(Example) Restrict data access to your Amazon S3 data using VPC - Amazon Bedrock

You can use a VPC to restrict access to data in your Amazon S3 buckets. For further security, you can configure your VPC with no internet access and create an endpoint for it with AWS PrivateLink. You can also restrict access by attaching resource-based policies to the VPC endpoint or to the S3 bucket.

Create an Amazon S3 VPC Endpoint

If you configure your VPC with no internet access, you need to create an Amazon S3 VPC endpoint to allow your model customization jobs to access the S3 buckets that store your training and validation data and that will store the model artifacts.

Create the S3 VPC endpoint by following the steps at Create a gateway endpoint for Amazon S3.

Note

If you don't use the default DNS settings for your VPC, you need to ensure that the URLs for the locations of the data in your training jobs resolve by configuring the endpoint route tables. For information about VPC endpoint route tables, see Routing for Gateway endpoints.

(Optional) Use IAM policies to restrict access to your S3 files

You can use resource-based policies to more tightly control access to your S3 files. You can use any combination of the following types of resource-based policies.

  • Endpoint policies – You can attach endpoint policies to your VPC endpoint to restrict access through the VPC endpoint. The default endpoint policy allows full access to Amazon S3 for any user or service in your VPC. When you create the endpoint, or afterwards, you can optionally attach a resource-based policy to the endpoint to add restrictions, such as allowing the endpoint to access only a specific bucket or allowing only a specific IAM role to use the endpoint. For examples, see Edit the VPC endpoint policy.

    The following is an example policy you can attach to your VPC endpoint to allow it to access only the bucket that you specify.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RestrictAccessToTrainingBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket",
                    "arn:aws:s3:::bucket/*"
                ]
            }
        ]
    }

  • Bucket policies – You can attach a bucket policy to an S3 bucket to restrict access to it. To create a bucket policy, follow the steps at Using bucket policies. To restrict access to traffic that comes from your VPC, you can use condition keys to specify the VPC itself, a VPC endpoint, or the IP address of the VPC. You can use the aws:sourceVpc, aws:sourceVpce, or aws:VpcSourceIp condition keys.

    The following is an example policy you can attach to an S3 bucket to deny all traffic to the bucket unless it comes from your VPC.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RestrictAccessToOutputBucket",
                "Effect": "Deny",
                "Principal": "*",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket",
                    "arn:aws:s3:::bucket/*"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "aws:sourceVpc": "your-vpc-id"
                    }
                }
            }
        ]
    }

    For more examples, see Control access using bucket policies.
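To see how the endpoint policy and the bucket policy above combine before you attach them, the following added example (not AWS code or part of this page) builds both documents from a bucket name and VPC ID and runs requests through a deliberately small evaluator that models only what these policies use: Allow/Deny, wildcard resources, StringEquals/StringNotEquals, and explicit Deny overriding Allow. The bucket name "bucket" and VPC IDs such as "vpc-0123" are constructed placeholders; in particular it shows that a request carrying no aws:sourceVpc in its context (one that never traversed the VPC) is caught by the Deny.

```python
import fnmatch

def endpoint_policy(bucket):
    """Endpoint policy from the page: the endpoint may only reach `bucket`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RestrictAccessToTrainingBucket", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}

def bucket_policy(bucket, vpc_id):
    """Bucket policy from the page: deny everything that does not arrive from `vpc_id`."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "RestrictAccessToOutputBucket", "Effect": "Deny", "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpc": vpc_id}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(condition, context):
    """Evaluate a Condition block against the request context (toy model, two operators)."""
    ctx = {k.lower(): v for k, v in context.items()}  # condition keys are case-insensitive
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key.lower()), _as_list(expected)
            if operator == "StringEquals" and actual not in expected:
                return False
            # A negated operator is also satisfied when the key is absent, so a
            # request that never traversed the VPC (no aws:sourceVpc) is denied.
            if operator == "StringNotEquals" and actual in expected:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise ValueError(f"operator not modelled: {operator}")
    return True

def _applies(stmt, action, resource, context):
    """True when the statement's Action, Resource and Condition all match the request."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition", {}), context))

def evaluate(policies, action, resource, context):
    """Simplified IAM logic: explicit Deny wins, then any Allow, otherwise implicit Deny."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _applies(s, action, resource, context)}
    return "Deny" if "Deny" in effects or "Allow" not in effects else "Allow"
```

The evaluator ignores Principal and identity-based policies, so treat its "Allow" as "these two resource policies do not block the request", not as a full authorization decision.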