Amazon Bedrock in SageMaker Unified Studio KMS Permissions - Amazon SageMaker Unified Studio

  • KMS key policy — Amazon DataZone domain key and Tooling blueprint key: manually set the following key policy on both the domain key and the Tooling blueprint key.

  • AmazonSageMakerDomainExecution role — inline policy: in the IAM console, manually attach the following inline policy to the AmazonSageMakerDomainExecution role (or to whichever role is used as the domain execution role).

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "KmsDescribeKeyPermissions",
          "Effect": "Allow",
          "Action": "kms:DescribeKey",
          "Resource": "arn:aws:kms:us-east-1:111122223333:key/dzd-12345"
        },
        {
          "Sid": "KmsPermissions",
          "Effect": "Allow",
          "Action": [
            "kms:CreateGrant",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": "arn:aws:kms:us-east-1:111122223333:key/dzd-12345",
          "Condition": {
            "StringLike": {
              "kms:EncryptionContext:aws:datazone:domainId": "dzd*"
            }
          }
        }
      ]
    }

  • AmazonSageMakerProvisioning-<domainAccountId> role — inline policy: in the IAM console, manually attach the following inline policy to the AmazonSageMakerProvisioning-<domainAccountId> role (or to whichever role is used as the provisioning role).

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "KmsDescribeKeyPermissions",
          "Effect": "Allow",
          "Action": "kms:DescribeKey",
          "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
        },
        {
          "Sid": "ToolingBlueprintS3BucketKmsPermissions",
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
          "Condition": {
            "StringLike": {
              "kms:ViaService": "s3.*.amazonaws.com"
            }
          }
        },
        {
          "Sid": "LambdaFunctionKmsPermissions",
          "Effect": "Allow",
          "Action": [
            "kms:CreateGrant",
            "kms:Decrypt",
            "kms:Encrypt"
          ],
          "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
          "Condition": {
            "StringLike": {
              "kms:ViaService": "lambda.*.amazonaws.com"
            },
            "ArnLike": {
              "kms:EncryptionContext:aws:lambda:FunctionArn": "arn:aws:lambda:*:*:function:amazon-bedrock*"
            }
          }
        },
        {
          "Sid": "SecretsManagerKmsPermissions",
          "Effect": "Allow",
          "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
          "Condition": {
            "StringLike": {
              "kms:ViaService": "secretsmanager.*.amazonaws.com"
            },
            "ArnLike": {
              "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:*:*:secret:amazon-bedrock*"
            }
          }
        },
        {
          "Sid": "BedrockKmsPermissions",
          "Effect": "Allow",
          "Action": [
            "kms:CreateGrant",
            "kms:Decrypt",
            "kms:GenerateDataKey"
          ],
          "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
          "Condition": {
            "StringLike": {
              "kms:ViaService": "bedrock.*.amazonaws.com"
            },
            "ForAnyValue:StringLike": {
              "kms:EncryptionContextKeys": "aws:bedrock*:arn"
            }
          }
        }
      ]
    }
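Every statement above that grants key-material operations (Decrypt, Encrypt, GenerateDataKey, CreateGrant) is pinned to one key ARN and scoped by a kms:ViaService or kms:EncryptionContext condition; it is those two properties that keep the roles from using the key on behalf of arbitrary callers. The following added linter (not AWS code; the policy document is the domain execution role policy from this page, and the "drifted" variant is a constructed sample) checks a policy for exactly those properties so the check can run in a pipeline before the inline policy is attached:

```python
import json

# Inline policy for the domain execution role, as shown on this page (example key ARN).
DOMAIN_EXECUTION_POLICY = json.loads("""
{ "Version":"2012-10-17", "Statement": [
  { "Sid": "KmsDescribeKeyPermissions", "Effect": "Allow", "Action": "kms:DescribeKey",
    "Resource": "arn:aws:kms:us-east-1:111122223333:key/dzd-12345" },
  { "Sid": "KmsPermissions", "Effect": "Allow",
    "Action": [ "kms:CreateGrant", "kms:Decrypt", "kms:GenerateDataKey" ],
    "Resource": "arn:aws:kms:us-east-1:111122223333:key/dzd-12345",
    "Condition": { "StringLike": { "kms:EncryptionContext:aws:datazone:domainId": "dzd*" } } } ] }
""")

# Constructed "drifted" variant: a wildcard Resource and a dropped Condition, the two edits
# that turn a key-and-domain-scoped grant into access to any key for any caller.
DRIFTED_POLICY = json.loads(json.dumps(DOMAIN_EXECUTION_POLICY))
DRIFTED_POLICY["Statement"][1]["Resource"] = "*"
del DRIFTED_POLICY["Statement"][1]["Condition"]

# Actions that use key material; each should be scoped by one of these condition keys.
CRYPTO_ACTIONS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:CreateGrant"}
SCOPING_KEYS = ("kms:ViaService", "kms:EncryptionContext:", "kms:EncryptionContextKeys")

def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _has_scoping_condition(stmt):
    # Condition is {operator: {condition_key: value}}; any scoping key in any operator counts.
    for operator_block in stmt.get("Condition", {}).values():
        if any(key.startswith(SCOPING_KEYS) for key in operator_block):
            return True
    return False

def lint_kms_policy(policy, expected_key_arn):
    """Return findings as strings; an empty list means the policy follows the pattern on this page."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action")))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith("/*"):
                findings.append(f"{sid}: wildcard Resource {resource!r}")
            elif resource != expected_key_arn:
                findings.append(f"{sid}: Resource {resource} is not the expected key")
        if "kms:*" in actions:
            findings.append(f"{sid}: Action kms:* grants every key operation")
        if actions & CRYPTO_ACTIONS and not _has_scoping_condition(stmt):
            findings.append(f"{sid}: {sorted(actions & CRYPTO_ACTIONS)} not scoped by kms:ViaService or kms:EncryptionContext")
    return findings

if __name__ == "__main__":
    key = "arn:aws:kms:us-east-1:111122223333:key/dzd-12345"
    print(lint_kms_policy(DOMAIN_EXECUTION_POLICY, key))   # [] : matches the page's pattern
    print(*lint_kms_policy(DRIFTED_POLICY, key), sep="\n")  # two findings for the drifted copy
```

The provisioning role policy above passes the same check, since each of its crypto statements carries kms:ViaService plus an EncryptionContext key; kms:DescribeKey alone is deliberately not flagged when unconditioned.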