Prerequisites for prompt management - Amazon Bedrock

Prerequisites for prompt management

For a role to use prompt management, you need to allow it to perform a certain set of API actions. Review the following prerequisites and fulfill the ones that apply to your use case:

  1. If your role has the AmazonBedrockFullAccess AWS managed policy attached, you can skip this section. Otherwise, follow the steps at Update the permissions policy for a role and attach the following policy to a role to provide permissions to perform actions related to Prompt management:

    { "Version": "2012-10-17", "Statement": [ { "Sid": "PromptManagementPermissions", "Effect": "Allow", "Action": [ "bedrock:CreatePrompt", "bedrock:UpdatePrompt", "bedrock:GetPrompt", "bedrock:ListPrompts", "bedrock:DeletePrompt", "bedrock:CreatePromptVersion", "bedrock:OptimizePrompt", "bedrock:GetFoundationModel", "bedrock:ListFoundationModels", "bedrock:GetInferenceProfile", "bedrock:ListInferenceProfiles", "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream", "bedrock:RenderPrompt", "bedrock:TagResource", "bedrock:UntagResource", "bedrock:ListTagsForResource" ], "Resource": * } ] }

    To further restrict permissions, you can omit actions, or you can specify resources and condition keys by which to filter permissions. For more information about actions, resources, and condition keys, see the following topics in the Service Authorization Reference:

    Note
  2. If you plan to encrypt your prompt with a customer managed key rather than using an AWS managed key (for more information, see AWS KMS keys), create the following policies:

    1. Follow the steps at Creating a key policy and attach the following key policy to a KMS key to allow Amazon Bedrock encrypt and decrypt a prompt with the key, replacing the values as necessary. The policy contains optional condition keys (see Condition keys for Amazon Bedrock and AWS global condition context keys) in the Condition field that we recommend you use as a security best practice.

      { "Sid": "EncryptFlowKMS", "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:bedrock-prompts:arn": "arn:${partition}:bedrock:${region}:${account-id}:prompt/${prompt-id}" } } }
    2. Follow the steps at Update the permissions policy for a role and attach the following policy to the prompt management role, replacing the values as necessary, to allow it to generate and decrypt the customer managed key for a prompt. The policy contains optional condition keys (see Condition keys for Amazon Bedrock and AWS global condition context keys) in the Condition field that we recommend you use as a security best practice.

      { "Sid": "KMSPermissions", "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": [ "arn:aws:kms:${region}:${account-id}:key/${key-id}" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${account-id}" } } }