本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon Bedrock Studio 在 Amazon Bedrock 中为预览版,未来可能发生变化。
要允许 Amazon Bedrock Studio 在用户账户中创建资源,例如防护机制组件,您需要创建一个预调配角色。
要创建 Amazon Bedrock Studio 的预调配角色,请创建一个 IAM 角色,并按照“创建向 AWS 服务委派权限的角色”中的步骤附加以下权限。
信任关系
以下策略允许 Amazon Bedrock 承担此角色,并允许 Amazon Bedrock Studio 管理用户账户中的 Bedrock Studio 资源。
-
将 aws:SourceAccount 的值设置为您的账户 ID,以便仅允许来自您账户的请求承担此角色。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "datazone.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "account ID"
}
}
}
]
}
用于管理 Amazon Bedrock Studio 用户资源的权限
Amazon Bedrock Studio 预调配角色的默认策略。该策略允许委托人使用 Amazon DataZone 和 AWS CloudFormation 在 Amazon Bedrock Studio 中创建、更新和删除 AWS 资源。
此策略由以下权限集组成。
-
cloudformation — 允许委托人创建和管理 CloudFormation 堆栈,以便在 Amazon DataZone 环境中预调配 Amazon Bedrock Studio 资源。
-
iam — 允许委托人使用 AWS CloudFormation 为 Amazon Bedrock Studio 创建、管理和传递具有权限边界的 IAM 角色。
-
s3 — 允许委托人使用 AWS CloudFormation 为 Amazon Bedrock Studio 创建和管理 Amazon S3 存储桶。
-
aoss — 允许委托人使用 AWS CloudFormation 为 Amazon Bedrock Studio 创建和管理 Amazon OpenSearch Serverless 集合。
-
bedrock — 允许委托人使用 AWS CloudFormation 创建和管理用于 Amazon Bedrock Studio 的 Amazon Bedrock 代理、知识库、防护机制、提示和流程。
-
lambda — 允许委托人使用 AWS CloudFormation 创建、管理和调用 Amazon Bedrock Studio 的 AWS Lambda 函数。
-
logs — 允许委托人使用 AWS CloudFormation 创建和管理 Amazon Bedrock Studio 的 Amazon CloudWatch Logs 日志组。
-
secretsmanager — 允许委托人使用 AWS CloudFormation 创建和管理 Amazon Bedrock Studio 的 AWS Secrets Manager 密钥。
-
kms — 授予访问权限,以便使用 AWS CloudFormation 通过专供 Amazon Bedrock 使用的 AWS KMS 客户托管密钥加密已预调配的资源。
由于此策略的长度,您需要将该策略作为内联策略进行附加。有关说明,请参阅“步骤 2:创建权限边界、服务角色和预调配角色”。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateStacks",
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:TagResource"
],
"Resource": "arn:aws:cloudformation:*:*:stack/DataZone*",
"Condition": {
"ForAnyValue:StringEquals": {
"aws:TagKeys": "AmazonDataZoneEnvironment"
},
"Null": {
"aws:ResourceTag/AmazonDataZoneEnvironment": "false"
}
}
},
{
"Sid": "ManageStacks",
"Effect": "Allow",
"Action": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack"
],
"Resource": "arn:aws:cloudformation:*:*:stack/DataZone*"
},
{
"Sid": "DenyOtherActionsNotViaCloudFormation",
"Effect": "Deny",
"NotAction": [
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents",
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:DeleteStack",
"cloudformation:TagResource"
],
"Resource": "*",
"Condition": {
"StringNotEqualsIfExists": {
"aws:CalledViaFirst": "cloudformation.amazonaws.com"
}
}
},
{
"Sid": "ListResources",
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"s3:ListAllMyBuckets",
"aoss:ListCollections",
"aoss:BatchGetCollection",
"aoss:ListAccessPolicies",
"aoss:ListSecurityPolicies",
"aoss:ListTagsForResource",
"bedrock:ListAgents",
"bedrock:ListKnowledgeBases",
"bedrock:ListGuardrails",
"bedrock:ListPrompts",
"bedrock:ListFlows",
"bedrock:ListTagsForResource",
"lambda:ListFunctions",
"logs:DescribeLogGroups",
"secretsmanager:ListSecrets"
],
"Resource": "*"
},
{
"Sid": "GetRoles",
"Effect": "Allow",
"Action": "iam:GetRole",
"Resource": [
"arn:aws:iam::*:role/DataZoneBedrockProject*",
"arn:aws:iam::*:role/AmazonBedrockExecution*",
"arn:aws:iam::*:role/BedrockStudio*"
]
},
{
"Sid": "CreateRoles",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:AttachRolePolicy",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy"
],
"Resource": [
"arn:aws:iam::*:role/DataZoneBedrockProject*",
"arn:aws:iam::*:role/AmazonBedrockExecution*",
"arn:aws:iam::*:role/BedrockStudio*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "ManageRoles",
"Effect": "Allow",
"Action": [
"iam:UpdateRole",
"iam:DeleteRole",
"iam:ListRolePolicies",
"iam:GetRolePolicy",
"iam:ListAttachedRolePolicies"
],
"Resource": [
"arn:aws:iam::*:role/DataZoneBedrockProject*",
"arn:aws:iam::*:role/AmazonBedrockExecution*",
"arn:aws:iam::*:role/BedrockStudio*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "PassRoleToBedrockService",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::*:role/AmazonBedrockExecution*",
"arn:aws:iam::*:role/BedrockStudio*"
],
"Condition": {
"StringEquals": {
"iam:PassedToService": "bedrock.amazonaws.com"
}
}
},
{
"Sid": "PassRoleToLambdaService",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::*:role/BedrockStudio*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "lambda.amazonaws.com"
}
}
},
{
"Sid": "CreateRoleForOpenSearchServerless",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "observability.aoss.amazonaws.com"
}
}
},
{
"Sid": "GetDataZoneBlueprintCfnTemplates",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"s3:ResourceAccount": "${aws:PrincipalAccount}"
}
}
},
{
"Sid": "CreateAndAccessS3Buckets",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:GetBucketPolicy",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy",
"s3:PutBucketTagging",
"s3:PutBucketCORS",
"s3:PutBucketLogging",
"s3:PutBucketVersioning",
"s3:PutBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"s3:PutLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::br-studio-*"
},
{
"Sid": "ManageOssAccessPolicies",
"Effect": "Allow",
"Action": [
"aoss:GetAccessPolicy",
"aoss:CreateAccessPolicy",
"aoss:DeleteAccessPolicy",
"aoss:UpdateAccessPolicy"
],
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"aoss:collection": "br-studio-*",
"aoss:index": "br-studio-*"
}
}
},
{
"Sid": "ManageOssSecurityPolicies",
"Effect": "Allow",
"Action": [
"aoss:GetSecurityPolicy",
"aoss:CreateSecurityPolicy",
"aoss:DeleteSecurityPolicy",
"aoss:UpdateSecurityPolicy"
],
"Resource": "*",
"Condition": {
"StringLikeIfExists": {
"aoss:collection": "br-studio-*"
}
}
},
{
"Sid": "ManageOssCollections",
"Effect": "Allow",
"Action": [
"aoss:CreateCollection",
"aoss:UpdateCollection",
"aoss:DeleteCollection"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "GetBedrockResources",
"Effect": "Allow",
"Action": [
"bedrock:GetAgent",
"bedrock:GetKnowledgeBase",
"bedrock:GetGuardrail",
"bedrock:GetPrompt",
"bedrock:GetFlow",
"bedrock:GetFlowAlias"
],
"Resource": "*"
},
{
"Sid": "ManageBedrockResources",
"Effect": "Allow",
"Action": [
"bedrock:CreateAgent",
"bedrock:UpdateAgent",
"bedrock:PrepareAgent",
"bedrock:DeleteAgent",
"bedrock:ListAgentAliases",
"bedrock:GetAgentAlias",
"bedrock:CreateAgentAlias",
"bedrock:UpdateAgentAlias",
"bedrock:DeleteAgentAlias",
"bedrock:ListAgentActionGroups",
"bedrock:GetAgentActionGroup",
"bedrock:CreateAgentActionGroup",
"bedrock:UpdateAgentActionGroup",
"bedrock:DeleteAgentActionGroup",
"bedrock:ListAgentKnowledgeBases",
"bedrock:GetAgentKnowledgeBase",
"bedrock:AssociateAgentKnowledgeBase",
"bedrock:DisassociateAgentKnowledgeBase",
"bedrock:UpdateAgentKnowledgeBase",
"bedrock:CreateKnowledgeBase",
"bedrock:UpdateKnowledgeBase",
"bedrock:DeleteKnowledgeBase",
"bedrock:ListDataSources",
"bedrock:GetDataSource",
"bedrock:CreateDataSource",
"bedrock:UpdateDataSource",
"bedrock:DeleteDataSource",
"bedrock:CreateGuardrail",
"bedrock:UpdateGuardrail",
"bedrock:DeleteGuardrail",
"bedrock:CreateGuardrailVersion",
"bedrock:CreatePrompt",
"bedrock:UpdatePrompt",
"bedrock:DeletePrompt",
"bedrock:CreatePromptVersion",
"bedrock:CreateFlow",
"bedrock:UpdateFlow",
"bedrock:PrepareFlow",
"bedrock:DeleteFlow",
"bedrock:ListFlowAliases",
"bedrock:GetFlowAlias",
"bedrock:CreateFlowAlias",
"bedrock:UpdateFlowAlias",
"bedrock:DeleteFlowAlias",
"bedrock:ListFlowVersions",
"bedrock:GetFlowVersion",
"bedrock:CreateFlowVersion",
"bedrock:DeleteFlowVersion"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "TagBedrockAgentAliases",
"Effect": "Allow",
"Action": "bedrock:TagResource",
"Resource": "arn:aws:bedrock:*:*:agent-alias/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/AmazonBedrockManaged": "true"
}
}
},
{
"Sid": "TagBedrockFlowAliases",
"Effect": "Allow",
"Action": "bedrock:TagResource",
"Resource": "arn:aws:bedrock:*:*:flow/*/alias/*",
"Condition": {
"Null": {
"aws:RequestTag/AmazonDataZoneEnvironment": "false"
}
}
},
{
"Sid": "CreateFunctions",
"Effect": "Allow",
"Action": [
"lambda:GetFunction",
"lambda:CreateFunction",
"lambda:InvokeFunction",
"lambda:DeleteFunction",
"lambda:UpdateFunctionCode",
"lambda:GetFunctionConfiguration",
"lambda:UpdateFunctionConfiguration",
"lambda:ListVersionsByFunction",
"lambda:PublishVersion",
"lambda:GetPolicy",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:ListTags"
],
"Resource": "arn:aws:lambda:*:*:function:br-studio-*"
},
{
"Sid": "ManageLogGroups",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:PutRetentionPolicy",
"logs:DeleteRetentionPolicy",
"logs:GetDataProtectionPolicy",
"logs:PutDataProtectionPolicy",
"logs:DeleteDataProtectionPolicy",
"logs:AssociateKmsKey",
"logs:DisassociateKmsKey",
"logs:ListTagsLogGroup",
"logs:ListTagsForResource"
],
"Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/br-studio-*"
},
{
"Sid": "GetRandomPasswordForSecret",
"Effect": "Allow",
"Action": "secretsmanager:GetRandomPassword",
"Resource": "*"
},
{
"Sid": "ManageSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:UpdateSecret",
"secretsmanager:DeleteSecret",
"secretsmanager:GetResourcePolicy",
"secretsmanager:PutResourcePolicy",
"secretsmanager:DeleteResourcePolicy"
],
"Resource": "arn:aws:secretsmanager:*:*:secret:br-studio/*"
},
{
"Sid": "UseCustomerManagedKmsKey",
"Effect": "Allow",
"Action": [
"kms:DescribeKey",
"kms:Encrypt",
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:CreateGrant",
"kms:RetireGrant"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/EnableBedrock": "true"
}
}
},
{
"Sid": "TagResources",
"Effect": "Allow",
"Action": [
"iam:TagRole",
"iam:UntagRole",
"aoss:TagResource",
"aoss:UntagResource",
"bedrock:TagResource",
"bedrock:UntagResource",
"lambda:TagResource",
"lambda:UntagResource",
"logs:TagLogGroup",
"logs:UntagLogGroup",
"logs:TagResource",
"logs:UntagResource",
"secretsmanager:TagResource",
"secretsmanager:UntagResource"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/AmazonBedrockManaged": "true"
}
}
}
]
}