AWS bedrock documentation change
Summary
Updated model requirements and swapped S3/Bedrock permissions in service role policies
Security assessment
Restructures permissions documentation but maintains equivalent access levels. Changes appear focused on accuracy rather than addressing security issues. Permission adjustments maintain principle of least privilege but don't introduce new security controls.
Diff
diff --git a/bedrock/latest/userguide/judge-service-roles.md b/bedrock/latest/userguide/judge-service-roles.md index 34d8cd70b..d22d079f8 100644 --- a//bedrock/latest/userguide/judge-service-roles.md +++ b//bedrock/latest/userguide/judge-service-roles.md @@ -19,12 +19 @@ You need to create a policy that allows Amazon Bedrock to invoke the models you -The service role must include access to at least one supported evaluator model. - - * Mistral Large – `mistral.mistral-large-2402-v1:0` - - * Anthropic Claude 3.5 Sonnet – `anthropic.claude-3-5-sonnet-20240620-v1:0` - - * Anthropic Claude 3 Haiku – anthropic.claude-3-5-haiku-20241022-v1:0 - - * Meta Llama 3.1 70B Instruct – `meta.llama3-1-70b-instruct-v1:0` - - - +The service role must include access to at least one supported evaluator model. For a list of currently supported evaluator models, see [Supported models](./evaluation-judge.html#evaluation-judge-supported). @@ -40,6 +29,3 @@ The service role must include access to at least one supported evaluator model. - "s3:GetObject", - "s3:ListBucket", - "s3:PutObject", - "s3:GetBucketLocation", - "s3:AbortMultipartUpload", - "s3:ListBucketMultipartUploads" + "bedrock:InvokeModel", + "bedrock:CreateModelInvocationJob", + "bedrock:StopModelInvocationJob" @@ -69,3 +55,6 @@ Your service role policy needs to include access to the Amazon S3 bucket where y - "bedrock:InvokeModel", - "bedrock:CreateModelInvocationJob", - "bedrock:StopModelInvocationJob" + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject", + "s3:GetBucketLocation", + "s3:AbortMultipartUpload", + "s3:ListBucketMultipartUploads"