In this post, I’ll walk you through how I built ATS Buddy, an AI assistant powered by AWS Bedrock, developed for the AWS AI Agent Global Hackathon.
The inspiration came from a frustration many job seekers share: with over 75% of resumes filtered out by ATS systems before reaching a recruiter, countless qualified candidates are overlooked daily. ATS Buddy addresses this challenge while also tackling a critical concern — the privacy of sensitive resume data.
To solve this, I designed ATS Buddy with a privacy-first architecture, ensuring PII redaction and strict data lifecycle management. The goal was simple: help candidates get noticed while protecting their personal information.
👉 Try the live demo.
Setup
I used KIRO, an AI IDE for rapid prototyping to production. After joining the waitlist and obtaining an invite code, I started building ATS Buddy.
For each specification, KIRO automatically generates requirements.md, design.md, and tasks.md. The updated UI now also shows usage stats conveniently in the corner.

High-Level Architecture
Here’s the high-level architecture diagram of ATS Buddy:

AWS AI/ML Pipeline Architecture
ATS Buddy combines Textract, Comprehend, and Bedrock into a privacy-first AI pipeline:

- Textract → Extract text from PDFs
- Comprehend → Detect & redact PII
- Bedrock (Nova Lite) → AI-driven ATS analysis
- S3/DynamoDB → Storage + caching with lifecycle management
Infrastructure As Code
All infrastructure is defined with AWS SAM (Serverless Application Model). A detailed DEPLOYMENT_GUIDE.md is included in the project repository.
Prerequisites
- Install the AWS CLI.

```bash
aws --version
# aws-cli/2.30.5 Python/3.13.7 Windows/11 exe/AMD64
```

- Configure IAM user access keys following Manage Access Keys for IAM Users:

```bash
aws configure
# AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE
# AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# Default region name [None]:
# Default output format [None]:
```

- Install the AWS SAM CLI for deploying serverless applications via IaC.
Key Components
The ATS Buddy infrastructure is defined using AWS SAM, which extends CloudFormation with serverless-specific syntax. Let me walk you through the critical components that make this application work.
1. Storage Layer: S3 Buckets
- ResumesBucket: Temporary storage, auto-deletes after 24h
- ReportsBucket: Secure report storage with presigned URL access
- WebUIBucket: Hosts the static web app
```yaml
LifecycleConfiguration:
  Rules:
    - Id: DeleteOldResumes
      Status: Enabled
      ExpirationInDays: 1
      NoncurrentVersionExpirationInDays: 1
```
2. Privacy-First Design: PII Redaction Pipeline
This is ATS Buddy’s most innovative feature: resumes are sanitized before processing.
- S3 Access Point → PIIRedaction Lambda (Comprehend) → Object Lambda Access Point
This ensures no raw PII ever reaches downstream functions.
```yaml
PIIRedactionObjectLambdaAccessPoint:
  Type: AWS::S3ObjectLambda::AccessPoint
  Properties:
    Name: !Sub "pii-redacted-resumes-${Environment}"
    ObjectLambdaConfiguration:
      SupportingAccessPoint: !Sub "${ResumesBucketAccessPoint.Arn}"
      TransformationConfigurations:
        - Actions:
            - GetObject
          ContentTransformation:
            AwsLambda:
              FunctionArn: !GetAtt PIIRedactionFunction.Arn
```
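
What a transformation function behind this access point has to get right, as an added example (not the project's own code): turn the character offsets that Comprehend's DetectPiiEntities returns into a redacted string, and fail closed if anything goes wrong. The `handler` wiring, the `MIN_SCORE` threshold and the assumption that the object is UTF-8 text are assumptions; the sample text and entities are constructed.

```python
# Added example, not the project's code. Sample data below is constructed.
MIN_SCORE = 0.5  # assumed confidence threshold

SAMPLE_TEXT = "John Tan, john.tan@example.com, +65 6123 4567"
SAMPLE_ENTITIES = [  # shaped like the "Entities" list DetectPiiEntities returns
    {"Type": "NAME", "Score": 0.99, "BeginOffset": 0, "EndOffset": 8},
    {"Type": "EMAIL", "Score": 0.99, "BeginOffset": 10, "EndOffset": 30},
    {"Type": "PHONE", "Score": 0.98, "BeginOffset": 32, "EndOffset": 45},
    {"Type": "PHONE", "Score": 0.70, "BeginOffset": 36, "EndOffset": 45},  # overlap
    {"Type": "DATE_TIME", "Score": 0.20, "BeginOffset": 36, "EndOffset": 40},  # low score
]

def merge_spans(entities, min_score=MIN_SCORE):
    """Drop low-confidence hits, then merge overlapping character spans."""
    spans = sorted((e["BeginOffset"], e["EndOffset"], e["Type"])
                   for e in entities if e["Score"] >= min_score)
    merged = []
    for begin, end, kind in spans:
        if merged and begin < merged[-1][1]:  # overlaps the previous span
            prev = merged[-1]
            merged[-1] = (prev[0], max(prev[1], end), prev[2])
        else:
            merged.append((begin, end, kind))
    return merged

def redact(text, entities, min_score=MIN_SCORE):
    """Replace spans with [TYPE], right to left so earlier offsets stay valid."""
    for begin, end, kind in reversed(merge_spans(entities, min_score)):
        text = text[:begin] + f"[{kind}]" + text[end:]
    return text

def handler(event, context):
    """Hypothetical S3 Object Lambda entry point; assumes a UTF-8 text object."""
    import urllib.request
    import boto3  # imported here so redact() can be run offline
    ctx = event["getObjectContext"]
    reply = {"RequestRoute": ctx["outputRoute"], "RequestToken": ctx["outputToken"]}
    try:
        raw = urllib.request.urlopen(ctx["inputS3Url"]).read().decode("utf-8")
        found = boto3.client("comprehend").detect_pii_entities(
            Text=raw, LanguageCode="en")
        reply.update(Body=redact(raw, found["Entities"]).encode("utf-8"), StatusCode=200)
    except Exception:
        # Fail closed: on any error return an error, never the raw object.
        reply.update(StatusCode=500, ErrorCode="RedactionFailed",
                     ErrorMessage="PII redaction failed")
    boto3.client("s3").write_get_object_response(**reply)
    return {"statusCode": 200}
```

DetectPiiEntities has a per-request text size limit, so long documents need to be split into chunks with the offsets shifted back before calling `redact`.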

3. Processing Layer: Lambda Functions
This is the heart of ATS Buddy. It orchestrates the entire workflow:
- Upload via API Gateway
- Extract text with Textract
- Read redacted data only
- Analyze with Bedrock (Nova Lite)
- Generate ATS reports

The function is configured with 512MB memory and a 5-minute timeout to handle large resumes and complex AI processing.
```yaml
Environment:
  Variables:
    RESUMES_BUCKET: !Ref ResumesBucket
    REPORTS_BUCKET: !Ref ReportsBucket
    RESUME_CACHE_TABLE: !Ref ResumeCacheTable
    PII_REDACTED_ACCESS_POINT: !GetAtt PIIRedactionObjectLambdaAccessPoint.Arn
```

4. Caching Layer: DynamoDB
Resumes are hashed and cached for 24h using TTL, reducing costs and re-processing.
```yaml
ResumeCacheTable:
  Type: AWS::DynamoDB::Table
  Properties:
    TableName: !Sub "ats-buddy-resume-cache-${Environment}"
    BillingMode: PAY_PER_REQUEST
    TimeToLiveSpecification:
      AttributeName: ttl
      Enabled: true
```
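
An added example (not the project's own code) of how a 24h cache entry can be written and read against this table. DynamoDB deletes expired items in the background rather than at the exact expiry time, so an expired item can still be returned by a read; the reader has to check `ttl` itself. The `resume_hash` and `analysis` attribute names are assumptions; only `ttl` comes from the template.

```python
# Added example, not the project's code; attribute names other than "ttl" are assumed.
import hashlib

CACHE_TTL_SECONDS = 24 * 60 * 60  # the 24h window stated in the post

def cache_key(resume_bytes: bytes) -> str:
    """Content-addressed key: the same resume bytes always map to the same item."""
    return hashlib.sha256(resume_bytes).hexdigest()

def new_item(key: str, analysis: dict, now: int) -> dict:
    """Item to store; 'ttl' must be a Number holding the expiry in epoch seconds."""
    return {"resume_hash": key, "analysis": analysis, "ttl": now + CACHE_TTL_SECONDS}

def read_fresh(item, now: int):
    """Return the cached analysis, or None for a miss or a logically expired item.

    An item past its 'ttl' may still exist in the table until the background
    delete runs, so expiry is enforced here as well as by the table setting.
    """
    if item is None or int(item["ttl"]) <= now:
        return None
    return item["analysis"]

def demo():
    """Constructed walk-through: hit inside the window, miss once it has passed."""
    now = 1_700_000_000  # constructed timestamp
    item = new_item(cache_key(b"%PDF-1.7 constructed resume"), {"score": 72}, now)
    hit = read_fresh(item, now + CACHE_TTL_SECONDS - 1)
    stale = read_fresh(item, now + CACHE_TTL_SECONDS)
    return item["ttl"], hit, stale

if __name__ == "__main__":
    print(demo())
```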

5. API Layer: API Gateway
RESTful endpoints power the web UI with CORS support.
- POST /analyze: Upload and analyze a resume
- POST /enhance: Generate an enhanced version based on analysis
- OPTIONS endpoints: Handle CORS preflight requests
```yaml
Cors:
  AllowMethods: "'GET,POST,PUT,DELETE,OPTIONS'"
  AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Requested-With'"
  AllowOrigin: "'*'"
```

6. Security and IAM
Each Lambda function follows a least-privilege policy, tightly scoped to its role (e.g., the redaction function cannot access DynamoDB).
- ATSBuddyLambdaRole: Grants access to S3 (both regular and Object Lambda access points), Textract for document processing, Bedrock for AI analysis, and DynamoDB for caching.
- PIIRedactionLambdaRole: Limited to only S3 Object Lambda operations and Amazon Comprehend for PII detection. This function can’t access any other AWS resources, minimizing the attack surface.
```yaml
Policies:
  - PolicyName: ComprehendAccess
    PolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action:
            - comprehend:DetectPiiEntities
            - comprehend:ContainsPiiEntities
          Resource: "*"
```
Deployment
Deploy with:
```bash
cd infra
sam validate
# template.yaml is a valid SAM Template
sam build
# Build Succeeded
#
# Built Artifacts : .aws-sam\build
# Built Template : .aws-sam\build\template.yaml
#
# Commands you can use next
# =========================
# [*] Validate SAM template: sam validate
# [*] Invoke Function: sam local invoke
# [*] Test Function in the Cloud: sam sync --stack-name {{stack-name}} --watch
# [*] Deploy: sam deploy --guided
sam deploy --guided
```

Web UI
The web UI (HTML, CSS, JS) is hosted on S3. It is currently served over HTTP only, but it is CloudFront-ready for HTTPS and CDN delivery.
File Structure
This is the file structure:
```text
web-ui/
├── index.html    # Main HTML page
├── script.js     # JavaScript functionality
└── styles.css    # CSS styles and responsive design
```

For any modification, simply update these files and redeploy the web UI bucket with the s3 sync command:

```bash
cd web-ui/
aws s3 sync ./ s3://${WebUIBucket}
# upload: ./styles.css to s3://ats-buddy-web-ui-dev-123456789/styles.css
# upload: ./script.js to s3://ats-buddy-web-ui-dev-123456789/script.js
# upload: ./index.html to s3://ats-buddy-web-ui-dev-123456789/index.html
```
This is the screenshot of the live demo:

In Action
Let’s download our sample John Tan Resume and try it out! For this example, we’ll use this sample Job Description:
Job Title: Software Engineer
Location: Singapore
Job Description:
We are seeking an experienced Software Engineer to join our dynamic team to build robust web and cloud-based applications. The candidate should be passionate about designing scalable systems and delivering high-quality, maintainable code.
Responsibilities:
- Develop, test, and maintain scalable web applications and REST APIs
- Collaborate with cross-functional teams to design and implement new features
- Participate in code reviews and mentor junior engineers
- Troubleshoot, debug, and optimize application performance
- Stay up-to-date with emerging technologies and propose improvements
Requirements:
- Bachelor’s degree in Computer Science, Information Technology, or related field
- 3+ years of experience in software development
- Proficiency in Python, JavaScript (React/Node.js), or Java
- Experience with cloud services (AWS or GCP) and containerization (Docker, Kubernetes)
- Strong knowledge of database systems (SQL/NoSQL)
- Familiarity with DevOps practices and CI/CD pipelines
- Excellent problem-solving and communication skills
Preferred:
- Experience with Agile methodologies
- Open source contributions or personal projects
Apply by sending your resume and cover letter to hr@samplecompany.com.
After clicking on the Analyze button, ATS Buddy will process the resume and generate a report. Here’s what you see:

These are the sample analysis results:

You may choose to download the report as HTML or Markdown. Let’s click on the Generate Enhanced Resume button and here you go, a cover letter with the enhanced resume in Markdown format!

Conclusion
The ATS Buddy POC is now complete and demo-ready:
✅ End-to-end resume analysis
✅ Privacy-first design (PII redaction)
✅ AI-powered insights with Bedrock
✅ Smart caching + cost optimization
✅ Fully documented + deployable
🔗 Source Code: https://github.com/seehiong/ats-buddy