本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
亚马逊 Bedrock Studio 基于身份的策略示例
以下是 Amazon Bedrock Studio 的示例政策。
管理工作空间
要创建和管理 Amazon Bedrock Studio 工作空间以及管理工作空间成员,您需要以下IAM权限。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "datazone:CreateDomain", "datazone:ListDomains", "datazone:GetDomain", "datazone:UpdateDomain", "datazone:ListProjects", "datazone:ListTagsForResource", "datazone:UntagResource", "datazone:TagResource", "datazone:SearchUserProfiles", "datazone:SearchGroupProfiles", "datazone:UpdateGroupProfile", "datazone:UpdateUserProfile", "datazone:CreateUserProfile", "datazone:CreateGroupProfile", "datazone:PutEnvironmentBlueprintConfiguration", "datazone:ListEnvironmentBlueprints", "datazone:ListEnvironmentBlueprintConfigurations", "datazone:DeleteDomain" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:passedToService": "datazone.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:CreateGrant", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncrypt*", "kms:RetireGrant" ], "Resource": "kms key for domain" }, { "Effect": "Allow", "Action": [ "kms:ListKeys", "kms:ListAliases" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:ListRoles", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:GetPolicyVersion" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sso:DescribeRegisteredRegions", "sso:ListProfiles", "sso:AssociateProfile", "sso:DisassociateProfile", "sso:GetProfile", "sso:ListInstances", "sso:CreateApplication", "sso:DeleteApplication", "sso:PutApplicationAssignmentConfiguration", "sso:PutApplicationGrant", "sso:PutApplicationAuthenticationMethod" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "bedrock:ListFoundationModels", "bedrock:ListProvisionedModelThroughputs", "bedrock:ListModelCustomizationJobs", "bedrock:ListCustomModels", "bedrock:ListTagsForResource", "bedrock:ListGuardrails", "bedrock:ListAgents", "bedrock:ListKnowledgeBases", "bedrock:GetFoundationModelAvailability" ], "Resource": "*" } ] }
权限边界
此策略是权限边界。权限边界设置基于身份的策略可以向委托人授予的最大权限。IAM您不应自行使用和附加 Amazon Bedrock Studio 权限边界策略。Amazon Bedrock Studio 权限边界策略只能附加到亚马逊 Bedrock Studio 托管的角色。有关权限边界的更多信息,请参阅《IAM用户指南》中的IAM实体的权限边界。
当您创建 Amazon Bedrock Studio 项目、应用程序和组件时,Amazon Bedrock Studio 会将此权限边界应用于创建这些资源时生成的IAM角色。
Amazon Bedrock Studio 使用AmazonDataZoneBedrockPermissionsBoundary托管策略来限制其所关联的预配置IAM委托人的权限。委托人可以采取亚马逊 DataZone 可以代表 Amazon Bedrock Studio 用户担任的用户角色的形式,然后执行诸如读取和写入 Amazon S3 对象或调用 Amazon Bedrock 代理之类的操作。
该AmazonDataZoneBedrockPermissionsBoundary政策授予亚马逊 Bedrock Studio 对亚马逊 S3、Amazon Bedrock、Amazon S OpenSearch erverless 等服务的读写权限。 AWS Lambda该策略还向使用这些服务所需的某些基础设施资源授予读写权限,例如 Secr AWS ets Manager 密钥、Amazon CloudWatch 日志组和 AWS KMS
密钥。
此策略由以下几组权限组成。
s3— 允许对由 Amazon Bedrock Studio 管理的 Amazon S3 存储桶中的对象进行读写权限。bedrock— 允许使用由 Amazon Bedrock Studio 管理的 Amazon Bedrock 代理、知识库和护栏。aoss— 允许API访问由亚马逊 OpenSearch Bedrock Studio 管理的亚马逊无服务器馆藏。lambda— 允许调用由 Amazon B AWS edrock Studio 管理的 Lambda 函数。secretsmanager— 允许读取和写入由 Amazon Bedrock Studio 管理的 Secrets Manager 机密。AWSlogs— 提供对由亚马逊 Bedrock Studio 管理的亚马逊 CloudWatch 日志的写入权限。kms— 授予使用AWSKMS密钥加密亚马逊 Bedrock Studio 数据的权限。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AccessS3Buckets", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListBucketVersions", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion" ], "Resource": "arn:aws:s3:::br-studio-${aws:PrincipalAccount}-*", "Condition": { "StringEquals": { "s3:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AccessOssCollections", "Effect": "Allow", "Action": "aoss:APIAccessAll", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "InvokeBedrockModels", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream", "bedrock:RetrieveAndGenerate" ], "Resource": "*" }, { "Sid": "AccessBedrockResources", "Effect": "Allow", "Action": [ "bedrock:InvokeAgent", "bedrock:Retrieve", "bedrock:StartIngestionJob", "bedrock:GetIngestionJob", "bedrock:ListIngestionJobs", "bedrock:ApplyGuardrail", "bedrock:ListPrompts", "bedrock:GetPrompt", "bedrock:CreatePrompt", "bedrock:DeletePrompt", "bedrock:CreatePromptVersion", "bedrock:InvokeFlow", "bedrock:ListTagsForResource", "bedrock:TagResource", "bedrock:UntagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "InvokeBedrockFlows", "Effect": "Allow", "Action": "bedrock:InvokeFlow", "Resource": "arn:aws:bedrock:*:*:flow/*/alias/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "WriteLogs", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "InvokeLambdaFunctions", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:*:*:function:br-studio-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "AccessSecretsManagerSecrets", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:br-studio/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "UseCustomerManagedKmsKey", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/EnableBedrock": "true" } } } ] }
