Identity-based policy examples for Amazon Bedrock Studio
The following are example policies for Amazon Bedrock Studio.
Manage workspaces
To create and manage Amazon Bedrock Studio workspaces and manage workspace members, you need the following IAM permissions.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "datazone:CreateDomain", "datazone:ListDomains", "datazone:GetDomain", "datazone:UpdateDomain", "datazone:ListProjects", "datazone:ListTagsForResource", "datazone:UntagResource", "datazone:TagResource", "datazone:SearchUserProfiles", "datazone:SearchGroupProfiles", "datazone:UpdateGroupProfile", "datazone:UpdateUserProfile", "datazone:CreateUserProfile", "datazone:CreateGroupProfile", "datazone:PutEnvironmentBlueprintConfiguration", "datazone:ListEnvironmentBlueprints", "datazone:ListEnvironmentBlueprintConfigurations", "datazone:DeleteDomain" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:passedToService": "datazone.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:CreateGrant", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncrypt*", "kms:RetireGrant" ], "Resource": "kms key for domain" }, { "Effect": "Allow", "Action": [ "kms:ListKeys", "kms:ListAliases" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:ListRoles", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:GetPolicyVersion" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sso:DescribeRegisteredRegions", "sso:ListProfiles", "sso:AssociateProfile", "sso:DisassociateProfile", "sso:GetProfile", "sso:ListInstances", "sso:CreateApplication", "sso:DeleteApplication", "sso:PutApplicationAssignmentConfiguration", "sso:PutApplicationGrant", "sso:PutApplicationAuthenticationMethod" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "bedrock:ListFoundationModels", "bedrock:ListProvisionedModelThroughputs", "bedrock:ListModelCustomizationJobs", "bedrock:ListCustomModels", "bedrock:ListTagsForResource", "bedrock:ListGuardrails", "bedrock:ListAgents", "bedrock:ListKnowledgeBases", "bedrock:GetFoundationModelAvailability" ], "Resource": "*" } ] }
Permission boundaries
This policy is a permissions boundary. A permissions boundary sets the maximum permissions that an identity-based policy can grant to an IAM principal. You should not use and attach Amazon Bedrock Studio permissions boundary policies on your own. Amazon Bedrock Studio permissions boundary policies should only be attached to Amazon Bedrock Studio managed roles. For more information on permissions boundaries, see Permissions boundaries for IAM entities in the IAM User Guide.
When you create Amazon Bedrock Studio projects, apps, and components, Amazon Bedrock Studio applies this permissions boundary to the IAM roles produced when creating those resources.
Amazon Bedrock Studio uses the AmazonDataZoneBedrockPermissionsBoundary managed
policy to limit permissions of the provisioned IAM principal it is attached to.
Principals might take the form of the user roles that Amazon DataZone can assume on
behalf of Amazon Bedrock Studio users, and then conduct actions such as reading and
writing Amazon S3 objects or invoking Amazon Bedrock agents.
The AmazonDataZoneBedrockPermissionsBoundary policy grants read and write access
for Amazon Bedrock Studio to services such as Amazon S3, Amazon Bedrock, Amazon
OpenSearch Serverless, and AWS Lambda. The policy also gives read and write
permissions to some infrastructure resources that are required to use these services
such as AWS Secrets Manager secrets, Amazon CloudWatch log groups, and AWS KMS
keys.
This policy consists of the following sets of permissions.
s3– Allows read and write access to objects in Amazon S3 buckets that are managed by Amazon Bedrock Studio.bedrock– Grants the ability to use Amazon Bedrock agents, knowledge bases, and guardrails that are managed by Amazon Bedrock Studio.aoss– Allows API access to Amazon OpenSearch Serverless collections that are managed by Amazon Bedrock Studio.lambda– Grants the ability to invoke AWS Lambda functions that are managed by Amazon Bedrock Studio.secretsmanager– Allows read and write access to AWS Secrets Manager secrets that are managed by Amazon Bedrock Studio.logs– Provides write access to Amazon CloudWatch Logs that are managed by Amazon Bedrock Studio.kms– Grants access to use AWS KMS keys for encrypting Amazon Bedrock Studio data.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AccessS3Buckets", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListBucketVersions", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion" ], "Resource": "arn:aws:s3:::br-studio-${aws:PrincipalAccount}-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AccessOpenSearchCollections", "Effect": "Allow", "Action": "aoss:APIAccessAll", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "InvokeBedrockModels", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": "arn:aws:bedrock:*::foundation-model/*" }, { "Sid": "AccessBedrockResources", "Effect": "Allow", "Action": [ "bedrock:InvokeAgent", "bedrock:Retrieve", "bedrock:StartIngestionJob", "bedrock:GetIngestionJob", "bedrock:ListIngestionJobs", "bedrock:ApplyGuardrail", "bedrock:ListPrompts", "bedrock:GetPrompt", "bedrock:CreatePrompt", "bedrock:DeletePrompt", "bedrock:CreatePromptVersion", "bedrock:InvokeFlow", "bedrock:ListTagsForResource", "bedrock:TagResource", "bedrock:UntagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "RetrieveAndGenerate", "Effect": "Allow", "Action": "bedrock:RetrieveAndGenerate", "Resource": "*" }, { "Sid": "WriteLogs", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/br-studio-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "InvokeLambdaFunctions", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:*:*:function:br-studio-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "AccessSecretsManagerSecrets", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:br-studio/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "UseKmsKeyWithBedrock", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/EnableBedrock": "true" }, "Null": { "kms:EncryptionContext:aws:bedrock:arn": "false" } } }, { "Sid": "UseKmsKeyWithAwsServices", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/EnableBedrock": "true" }, "StringLike": { "kms:ViaService": [ "s3.*.amazonaws.com", "secretsmanager.*.amazonaws.com" ] } } }, { "Sid": "GetDataZoneEnvCfnStacks", "Effect": "Allow", "Action": [ "cloudformation:GetTemplate", "cloudformation:DescribeStacks" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone-Env-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } } ] }
