本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
Amazon 基岩工作室基於身份的政策示例
以下是 Amazon 基岩工作室的政策示例。
管理工作區
若要建立和管理 Amazon 基岩工作室工作區和管理工作區成員,您需要下列IAM許可。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "datazone:CreateDomain", "datazone:ListDomains", "datazone:GetDomain", "datazone:UpdateDomain", "datazone:ListProjects", "datazone:ListTagsForResource", "datazone:UntagResource", "datazone:TagResource", "datazone:SearchUserProfiles", "datazone:SearchGroupProfiles", "datazone:UpdateGroupProfile", "datazone:UpdateUserProfile", "datazone:CreateUserProfile", "datazone:CreateGroupProfile", "datazone:PutEnvironmentBlueprintConfiguration", "datazone:ListEnvironmentBlueprints", "datazone:ListEnvironmentBlueprintConfigurations", "datazone:DeleteDomain" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:passedToService": "datazone.amazonaws.com" } } }, { "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Decrypt", "kms:CreateGrant", "kms:Encrypt", "kms:GenerateDataKey", "kms:ReEncrypt*", "kms:RetireGrant" ], "Resource": "
kms key for domain
" }, { "Effect": "Allow", "Action": [ "kms:ListKeys", "kms:ListAliases" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:ListRoles", "iam:GetPolicy", "iam:ListAttachedRolePolicies", "iam:GetPolicyVersion" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "sso:DescribeRegisteredRegions", "sso:ListProfiles", "sso:AssociateProfile", "sso:DisassociateProfile", "sso:GetProfile", "sso:ListInstances", "sso:CreateApplication", "sso:DeleteApplication", "sso:PutApplicationAssignmentConfiguration", "sso:PutApplicationGrant", "sso:PutApplicationAuthenticationMethod" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "bedrock:ListFoundationModels", "bedrock:ListProvisionedModelThroughputs", "bedrock:ListModelCustomizationJobs", "bedrock:ListCustomModels", "bedrock:ListTagsForResource", "bedrock:ListGuardrails", "bedrock:ListAgents", "bedrock:ListKnowledgeBases", "bedrock:GetFoundationModelAvailability" ], "Resource": "*" } ] }
權限界限
此原則是權限界限。權限界限會設定以身分識別為基礎的原則可授與主參與者的最大權限。IAM您不應該自行使用和附加 Amazon 基岩工作室許可邊界政策。Amazon 基岩工作室許可邊界政策只應附加至 Amazon 基岩工作室受管角色。如需有關權限界限的詳細資訊,請參閱《IAM使用指南》中的IAM實體權限界限。
當您建立 Amazon 基岩工作室專案、應用程式和元件時,Amazon 基岩工作室會將此許可界限套用到建立這些資源時產生的IAM角色。
Amazon 基岩工作室使用AmazonDataZoneBedrockPermissionsBoundary
受管政策來限制其所附加之已佈建IAM主體的許可。主體可能會採用 Amazon DataZone 可代表 Amazon 基岩工作室使用者承擔的使用者角色形式,然後執行讀取和寫入 Amazon S3 物件或叫用 Amazon 基岩代理程式等動作。
該AmazonDataZoneBedrockPermissionsBoundary
政策授予 Amazon 基岩工作室的讀取和寫入訪問權限,例如 Amazon S3,Amazon 基岩,Amazon 無服務器和 OpenSearch AWS Lambda。 該政策還為使用這些服務所需的某些基礎設施資源提供讀取和寫入許可,例如 AWS Secrets Manager 密碼、Amazon CloudWatch 日誌群組和 AWS KMS
鑰匙。
此原則包含下列權限集。
s3
— 允許讀取和寫入存取 Amazon S3 儲存貯體中由 Amazon 基岩工作室管理的物件。bedrock
— 授予使用 Amazon 基岩工作室管理的 Amazon 基岩代理程式、知識庫和護欄的能力。aoss
— 允許API訪問由 Amazon 基岩工作室管理的 Amazon OpenSearch 無服務器集合。lambda
— 授予叫用由 Amazon 基岩工作室管理的 AWS Lambda 函數的能力。secretsmanager
— 允許讀取和寫入訪問由 Amazon 基岩工作室管 Secrets Manager 的秘密管理器秘密。AWSlogs
— 提供對 Amazon 基岩工作室管理的 Amazon CloudWatch 日誌的寫入訪問權限。kms
— 授予使用AWSKMS金鑰以加密 Amazon 基岩工作室資料的存取權。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AccessS3Buckets", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:ListBucketVersions", "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion" ], "Resource": "arn:aws:s3:::br-studio-${aws:PrincipalAccount}-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "AccessOpenSearchCollections", "Effect": "Allow", "Action": "aoss:APIAccessAll", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "InvokeBedrockModels", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": "arn:aws:bedrock:*::foundation-model/*" }, { "Sid": "AccessBedrockResources", "Effect": "Allow", "Action": [ "bedrock:InvokeAgent", "bedrock:Retrieve", "bedrock:StartIngestionJob", "bedrock:GetIngestionJob", "bedrock:ListIngestionJobs", "bedrock:ApplyGuardrail", "bedrock:ListPrompts", "bedrock:GetPrompt", "bedrock:CreatePrompt", "bedrock:DeletePrompt", "bedrock:CreatePromptVersion", "bedrock:InvokeFlow", "bedrock:ListTagsForResource", "bedrock:TagResource", "bedrock:UntagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "RetrieveAndGenerate", "Effect": "Allow", "Action": "bedrock:RetrieveAndGenerate", "Resource": "*" }, { "Sid": "WriteLogs", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/br-studio-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "InvokeLambdaFunctions", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:*:*:function:br-studio-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "AccessSecretsManagerSecrets", "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue" ], "Resource": "arn:aws:secretsmanager:*:*:secret:br-studio/*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/AmazonBedrockManaged": "true" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } }, { "Sid": "UseKmsKeyWithBedrock", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/EnableBedrock": "true" }, "Null": { "kms:EncryptionContext:aws:bedrock:arn": "false" } } }, { "Sid": "UseKmsKeyWithAwsServices", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}", "aws:ResourceTag/EnableBedrock": "true" }, "StringLike": { "kms:ViaService": [ "s3.*.amazonaws.com", "secretsmanager.*.amazonaws.com" ] } } }, { "Sid": "GetDataZoneEnvCfnStacks", "Effect": "Allow", "Action": [ "cloudformation:GetTemplate", "cloudformation:DescribeStacks" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone-Env-*", "Condition": { "StringEquals": { "aws:ResourceAccount": "${aws:PrincipalAccount}" }, "Null": { "aws:ResourceTag/AmazonDataZoneProject": "false" } } } ] }