AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2025-05-03 · Documentation medium

File: bedrock/latest/userguide/model-customization-iam-role.md

Summary

Added documentation for cross-region inference profile permissions in distillation jobs, including a sample IAM policy for invoking models across regions

Security assessment

The change documents IAM permission requirements for cross-region model invocations, which relates to access control configuration. While security-related in nature, there's no indication this addresses a specific vulnerability - rather it provides guidance for proper security configuration of cross-region operations.

Diff

diff --git a/bedrock/latest/userguide/model-customization-iam-role.md b/bedrock/latest/userguide/model-customization-iam-role.md
index 0e905ccfe..0d95a44e8 100644
--- a//bedrock/latest/userguide/model-customization-iam-role.md
+++ b//bedrock/latest/userguide/model-customization-iam-role.md
@@ -5 +5 @@
-Trust relationshipPermissions to access training and validation files and to write output files in S3
+Trust relationshipPermissions to access training and validation files and to write output files in S3(Optional) Permissions to create a Distillation job with a cross-region inference profiles
@@ -29,0 +30,2 @@ To use a custom role for model customization instead of the one Amazon Bedrock a
+  * (Optional) Permissions to create a Distillation job with a cross-region inference profiles
+
@@ -105,0 +108,26 @@ To restrict access to a specific folder in a bucket, add an `s3:prefix` conditio
+## (Optional) Permissions to create a Distillation job with a cross-region inference profiles
+
+To use a cross-region inference profile for a teacher model in a distillation job, the service role must have permissions to invoke the inference profile in an AWS Region, in addition to the model in each Region in the inference profile.
+
+For permissions to invoke with a cross-Region (system-defined) inference profile, use the following policy as a template for the permissions policy to attach to your service role:
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "CrossRegionInference",
+                "Effect": "Allow",
+                "Action": [  
+                    "bedrock:InvokeModel"
+                ],
+                "Resource": [
+                    "arn:aws:bedrock:${Region}:${AccountId}:inference-profile/${InferenceProfileId}",
+                    "arn:aws:bedrock:${Region1}::foundation-model/${ModelId}",
+                    "arn:aws:bedrock:${Region2}::foundation-model/${ModelId}",
+                ...
+                ]
+            }
+        ]
+    }
+