-end resume analysis
✅ Privacy-first design (PII redaction)
✅ AI-powered insights with Bedrock
✅ Smart caching + cost optimization
✅ Fully documented + deployable

🔗 Source Code: https://github.com/seehiong/ats-buddy