Protect model customization jobs using a VPC - Amazon Bedrock

Protect model customization jobs using a VPC

When you run a model customization job, the job accesses your Amazon S3 bucket to download the input data and to upload job metrics. To control access to your data, we recommend that you use a virtual private cloud (VPC) with Amazon VPC. You can further protect your data by configuring your VPC so that your data isn't available over the internet and instead creating a VPC interface endpoint with AWS PrivateLink to establish a private connection to your data. For more information about how Amazon VPC and AWS PrivateLink integrate with Amazon Bedrock, see Protect your data using Amazon VPC and AWS PrivateLink.

Carry out the following steps to configure and use a VPC for the training, validation, and output data for your model customization jobs.

Set up a VPC

You can use a default VPC for your model customization data or create a new VPC by following the guidance at Get started with Amazon VPC and Create a VPC.

When you create your VPC, we recommend that you use the default DNS settings for your endpoint route table, so that standard Amazon S3 URLs (for example, resolve.

Create an Amazon S3 VPC Endpoint

If you configure your VPC with no internet access, you need to create an Amazon S3 VPC endpoint to allow your model customization jobs to access the S3 buckets that store your training and validation data and that will store the model artifacts.

Create the S3 VPC endpoint by following the steps at Create a gateway endpoint for Amazon S3.


If you don't use the default DNS settings for your VPC, you need to ensure that the URLs for the locations of the data in your training jobs resolve by configuring the endpoint route tables. For information about VPC endpoint route tables, see Routing for Gateway endpoints.

(Optional) Use IAM policies to restrict access to your S3 files

You can use resource-based policies to more tightly control access to your S3 files. You can use any combination of the following types of resource-based policies.

  • Endpoint policies – Endpoint policies restrict access through the VPC endpoint. The default endpoint policy allows full access to Amazon S3 for any user or service in your VPC. While creating or after you create the endpoint, you can optionally attach a resource-based policy to the endpoint to add restrictions, such as only allowing the endpoint to access a specific bucket or only allowing a specific IAM role to access the endpoint. For examples, see Edit the VPC endpoint policy.

    The following is an example policy you can attach to your VPC endpoint to only allow it to access the bucket containing your training data.

    { "Version": "2012-10-17", "Statement": [ { "Sid": "RestrictAccessToTrainingBucket", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::training-bucket", "arn:aws:s3:::training-bucket/*" ] } ] }
  • Bucket policies – Bucket policies restrict access to S3 buckets. You can use a bucket policy to restrict access to traffic that comes from your VPC. To attach a bucket policy, follow the steps at Using bucket policies and use the aws:sourceVpc, aws:sourceVpce, or aws:VpcSourceIp condition keys. For examples, see Control access using bucket policies.

    The following is an example policy you can attach to the S3 bucket that will contain your output data to deny all traffic to the bucket unless it comes from your VPC.

    { "Version": "2012-10-17", "Statement": [{ "Sid": "RestrictAccessToOutputBucket", "Effect": "Deny", "Principal": "*", "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::output-bucket", "arn:aws:s3:::output-bucket/*" ], "Condition": { "StringNotEquals": { "aws:sourceVpc": "your-vpc-id" } } } ] }

Attach VPC permissions to a model customization role

After you finish setting up your VPC and endpoint, you need to attach the following permissions to your model customization IAM role. Modify this policy to allow access to only the VPC resources that your job needs. Replace the subnet-ids and security-group-id with the values from your VPC.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeNetworkInterfaces", "ec2:DescribeVpcs", "ec2:DescribeDhcpOptions", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", ], "Resource":[ "arn:aws:ec2:region:account-id:network-interface/*" ], "Condition": { "StringEquals": { "aws:RequestTag/BedrockManaged": ["true"] }, "ArnEquals": { "aws:RequestTag/BedrockModelCustomizationJobArn": ["arn:aws:bedrock:region:account-id:model-customization-job/*"] } } }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterface", ], "Resource":[ "arn:aws:ec2:region:account-id:subnet/subnet-id", "arn:aws:ec2:region:account-id:subnet/subnet-id2", "arn:aws:ec2:region:account-id:security-group/security-group-id" ] }, { "Effect": "Allow", "Action": [ "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterface", "ec2:DeleteNetworkInterfacePermission", ], "Resource": "*", "Condition": { "ArnEquals": { "ec2:Subnet": [ "arn:aws:ec2:region:account-id:subnet/subnet-id", "arn:aws:ec2:region:account-id:subnet/subnet-id2" ], "ec2:ResourceTag/BedrockModelCustomizationJobArn": ["arn:aws:bedrock:region:account-id:model-customization-job/*"] }, "StringEquals": { "ec2:ResourceTag/BedrockManaged": "true" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws:ec2:region:account-id:network-interface/*", "Condition": { "StringEquals": { "ec2:CreateAction": [ "CreateNetworkInterface" ] }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "BedrockManaged", "BedrockModelCustomizationJobArn" ] } } ] }

Add the VPC configuration when submitting a model customization job

After you configure the VPC and the required roles and permissions as described in the previous sections, you can create a model customization job that uses this VPC.

When you specify the VPC subnets and security groups for a job, Amazon Bedrock creates elastic network interfaces (ENIs) that are associated with your security groups in one of the subnets. ENIs allow the Amazon Bedrock job to connect to resources in your VPC. For information about ENIs, see Elastic Network Interfaces in the Amazon VPC User Guide. Amazon Bedrock tags ENIs that it creates with BedrockManaged and BedrockModelCusomizationJobArn tags.

We recommend that you provide at least one subnet in each Availability Zone.

You can use security groups to establish rules for controlling Amazon Bedrock access to your VPC resources.

You can configure the VPC to use in either the console or through the API. Select the tab corresponding to your method of choice and follow the steps.


For the Amazon Bedrock console, you specify VPC subnets and security groups in the optional VPC settings section when you create the model customization job. For more information about configuring jobs, see Submit a model customization job.


For a job that includes VPC configuration, the console can't automatically create a service role for you. Follow the guidance at Create a service role for model customization to create a custom role.


When you submit a CreateModelCustomizationJob request, you can include a VpcConfig as a request parameter to specify the VPC subnets and security groups to use, as in the following example.

"VpcConfig": { "SecurityGroupIds": [ "sg-0123456789abcdef0" ], "Subnets": [ "subnet-0123456789abcdef0", "subnet-0123456789abcdef1", "subnet-0123456789abcdef2" ] }