Translations are generated by machine translation. In case of any conflict between the translated content and the original English version, the English version prevails.
Amazon Bedrock Studio is in preview release for Amazon Bedrock and is subject to change.
To allow Amazon Bedrock Studio to create resources in a user account, such as a guardrail component, you must create a provisioning role.
To use a provisioning role for Amazon Bedrock Studio, create an IAM role and attach the following permissions by following the steps in Creating a role to delegate permissions to an AWS service.
Trust relationship
The following trust policy allows the service principal shown in it (datazone.amazonaws.com) to assume this role so that Amazon Bedrock Studio can manage Amazon Bedrock Studio resources in a user's account.
- Set the value of aws:SourceAccount to your account ID. This condition is what prevents the confused-deputy problem: the service can assume the role only on behalf of your own account, so do not leave it as a placeholder or replace it with a wildcard.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "datazone.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "account ID"
}
}
}
]
}
Permissions to manage Amazon Bedrock Studio user resources
Default policy for the Amazon Bedrock Studio provisioning role. This policy allows the principal to create, update, and delete AWS resources in Amazon Bedrock Studio using Amazon DataZone and AWS CloudFormation.
This policy consists of the following permission sets.
- cloudformation: Allows the principal to create and manage CloudFormation stacks (named DataZone*) to provision Amazon Bedrock Studio resources as part of Amazon DataZone environments. A Deny statement blocks every other action in the policy unless the call is made through CloudFormation (aws:CalledViaFirst), so the role cannot be used to manage these resources directly.
- iam: Allows the principal to create, manage, and pass IAM roles with a permissions boundary for Amazon Bedrock Studio using AWS CloudFormation. Role access is limited to the name prefixes DataZoneBedrockProject*, AmazonBedrockExecution*, and BedrockStudio* and, for write actions, to roles tagged AmazonBedrockManaged=true.
- s3: Allows the principal to create and manage Amazon S3 buckets (named br-studio-*) for Amazon Bedrock Studio use using AWS CloudFormation.
- aoss: Allows the principal to create and manage Amazon OpenSearch Serverless collections for Amazon Bedrock Studio use using AWS CloudFormation.
- bedrock: Allows the principal to create and manage Amazon Bedrock agents, knowledge bases, guardrails, prompts, and flows for Amazon Bedrock Studio use using AWS CloudFormation.
- lambda: Allows the principal to create, manage, and invoke AWS Lambda functions (named br-studio-*) for Amazon Bedrock Studio using AWS CloudFormation.
- logs: Allows the principal to create and manage Amazon CloudWatch Logs log groups for Amazon Bedrock Studio use using AWS CloudFormation.
- secretsmanager: Allows the principal to create and manage AWS Secrets Manager secrets (under the br-studio/ prefix) for Amazon Bedrock Studio using AWS CloudFormation.
- kms: Grants AWS KMS access to encrypt provisioned resources with a customer managed key intended for Amazon Bedrock use (tagged EnableBedrock=true) using AWS CloudFormation.
Because of the size of this policy, you need to attach it as an inline policy rather than a managed policy (a managed policy is limited to 6,144 characters, while the inline policies on a role may total 10,240 characters, whitespace excluded in both cases). For instructions, see Step 2: Create permissions boundary, service role, and provisioning role.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateStacks",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:TagResource"
],
"Resource": "arn:aws:cloudformation:*:*:stack/DataZone*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:TagKeys": "AmazonDataZoneEnvironment"
},
"Null": {
"aws:ResourceTag/AmazonDataZoneEnvironment": "false"
}
}
},
{
"Sid": "ManageStacks",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack"
],
"Resource": "arn:aws:cloudformation:*:*:stack/DataZone*"
},
{
"Sid": "DenyOtherActionsNotViaCloudFormation",
"Effect": "Deny",
"NotAction": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:TagResource"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:CalledViaFirst": "cloudformation.amazonaws.com"
}
}
},
{
"Sid": "ListResources",
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"s3:ListAllMyBuckets",
"aoss:ListCollections",
"aoss:BatchGetCollection",
"aoss:ListAccessPolicies",
"aoss:ListSecurityPolicies",
"aoss:ListTagsForResource",
"bedrock:ListAgents",
"bedrock:ListKnowledgeBases",
"bedrock:ListGuardrails",
"bedrock:ListPrompts",
"bedrock:ListFlows",
"bedrock:ListTagsForResource",
"lambda:ListFunctions",
"logs:DescribeLogGroups",
"secretsmanager:ListSecrets"
],
"Resource": "*"
},
{
"Sid": "GetRoles",
"Effect": "Allow",
"Action": "iam:GetRole",
"Resource": [
"arn:aws:iam::*:role/DataZoneBedrockProject*",
"arn:aws:iam::*:role/AmazonBedrockExecution*",
"arn:aws:iam::*:role/BedrockStudio*"
]
},
{
"Sid": "CreateRoles",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:AttachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": [
"arn:aws:iam::*:role/DataZoneBedrockProject*",
"arn:aws:iam::*:role/AmazonBedrockExecution*",
"arn:aws:iam::*:role/BedrockStudio*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "ManageRoles",
"Effect": "Allow",
"Action": [
"iam:UpdateRole",
"iam:DeleteRole",
"iam:ListRolePolicies",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies"
],
"Resource": [
"arn:aws:iam::*:role/DataZoneBedrockProject*",
"arn:aws:iam::*:role/AmazonBedrockExecution*",
"arn:aws:iam::*:role/BedrockStudio*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "PassRoleToBedrockService",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::*:role/AmazonBedrockExecution*",
"arn:aws:iam::*:role/BedrockStudio*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "bedrock.amazonaws.com"
}
}
},
{
"Sid": "PassRoleToLambdaService",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/BedrockStudio*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "lambda.amazonaws.com"
}
}
},
{
"Sid": "CreateRoleForOpenSearchServerless",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "observability.aoss.amazonaws.com"
}
}
},
{
"Sid": "GetDataZoneBlueprintCfnTemplates",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"s3:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "CreateAndAccessS3Buckets",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::br-studio-*"
},
{
"Sid": "ManageOssAccessPolicies",
"Effect": "Allow",
"Action": [
"aoss:GetAccessPolicy",
"aoss:CreateAccessPolicy",
"aoss:DeleteAccessPolicy",
"aoss:UpdateAccessPolicy"
],
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"aoss:collection": "br-studio-*",
"aoss:index": "br-studio-*"
}
}
},
{
"Sid": "ManageOssSecurityPolicies",
"Effect": "Allow",
"Action": [
"aoss:GetSecurityPolicy",
"aoss:CreateSecurityPolicy",
"aoss:DeleteSecurityPolicy",
"aoss:UpdateSecurityPolicy"
],
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"aoss:collection": "br-studio-*"
}
}
},
{
"Sid": "ManageOssCollections",
"Effect": "Allow",
"Action": [
"aoss:CreateCollection",
"aoss:UpdateCollection",
"aoss:DeleteCollection"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "GetBedrockResources",
"Effect": "Allow",
"Action": [
"bedrock:GetAgent",
"bedrock:GetKnowledgeBase",
"bedrock:GetGuardrail",
"bedrock:GetPrompt",
"bedrock:GetFlow",
"bedrock:GetFlowAlias"
],
"Resource": "*"
},
{
"Sid": "ManageBedrockResources",
"Effect": "Allow",
"Action": [
"bedrock:CreateAgent",
"bedrock:UpdateAgent",
"bedrock:PrepareAgent",
"bedrock:DeleteAgent",
"bedrock:ListAgentAliases",
"bedrock:GetAgentAlias",
"bedrock:CreateAgentAlias",
"bedrock:UpdateAgentAlias",
"bedrock:DeleteAgentAlias",
"bedrock:ListAgentActionGroups",
"bedrock:GetAgentActionGroup",
"bedrock:CreateAgentActionGroup",
"bedrock:UpdateAgentActionGroup",
"bedrock:DeleteAgentActionGroup",
"bedrock:ListAgentKnowledgeBases",
"bedrock:GetAgentKnowledgeBase",
"bedrock:AssociateAgentKnowledgeBase",
"bedrock:DisassociateAgentKnowledgeBase",
"bedrock:UpdateAgentKnowledgeBase",
"bedrock:CreateKnowledgeBase",
"bedrock:UpdateKnowledgeBase",
"bedrock:DeleteKnowledgeBase",
"bedrock:ListDataSources",
"bedrock:GetDataSource",
"bedrock:CreateDataSource",
"bedrock:UpdateDataSource",
"bedrock:DeleteDataSource",
"bedrock:CreateGuardrail",
"bedrock:UpdateGuardrail",
"bedrock:DeleteGuardrail",
"bedrock:CreateGuardrailVersion",
"bedrock:CreatePrompt",
"bedrock:UpdatePrompt",
"bedrock:DeletePrompt",
"bedrock:CreatePromptVersion",
"bedrock:CreateFlow",
"bedrock:UpdateFlow",
"bedrock:PrepareFlow",
"bedrock:DeleteFlow",
"bedrock:ListFlowAliases",
"bedrock:GetFlowAlias",
"bedrock:CreateFlowAlias",
"bedrock:UpdateFlowAlias",
"bedrock:DeleteFlowAlias",
"bedrock:ListFlowVersions",
"bedrock:GetFlowVersion",
"bedrock:CreateFlowVersion",
"bedrock:DeleteFlowVersion"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "TagBedrockAgentAliases",
"Effect": "Allow",
"Action": "bedrock:TagResource",
"Resource": "arn:aws:bedrock:*:*:agent-alias/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "TagBedrockFlowAliases",
"Effect": "Allow",
"Action": "bedrock:TagResource",
"Resource": "arn:aws:bedrock:*:*:flow/*/alias/*",
"Condition": {
"Null": {
"aws:RequestTag/AmazonDataZoneEnvironment": "false"
}
}
},
{
"Sid": "CreateFunctions",
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:InvokeFunction",
"lambda:DeleteFunction",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConfiguration",
"lambda:UpdateFunctionConfiguration",
"lambda:ListVersionsByFunction",
"lambda:PublishVersion",
"lambda:GetPolicy",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:ListTags"
],
"Resource": "arn:aws:lambda:*:*:function:br-studio-*"
},
{
"Sid": "ManageLogGroups",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:DeleteRetentionPolicy",
"logs:GetDataProtectionPolicy",
"logs:PutDataProtectionPolicy",
"logs:DeleteDataProtectionPolicy",
"logs:AssociateKmsKey",
"logs:DisassociateKmsKey",
"logs:ListTagsLogGroup",
"logs:ListTagsForResource"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/br-studio-*"
},
{
"Sid": "GetRandomPasswordForSecret",
"Effect": "Allow",
"Action": "secretsmanager:GetRandomPassword",
"Resource": "*"
},
{
"Sid": "ManageSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:PutResourcePolicy",
"secretsmanager:DeleteResourcePolicy"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:br-studio/*"
},
{
"Sid": "UseCustomerManagedKmsKey",
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:CreateGrant",
"kms:RetireGrant"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/EnableBedrock": "true"
}
}
},
{
"Sid": "TagResources",
"Effect": "Allow",
"Action": [
"iam:TagRole",
"iam:UntagRole",
"aoss:TagResource",
"aoss:UntagResource",
"bedrock:TagResource",
"bedrock:UntagResource",
"lambda:TagResource",
"lambda:UntagResource",
"logs:TagLogGroup",
"logs:UntagLogGroup",
"logs:TagResource",
"logs:UntagResource",
"secretsmanager:TagResource",
"secretsmanager:UntagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
}
]
}
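The following Python script is an added example, not part of the AWS documentation page and not code shipped by Amazon Bedrock Studio. It covers two things the page leaves to the reader: filling in the trust policy above with a validated 12-digit account ID so that aws:SourceAccount is never left as a placeholder, and auditing a permissions policy for the properties the provisioning policy relies on (Allow statements on Resource "*" that carry no Condition, the presence of the Deny statement that restricts the role to calls made via CloudFormation, and whether the document fits IAM's managed-policy or inline-policy size quota). The function names, the small SAMPLE_POLICY (a constructed subset of the page's statements plus one deliberately over-broad statement), and the read-only action heuristic are assumptions made for this example.

```python
"""Added example: build the provisioning role's trust policy and audit a
permissions policy for the invariants the Bedrock Studio policy depends on."""
import json
import re

DATAZONE_PRINCIPAL = "datazone.amazonaws.com"
# IAM quotas (characters, whitespace excluded): a managed policy may hold
# 6,144, the inline policies attached to one role may total 10,240.
MANAGED_POLICY_MAX = 6144
INLINE_ROLE_POLICY_MAX = 10240
# Heuristic (assumption): actions whose verb is List/Get/Describe/BatchGet
# are treated as read-only; everything else counts as a write.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(List|Get|Describe|BatchGet)")


def build_trust_policy(account_id: str) -> dict:
    """Return the page's trust policy with aws:SourceAccount filled in.
    The SourceAccount condition is the confused-deputy guard, so refuse
    anything that is not a literal 12-digit account ID."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"account ID must be 12 digits, got {account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": DATAZONE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_policy_size(policy: dict) -> int:
    """Approximate IAM's size count: serialized JSON with whitespace removed."""
    return len(re.sub(r"\s", "", json.dumps(policy, separators=(",", ":"))))


def audit_policy(policy: dict) -> dict:
    """Report wildcard-resource Allow statements without a Condition (and which
    of those grant writes), whether the CloudFormation-only Deny guard is
    present, and whether the document fits the managed/inline quotas."""
    wildcard_no_condition, wildcard_writes = [], {}
    has_deny_guard = False
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        resources = _as_list(st.get("Resource", []))
        if st["Effect"] == "Allow" and "*" in resources and "Condition" not in st:
            wildcard_no_condition.append(sid)
            writes = [a for a in _as_list(st["Action"]) if not READ_ONLY.match(a)]
            if writes:
                wildcard_writes[sid] = writes
        if st["Effect"] == "Deny" and "NotAction" in st:
            cond = st.get("Condition", {}).get("StringNotEqualsIfExists", {})
            if cond.get("aws:CalledViaFirst") == "cloudformation.amazonaws.com":
                has_deny_guard = True
    size = iam_policy_size(policy)
    return {
        "wildcard_no_condition": wildcard_no_condition,
        "wildcard_writes": wildcard_writes,
        "has_cloudformation_only_deny": has_deny_guard,
        "size_chars": size,
        "fits_managed": size <= MANAGED_POLICY_MAX,
        "fits_inline": size <= INLINE_ROLE_POLICY_MAX,
    }


# Constructed sample: a subset of the page's statements plus one deliberate
# mistake (a write action on every resource with no Condition).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListResources", "Effect": "Allow",
         "Action": ["iam:ListRoles", "bedrock:ListGuardrails", "logs:DescribeLogGroups"],
         "Resource": "*"},
        {"Sid": "GetRandomPasswordForSecret", "Effect": "Allow",
         "Action": "secretsmanager:GetRandomPassword", "Resource": "*"},
        {"Sid": "ManageOssCollections", "Effect": "Allow",
         "Action": ["aoss:CreateCollection", "aoss:DeleteCollection"], "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/AmazonBedrockManaged": "true"}}},
        {"Sid": "DenyOtherActionsNotViaCloudFormation", "Effect": "Deny",
         "NotAction": ["cloudformation:CreateStack", "cloudformation:DescribeStacks"],
         "Resource": "*",
         "Condition": {"StringNotEqualsIfExists": {"aws:CalledViaFirst": "cloudformation.amazonaws.com"}}},
        {"Sid": "OverBroadInvoke", "Effect": "Allow",
         "Action": "lambda:InvokeFunction", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy("123456789012"), indent=2))
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Run it against the full policy from this page by loading the JSON into audit_policy: the only wildcard statements without a Condition should be the read-only ListResources, GetBedrockResources, and GetRandomPasswordForSecret statements, and the Deny guard should be reported as present. A statement such as OverBroadInvoke in the sample is exactly what the audit is meant to catch before the policy is attached.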