
Set up security configurations for your knowledge base


After you've created a knowledge base, you might have to set up the following security configurations:

Set up data access policies for your knowledge base

If you're using a custom role, set up security configurations for your newly created knowledge base. If you let Amazon Bedrock create a service role for you, you can skip this step. Follow the steps in the tab corresponding to the database that you set up.

Amazon OpenSearch Serverless

To restrict access to the Amazon OpenSearch Serverless collection to the knowledge base service role, create a data access policy. You can do so in the following ways:

Use the following data access policy, specifying the Amazon OpenSearch Serverless collection and your service role:

[
  {
    "Description": "${data access policy description}",
    "Rules": [
      {
        "Resource": [
          "index/${collection_name}/*"
        ],
        "Permission": [
          "aoss:DescribeIndex",
          "aoss:ReadDocument",
          "aoss:WriteDocument"
        ],
        "ResourceType": "index"
      }
    ],
    "Principal": [
      "arn:aws:iam::${account-id}:role/${kb-service-role}"
    ]
  }
]
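As an added example (not part of the Amazon Bedrock documentation), the following Python builds the data access policy above and audits an existing one for grants wider than the knowledge base service role needs. The function names, the role ARN and the collection name are constructed for illustration.

```python
import json

# The only index-level permissions the knowledge base service role needs (from the page).
REQUIRED_INDEX_PERMISSIONS = {"aoss:DescribeIndex", "aoss:ReadDocument", "aoss:WriteDocument"}


def build_data_access_policy(collection_name, kb_role_arn, description):
    """Return the page's least-privilege data access policy as a Python object."""
    return [{
        "Description": description,
        "Rules": [{
            "Resource": [f"index/{collection_name}/*"],
            "Permission": sorted(REQUIRED_INDEX_PERMISSIONS),
            "ResourceType": "index",
        }],
        "Principal": [kb_role_arn],
    }]


def audit_data_access_policy(policy, kb_role_arn):
    """Return findings for anything broader than the knowledge base needs.

    Flags principals other than the service role, collection-level grants,
    permissions outside the three required ones (including aoss:*), and
    wildcard resources that would cover every collection or index.
    """
    findings = []
    for i, stmt in enumerate(policy):
        for principal in stmt.get("Principal", []):
            if principal != kb_role_arn:
                findings.append(f"statement {i}: unexpected principal {principal}")
        for rule in stmt.get("Rules", []):
            if rule.get("ResourceType") == "collection":
                findings.append(f"statement {i}: collection-level grant is not needed")
            extra = set(rule.get("Permission", [])) - REQUIRED_INDEX_PERMISSIONS
            if extra:
                findings.append(f"statement {i}: excess permissions {sorted(extra)}")
            for res in rule.get("Resource", []):
                if res in ("index/*/*", "collection/*"):
                    findings.append(f"statement {i}: wildcard resource {res}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; substitute your own collection and role.
    role = "arn:aws:iam::123456789012:role/kb-service-role"
    policy = build_data_access_policy("kb-collection", role, "Bedrock KB index access")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_data_access_policy(policy, role))
```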
Pinecone, Redis Enterprise Cloud or MongoDB Atlas

To integrate a Pinecone, Redis Enterprise Cloud, or MongoDB Atlas vector index, attach the following identity-based policy to your knowledge base service role to allow it to access the AWS Secrets Manager secret for the vector index.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:AssociateThirdPartyKnowledgeBase"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "bedrock:ThirdPartyKnowledgeBaseCredentialsSecretArn": "arn:aws:secretsmanager:${region}:${account-id}:secret:${secret-id}"
        }
      }
    }
  ]
}


Set up network access policies for your Amazon OpenSearch Serverless knowledge base

If you use a private Amazon OpenSearch Serverless collection for your knowledge base, it can only be accessed through an AWS PrivateLink VPC endpoint. You can create a private Amazon OpenSearch Serverless collection when you set up your Amazon OpenSearch Serverless vector collection or you can make an existing Amazon OpenSearch Serverless collection (including one that the Amazon Bedrock console created for you) private when you configure its network access policy.

The following resources in the Amazon OpenSearch Service Developer Guide will help you understand the setup required for a private Amazon OpenSearch Serverless collection:

To allow an Amazon Bedrock knowledge base to access a private Amazon OpenSearch Serverless collection, you must edit the network access policy for the Amazon OpenSearch Serverless collection to allow Amazon Bedrock as a source service. Choose the tab for your preferred method, and then follow the steps:

Console
  1. Open the Amazon OpenSearch Service console at https://console.aws.amazon.com/aos/.

  2. From the left navigation pane, select Collections. Then choose your collection.

  3. In the Network section, select the Associated Policy.

  4. Choose Edit.

  5. For Select policy definition method, do one of the following:

    • Leave Select policy definition method as Visual editor and configure the following settings in the Rule 1 section:

      1. (Optional) In the Rule name field, enter a name for the network access rule.

      2. Under Access collections from, select Private (recommended).

      3. Select AWS service private access. In the text box, enter bedrock.amazonaws.com.

      4. Unselect Enable access to OpenSearch Dashboards.

    • Choose JSON and paste the following policy in the JSON editor.

      [
        {
          "AllowFromPublic": false,
          "Description": "${network access policy description}",
          "Rules": [
            {
              "ResourceType": "collection",
              "Resource": [
                "collection/${collection-id}"
              ]
            }
          ],
          "SourceServices": [
            "bedrock.amazonaws.com"
          ]
        }
      ]
  6. Choose Update.

API

To edit the network access policy for your Amazon OpenSearch Serverless collection, do the following:

  1. Send a GetSecurityPolicy request with an OpenSearch Serverless endpoint. Specify the name of the policy and specify the type as network. Note the policyVersion in the response.

  2. Send an UpdateSecurityPolicy request with an OpenSearch Serverless endpoint. Minimally, specify the following fields:

    Field           Description
    name            The name of the policy.
    policyVersion   The policyVersion returned to you in the GetSecurityPolicy response.
    type            The type of security policy. Specify network.
    policy          The policy to use. Specify the following JSON object:

    [
      {
        "AllowFromPublic": false,
        "Description": "${network access policy description}",
        "Rules": [
          {
            "ResourceType": "collection",
            "Resource": [
              "collection/${collection-id}"
            ]
          }
        ],
        "SourceServices": [
          "bedrock.amazonaws.com"
        ]
      }
    ]

For an AWS CLI example, see Creating data access policies (AWS CLI).
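As an added example (not part of the Amazon Bedrock documentation), the following Python carries out the two API steps above: it reads the current policyVersion with GetSecurityPolicy, then submits the private, Bedrock-only network policy with UpdateSecurityPolicy, and includes an audit check for an existing policy. The `client` argument is a boto3 `opensearchserverless` client; the FakeAossClient, the policy name and the collection id are constructed so the code runs offline.

```python
import json


def build_private_network_policy(collection_id, description):
    """Network policy from the page: no public access, Bedrock is the only source service."""
    return [{
        "AllowFromPublic": False,
        "Description": description,
        "Rules": [{"ResourceType": "collection", "Resource": [f"collection/{collection_id}"]}],
        "SourceServices": ["bedrock.amazonaws.com"],
    }]


def is_private_for_bedrock(policy_doc):
    """Audit check: every statement blocks public access and lists only Bedrock as a source."""
    return all(
        stmt.get("AllowFromPublic") is False
        and stmt.get("SourceServices") == ["bedrock.amazonaws.com"]
        for stmt in policy_doc
    )


def make_collection_private(client, policy_name, collection_id, description):
    """Step 1 then step 2: read the current policyVersion, then update using it."""
    # client: a boto3 opensearchserverless client, or anything with the same two methods
    current = client.get_security_policy(name=policy_name, type="network")
    version = current["securityPolicyDetail"]["policyVersion"]
    return client.update_security_policy(
        name=policy_name,
        policyVersion=version,  # a stale version is rejected by AWS; re-read before retrying
        type="network",
        policy=json.dumps(build_private_network_policy(collection_id, description)),
    )


class FakeAossClient:
    """Constructed offline stand-in for the two API calls; not boto3 and not an AWS component."""

    def __init__(self, name, policy_version, policy):
        self.policies = {name: {"policyVersion": policy_version, "policy": policy}}

    def get_security_policy(self, name, type):
        return {"securityPolicyDetail": {"name": name, "type": type, **self.policies[name]}}

    def update_security_policy(self, name, policyVersion, type, policy, description=None):
        if self.policies[name]["policyVersion"] != policyVersion:
            raise RuntimeError("ConflictException: policyVersion is stale")
        self.policies[name] = {"policyVersion": policyVersion + "-next", "policy": json.loads(policy)}
        return {"securityPolicyDetail": {"name": name, "type": type, **self.policies[name]}}
```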


  • Use the Amazon OpenSearch Service console by following the steps at Creating network policies (console). Instead of creating a network policy, note the Associated policy in the Network subsection of the collection details.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.