Set up permissions to use guardrails
To set up a role with permissions for guardrails, create an IAM role and attach the following permissions by following the steps at Creating a role to delegate permissions to an AWS service.
If you are using guardrails with an agent, attach the permissions to a service role with permissions to create and manage agents. You can set up this role in the console or create a custom role by following the steps at Create a service role for Agents for Amazon Bedrock.
-
Permissions to invoke guardrails with foundation models
-
Permissions to create and manage guardrails
-
(Optional) Permissions to decrypt your customer-managed AWS KMS key for the guardrail
Permissions to create and manage guardrails
Append the following statement to the Statement field in the policy
for your role to use guardrails.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateAndManageGuardrails", "Effect": "Allow", "Action": [ "bedrock:CreateGuardrail", "bedrock:CreateGuardrailVersion", "bedrock:DeleteGuardrail", "bedrock:GetGuardrail", "bedrock:ListGuardrails", "bedrock:UpdateGuardrail" ], "Resource": "*" } ] }
Permissions to invoke guardrails
Append the following statement to the Statement field in the policy
for the role to allow for model inference and to invoke guardrails.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "InvokeFoundationModel", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": [ "arn:aws:bedrock:region::foundation-model/*" ] }, { "Sid": "ApplyGuardrail", "Effect": "Allow", "Action": [ "bedrock:ApplyGuardrail" ], "Resource": [ "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" ] } ] }
(Optional) Create a customer managed key for your guardrail
Any user with CreateKey permissions can create customer managed keys using either the AWS Key Management Service (AWS KMS) console or the CreateKey operation. Make sure to create a symmetric encryption key. After you create your key, set up the following permissions.
-
Follow the steps at Creating a key policy to create a resource-based policy for your KMS key. Add the following policy statements to grant permissions to guardrails users and guardrails creators. Replace each
rolewith the role that you want to allow to carry out the specified actions.{ "Version": "2012-10-17", "Id": "KMS Key Policy", "Statement": [ { "Sid": "PermissionsForGuardrailsCreators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account-id:user/role" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant" ], "Resource": "*" }, { "Sid": "PermissionsForGuardrailsUusers", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account-id:user/role" }, "Action": "kms:Decrypt", "Resource": "*" } } -
Attach the following identity-based policy to a role to allow it to create and manage guardrails. Replace the
key-idwith the ID of the KMS key that you created.{ "Version": "2012-10-17", "Statement": [ { "Sid": "Allow role to create and manage guardrails", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey" "kms:CreateGrant" ], "Resource": "arn:aws:kms:region:account-id:key/key-id" } ] } -
Attach the following identity-based policy to a role to allow it to use the guardrail you encrypted during model inference or while invoking an agent. Replace the
key-idwith the ID of the KMS key that you created.{ "Version": "2012-10-17", "Statement": [ { "Sid": "Allow role to use an encrypted guardrail during model inference", "Effect": "Allow", "Action": [ "kms:Decrypt", ], "Resource": "arn:aws:kms:region:account-id:key/key-id" } ] }
