Trust relationship Permissions to access training and validation files and to write output files in S3

Create a service role for model customization

To use a custom role for model customization instead of the one Amazon Bedrock automatically creates, create an IAM role and attach the following permissions by following the steps at Creating a role to delegate permissions to an AWS service.

Trust relationship
Permissions to access your training and validation data in S3 and to write your output data to S3
(Optional) If you encrypt any of the following resources with a KMS key, permissions to decrypt the key (see Encryption of model customization jobs and artifacts)
- A model customization job or the resulting custom model
- The training, validation, or output data for the model customization job

Topics

Trust relationship
Permissions to access training and validation files and to write output files in S3

Trust relationship

The following policy allows Amazon Bedrock to assume this role and carry out the model customization job. The following shows an example policy you can use.

You can optionally restrict the scope of the permission for cross-service confused deputy prevention by using one or more global condition context keys with the Condition field. For more information, see AWS global condition context keys.

Set the aws:SourceAccount value to your account ID.
(Optional) Use the ArnEquals or ArnLike condition to restrict the scope to specific model customization jobs in your account ID.


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account-id"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:bedrock:us-east-1:account-id:model-customization-job/*"
                }
            }
        }
    ] 
}

Permissions to access training and validation files and to write output files in S3

Attach the following policy to allow the role to access your training and validation data and the bucket to which to write your output data. Replace the values in the Resource list with your actual bucket names.

To restrict access to a specific folder in a bucket, add an s3:prefix condition key with your folder path. You can follow the User policy example in Example 2: Getting a list of objects in a bucket with a specific prefix


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::training-bucket",
                "arn:aws:s3:::training-bucket/*",
                "arn:aws:s3:::validation-bucket",
                "arn:aws:s3:::validation-bucket/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::output-bucket",
                "arn:aws:s3:::output-bucket/*"
            ]
        }
    ]
}

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Batch inference service role

Model import service role