After you've created a knowledge base, you might have to set up the following security configurations:
Topics
Set up data access policies for your knowledge base
If you're using a custom role, set up security configurations for your newly created knowledge base. If you let Amazon Bedrock create a service role for you, you can skip this step. Follow the steps in the tab corresponding to the database that you set up.
To restrict access to the Amazon OpenSearch Serverless collection to the knowledge base service role, create a data access policy. You can do so in the following ways:
-
Use the Amazon OpenSearch Service console by following the steps at Creating data access policies (console) in the Amazon OpenSearch Service Developer Guide.
-
Use the AWS API by sending a CreateAccessPolicy request with an OpenSearch Serverless endpoint. For an AWS CLI example, see Creating data access policies (AWS CLI).
Use the following data access policy, specifying the Amazon OpenSearch Serverless collection and your service role:
[
{
"Description": "${data access policy description}
",
"Rules": [
{
"Resource": [
"index/${collection_name}
/*"
],
"Permission": [
"aoss:DescribeIndex",
"aoss:ReadDocument",
"aoss:WriteDocument"
],
"ResourceType": "index"
}
],
"Principal": [
"arn:aws:iam::${account-id}
:role/${kb-service-role}
"
]
}
]
Set up network access policies for your Amazon OpenSearch Serverless knowledge base
If you use a private Amazon OpenSearch Serverless collection for your knowledge base, it can only be accessed through an AWS PrivateLink VPC endpoint. You can create a private Amazon OpenSearch Serverless collection when you set up your Amazon OpenSearch Serverless vector collection or you can make an existing Amazon OpenSearch Serverless collection (including one that the Amazon Bedrock console created for you) private when you configure its network access policy.
The following resources in the Amazon OpenSearch Service Developer Guide will help you understand the setup required for a private Amazon OpenSearch Serverless collections:
-
For more information about setting up a VPC endpoint for a private Amazon OpenSearch Serverless collection, see Access Amazon OpenSearch Serverless using an interface endpoint (AWS PrivateLink).
-
For more information about network access policies in Amazon OpenSearch Serverless, see Network access for Amazon OpenSearch Serverless.
To allow an Amazon Bedrock knowledge base to access a private Amazon OpenSearch Serverless collection, you must edit the network access policy for the Amazon OpenSearch Serverless collection to allow Amazon Bedrock as a source service. Choose the tab for your preferred method, and then follow the steps:
-
Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/
. -
From the left navigation pane, select Collections. Then choose your collection.
-
In the Network section, select the Associated Policy.
-
Choose Edit.
-
For Select policy definition method, do one of the following:
-
Leave Select policy definition method as Visual editor and configure the following settings in the Rule 1 section:
-
(Optional) In the Rule name field, enter a name for the network access rule.
-
Under Access collections from, select Private (recommended).
-
Select AWS service private access. In the text box, enter
bedrock.amazonaws.com
. -
Unselect Enable access to OpenSearch Dashboards.
-
-
Choose JSON and paste the following policy in the JSON editor.
[ { "AllowFromPublic": false, "Description":"
${network access policy description}
", "Rules":[ { "ResourceType": "collection", "Resource":[ "collection/${collection-id}
" ] } ], "SourceServices":[ "bedrock.amazonaws.com" ] } ]
-
-
Choose Update.
-
Use the Amazon OpenSearch Service console by following the steps at Creating network policies (console). Instead of creating a network policy, note the Associated policy in the Network subsection of the collection details.