本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
为 Amazon Bedrock Studio 创建配置角色
Amazon Bedrock Studio 处于 Amazon Bedrock 的预览版,可能会发生变化。
要允许 Amazon Bedrock Studio 在用户账户中创建资源,例如护栏组件,您需要创建一个配置角色。
要为 Amazon Bedrock Studio 创建配置 IAM 角色,请按照《创建角色以向 AWS 服务委派权限》中的步骤创建一个角色,并附加以下权限。
信任关系
以下策略允许 Amazon Bedrock(信任的服务主体为 datazone.amazonaws.com)担任此角色,并让 Amazon Bedrock Studio 管理用户账户中的 Bedrock Studio 资源。
-
将 aws:SourceAccount 的值设置为您的账户 ID,这样只有代表您账户发起的服务调用才能担任此角色。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "datazone.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "
account ID
" } } } ] }
管理 Amazon Bedrock Studio 用户资源的权限
Amazon Bedrock Studio 配置角色的默认策略。该策略允许委托人使用 Amazon DataZone 和 AWS CloudFormation 在 Amazon Bedrock Studio 中创建、更新和删除 AWS 资源。
此策略由以下几组权限组成。
-
cloudformation — 允许委托人创建和管理 CloudFormation 堆栈,以便在 Amazon DataZone 环境中配置 Amazon Bedrock Studio 资源。
-
iam — 允许委托人使用 AWS CloudFormation 创建、管理和传递 Amazon Bedrock Studio 所使用的、具有权限边界的 IAM 角色。(下方策略通过角色名称前缀和 AmazonBedrockManaged 资源标签限制这些操作的作用范围,而不是通过 iam:PermissionsBoundary 条件键。)
-
s3 — 允许委托人使用 AWS CloudFormation 为 Amazon Bedrock Studio 创建和管理 Amazon S3 存储桶。
-
aoss — 允许委托人使用 AWS CloudFormation 为 Amazon Bedrock Studio 创建和管理 Amazon OpenSearch Serverless 集合。
-
bedrock — 允许委托人使用 AWS CloudFormation 创建和管理用于 Amazon Bedrock Studio 的 Amazon Bedrock 代理、知识库、护栏、提示和流程。
-
lambda — 允许委托人使用 AWS CloudFormation 创建、管理和调用 Amazon Bedrock Studio 的 AWS Lambda 函数。
-
logs — 允许委托人使用 AWS CloudFormation 创建和管理 Amazon Bedrock Studio 的 Amazon CloudWatch Logs 日志组。
-
secretsmanager — 允许委托人使用 AWS CloudFormation 创建和管理 Amazon Bedrock Studio 的 AWS Secrets Manager 密钥。
-
kms — 授予访问权限,以便使用 AWS CloudFormation 通过专用于 Amazon Bedrock 的 AWS KMS 客户托管密钥加密已配置的资源。(下方策略通过 EnableBedrock=true 资源标签识别这些密钥。)
由于此策略的大小,您需要将其作为内联策略进行附加。有关说明,请参阅《步骤 2:创建权限边界、服务角色和配置角色》。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateStacks", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:TagResource" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "AmazonDataZoneEnvironment" }, "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "ManageStacks", "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:UpdateStack", "cloudformation:DeleteStack" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone*" }, { "Sid": "DenyOtherActionsNotViaCloudFormation", "Effect": "Deny", "NotAction": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack", "cloudformation:TagResource" ], "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:CalledViaFirst": "cloudformation.amazonaws.com" } } }, { "Sid": "ListResources", "Effect": "Allow", "Action": [ "iam:ListRoles", "s3:ListAllMyBuckets", "aoss:ListCollections", "aoss:BatchGetCollection", "aoss:ListAccessPolicies", "aoss:ListSecurityPolicies", "aoss:ListTagsForResource", "bedrock:ListAgents", "bedrock:ListKnowledgeBases", "bedrock:ListGuardrails", "bedrock:ListPrompts", "bedrock:ListFlows", "bedrock:ListTagsForResource", "lambda:ListFunctions", "logs:DescribeLogGroups", "secretsmanager:ListSecrets" ], "Resource": "*" }, { "Sid": "GetRoles", "Effect": "Allow", "Action": "iam:GetRole", "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ] }, { "Sid": "CreateRoles", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:DeleteRolePolicy", "iam:DetachRolePolicy" ], "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", 
"arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "ManageRoles", "Effect": "Allow", "Action": [ "iam:UpdateRole", "iam:DeleteRole", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies" ], "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "PassRoleToBedrockService", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "iam:PassedToService": "bedrock.amazonaws.com" } } }, { "Sid": "PassRoleToLambdaService", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/BedrockStudio*", "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } } }, { "Sid": "CreateRoleForOpenSearchServerless", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "observability.aoss.amazonaws.com" } } }, { "Sid": "GetDataZoneBlueprintCfnTemplates", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", "Condition": { "StringNotEquals": { "s3:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "CreateAndAccessS3Buckets", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketTagging", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketVersioning", "s3:PutBucketPublicAccessBlock", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::br-studio-*" }, { "Sid": "ManageOssAccessPolicies", "Effect": "Allow", "Action": [ 
"aoss:GetAccessPolicy", "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:UpdateAccessPolicy" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "aoss:collection": "br-studio-*", "aoss:index": "br-studio-*" } } }, { "Sid": "ManageOssSecurityPolicies", "Effect": "Allow", "Action": [ "aoss:GetSecurityPolicy", "aoss:CreateSecurityPolicy", "aoss:DeleteSecurityPolicy", "aoss:UpdateSecurityPolicy" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "aoss:collection": "br-studio-*" } } }, { "Sid": "ManageOssCollections", "Effect": "Allow", "Action": [ "aoss:CreateCollection", "aoss:UpdateCollection", "aoss:DeleteCollection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "GetBedrockResources", "Effect": "Allow", "Action": [ "bedrock:GetAgent", "bedrock:GetKnowledgeBase", "bedrock:GetGuardrail", "bedrock:GetPrompt", "bedrock:GetFlow", "bedrock:GetFlowAlias" ], "Resource": "*" }, { "Sid": "ManageBedrockResources", "Effect": "Allow", "Action": [ "bedrock:CreateAgent", "bedrock:UpdateAgent", "bedrock:PrepareAgent", "bedrock:DeleteAgent", "bedrock:ListAgentAliases", "bedrock:GetAgentAlias", "bedrock:CreateAgentAlias", "bedrock:UpdateAgentAlias", "bedrock:DeleteAgentAlias", "bedrock:ListAgentActionGroups", "bedrock:GetAgentActionGroup", "bedrock:CreateAgentActionGroup", "bedrock:UpdateAgentActionGroup", "bedrock:DeleteAgentActionGroup", "bedrock:ListAgentKnowledgeBases", "bedrock:GetAgentKnowledgeBase", "bedrock:AssociateAgentKnowledgeBase", "bedrock:DisassociateAgentKnowledgeBase", "bedrock:UpdateAgentKnowledgeBase", "bedrock:CreateKnowledgeBase", "bedrock:UpdateKnowledgeBase", "bedrock:DeleteKnowledgeBase", "bedrock:ListDataSources", "bedrock:GetDataSource", "bedrock:CreateDataSource", "bedrock:UpdateDataSource", "bedrock:DeleteDataSource", "bedrock:CreateGuardrail", "bedrock:UpdateGuardrail", "bedrock:DeleteGuardrail", "bedrock:CreateGuardrailVersion", "bedrock:CreatePrompt", 
"bedrock:UpdatePrompt", "bedrock:DeletePrompt", "bedrock:CreatePromptVersion", "bedrock:CreateFlow", "bedrock:UpdateFlow", "bedrock:PrepareFlow", "bedrock:DeleteFlow", "bedrock:ListFlowAliases", "bedrock:GetFlowAlias", "bedrock:CreateFlowAlias", "bedrock:UpdateFlowAlias", "bedrock:DeleteFlowAlias", "bedrock:ListFlowVersions", "bedrock:GetFlowVersion", "bedrock:CreateFlowVersion", "bedrock:DeleteFlowVersion" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "TagBedrockAgentAliases", "Effect": "Allow", "Action": "bedrock:TagResource", "Resource": "arn:aws:bedrock:*:*:agent-alias/*", "Condition": { "StringEquals": { "aws:RequestTag/AmazonBedrockManaged": "true" } } }, { "Sid": "TagBedrockFlowAliases", "Effect": "Allow", "Action": "bedrock:TagResource", "Resource": "arn:aws:bedrock:*:*:flow/*/alias/*", "Condition": { "Null": { "aws:RequestTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "CreateFunctions", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:CreateFunction", "lambda:InvokeFunction", "lambda:DeleteFunction", "lambda:UpdateFunctionCode", "lambda:GetFunctionConfiguration", "lambda:UpdateFunctionConfiguration", "lambda:ListVersionsByFunction", "lambda:PublishVersion", "lambda:GetPolicy", "lambda:AddPermission", "lambda:RemovePermission", "lambda:ListTags" ], "Resource": "arn:aws:lambda:*:*:function:br-studio-*" }, { "Sid": "ManageLogGroups", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DeleteRetentionPolicy", "logs:GetDataProtectionPolicy", "logs:PutDataProtectionPolicy", "logs:DeleteDataProtectionPolicy", "logs:AssociateKmsKey", "logs:DisassociateKmsKey", "logs:ListTagsLogGroup", "logs:ListTagsForResource" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/br-studio-*" }, { "Sid": "GetRandomPasswordForSecret", "Effect": "Allow", "Action": "secretsmanager:GetRandomPassword", "Resource": "*" }, { "Sid": 
"ManageSecrets", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:DescribeSecret", "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret", "secretsmanager:GetResourcePolicy", "secretsmanager:PutResourcePolicy", "secretsmanager:DeleteResourcePolicy" ], "Resource": "arn:aws:secretsmanager:*:*:secret:br-studio/*" }, { "Sid": "UseCustomerManagedKmsKey", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant", "kms:RetireGrant" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/EnableBedrock": "true" } } }, { "Sid": "TagResources", "Effect": "Allow", "Action": [ "iam:TagRole", "iam:UntagRole", "aoss:TagResource", "aoss:UntagResource", "bedrock:TagResource", "bedrock:UntagResource", "lambda:TagResource", "lambda:UntagResource", "logs:TagLogGroup", "logs:UntagLogGroup", "logs:TagResource", "logs:UntagResource", "secretsmanager:TagResource", "secretsmanager:UntagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } } ] }