控制對 Amazon Bedrock Marketplace 模型的存取 - Amazon Bedrock

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

控制對 Amazon Bedrock Marketplace 模型的存取

您可以使用 Amazon Bedrock 完整存取政策,為 SageMaker AI 提供許可。若要防止使用者存取特定 Bedrock Marketplace 模型,同時維持對所有其他模型的存取,請使用拒絕政策。下列政策示範如何拒絕存取特定模型。

拒絕存取特定模型:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MarketplaceModelDeny",
            "Effect": "Deny",
            "Action": [
                "sagemaker:*",
                "bedrock:*"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*",
                "arn:aws:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/sagemaker-studio:hub-content-arn": "arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/<model-id-to-deny>/*"
                }
            }
        }
    ]
}
重要

此政策明確拒絕存取指定的模型,同時允許存取所有其他 Bedrock Marketplace 模型 (假設具有其他必要的許可。

僅允許存取特定模型

若要限制使用者僅存取特定的 Bedrock Marketplace 模型,請使用允許政策搭配明確的模型規格。下列政策示範如何僅允許存取特定模型:

JSON
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MarketplaceModelAllow",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateModel",
                "sagemaker:DeleteEndpoint",
                "sagemaker:UpdateEndpoint"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*",
                "arn:aws:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "bedrock.amazonaws.com",
                    "aws:ResourceTag/sagemaker-sdk:bedrock": "compatible"
                },
                "StringLike": {
                    "aws:ResourceTag/sagemaker-studio:hub-content-arn": "arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/<model-id-to-allow>/*"
                }
            }
        },
        {
            "Sid": "BedrockEndpointTaggingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags",
                "sagemaker:DeleteTags"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*",
                "arn:aws:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/sagemaker-studio:hub-content-arn": "arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/<model-id-to-allow>/*"
                }
            }
        }
    ]
}

此政策僅允許存取指定的模型,並拒絕存取所有其他模型。如果將您的政策從 基礎建立AmazonBedrockFullAccess,這應該取代 MarketplaceModelEndpointMutatingAPIsBedrockEndpointTaggingOperations陳述式。