AWS bedrock documentation change
Summary
Restructured documentation from conceptual explanation of project-level IAM policies to focused examples of IAM policies for Amazon Bedrock Projects, removing detailed boto3 implementation code and providing specific policy examples for read-only and full access.
Security assessment
The changes provide clearer examples of IAM policies for controlling access to Bedrock Projects resources, which is security documentation about access control. However, there is no evidence of addressing a specific security vulnerability, weakness, or incident. The changes appear to be routine documentation improvements to make policy examples more accessible and remove implementation details.
Diff
diff --git a/bedrock/latest/userguide/security-iam-projects.md b/bedrock/latest/userguide/security-iam-projects.md index e2c42eab3..5363e00a4 100644 --- a//bedrock/latest/userguide/security-iam-projects.md +++ b//bedrock/latest/userguide/security-iam-projects.md @@ -7 +7 @@ -Understanding Project-Level IAM PoliciesAttaching IAM Policies to Projects +Example IAM policies for Projects @@ -9 +9 @@ Understanding Project-Level IAM PoliciesAttaching IAM Policies to Projects -# Managing IAM policies on Projects +# IAM policies for Amazon Bedrock Projects @@ -11 +11 @@ Understanding Project-Level IAM PoliciesAttaching IAM Policies to Projects -Amazon Bedrock Projects support direct IAM policy attachment, allowing you to manage access control at the project resource level. This provides an alternative to managing policies on IAM users and roles. +You can use IAM policies to control access to Amazon Bedrock Projects resources. These are standard IAM identity-based policies that you attach to IAM users, groups, or roles. The policies use the `Resource` element to scope permissions to specific project ARNs. For general information about creating and managing IAM policies, see [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html) in the _IAM User Guide_. @@ -13 +13 @@ Amazon Bedrock Projects support direct IAM policy attachment, allowing you to ma -## Understanding Project-Level IAM Policies +## Example IAM policies for Projects @@ -15 +15 @@ Amazon Bedrock Projects support direct IAM policy attachment, allowing you to ma -Project-level IAM policies allow you to: +The following examples show IAM policy documents that grant access to Bedrock Projects resources. Attach these policies to IAM users, groups, or roles using the IAM console, CLI, or API. @@ -17 +17 @@ Project-level IAM policies allow you to: - * **Centralize access control** : Define permissions directly on the project resource +### Read-only access to a project @@ -19 +19 @@ Project-level IAM policies allow you to: - * **Simplify management** : Update access without modifying individual user/role policies +The following policy grants read-only access to a specific project: @@ -21 +20,0 @@ Project-level IAM policies allow you to: - * **Audit easily** : View all permissions for a project in one place @@ -23,21 +22 @@ Project-level IAM policies allow you to: - * **Delegate administration** : Allow project owners to manage access to their projects - - - - -## Attaching IAM Policies to Projects - -### Attach a Policy to Grant Access - -Attach an IAM policy directly to a project to grant permissions: - - - import boto3 - import json - - iam = boto3.client('iam', region_name='us-east-1') - - project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" - - # Define the identity-based policy document - policy_document = { + { @@ -47 +26 @@ Attach an IAM policy directly to a project to grant permissions: - "Sid": "AllowTeamAlphaAccess", + "Sid": "ReadOnlyProjectAccess", @@ -49,0 +29,2 @@ Attach an IAM policy directly to a project to grant permissions: + "bedrock-mantle:GetProject", + "bedrock-mantle:ListProjects", @@ -51 +32 @@ Attach an IAM policy directly to a project to grant permissions: - "bedrock-mantle:GetProject" + "bedrock-mantle:CreateInference" @@ -53 +34 @@ Attach an IAM policy directly to a project to grant permissions: - "Resource": project_arn + "Resource": "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" @@ -58,25 +39 @@ Attach an IAM policy directly to a project to grant permissions: - policy_json = json.dumps(policy_document) - - # Create a managed policy - create_response = iam.create_policy( - PolicyName="TeamAlphaAccessPolicy", - PolicyDocument=policy_json, - Description="Grants Team Alpha read access to the Bedrock project" - ) - - policy_arn = create_response['Policy']['Arn'] - print(f"Policy created: {policy_arn}") - - # Attach the policy to alice (IAM user) - iam.attach_user_policy( - UserName="alice", - PolicyArn=policy_arn - ) - print("Policy attached to alice") - - # Attach the policy to bob (IAM user) - iam.attach_user_policy( - UserName="bob", - PolicyArn=policy_arn - ) - print("Policy attached to bob") +### Full access to a project @@ -84,6 +41 @@ Attach an IAM policy directly to a project to grant permissions: - # Attach the policy to TeamAlphaRole (IAM role) - iam.attach_role_policy( - RoleName="TeamAlphaRole", - PolicyArn=policy_arn - ) - print("Policy attached to TeamAlphaRole") +The following policy grants full access to all Bedrock Projects actions on a specific project: @@ -91 +42,0 @@ Attach an IAM policy directly to a project to grant permissions: -### Grant Full Project Access to a Team @@ -93,12 +44 @@ Attach an IAM policy directly to a project to grant permissions: -Allow a team full access to manage and use a project: - - - import boto3 - import json - - iam = boto3.client('iam', region_name='us-east-1') - - project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" - - # Identity-based policy — no Principal block needed - policy_document = { + { @@ -111 +51 @@ Allow a team full access to manage and use a project: - "Resource": project_arn + "Resource": "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" @@ -116,72 +55,0 @@ Allow a team full access to manage and use a project: - # Create a managed policy - create_response = iam.create_policy( - PolicyName="DataScienceFullAccess", - PolicyDocument=json.dumps(policy_document), - Description="Grants DataScienceTeamRole full access to the Bedrock project" - ) - - policy_arn = create_response['Policy']['Arn'] - print(f"Policy created: {policy_arn}") - - # Attach to the DataScienceTeamRole - iam.attach_role_policy( - RoleName="DataScienceTeamRole", - PolicyArn=policy_arn - ) - - print("Full access policy attached to DataScienceTeamRole") - -### Grant Read-Only Access - -Attach a policy that allows viewing project details and making inference requests only: - - - import boto3 - import json - - iam = boto3.client('iam', region_name='us-east-1') - - project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" - - # Identity-based policy — no Principal block needed - policy_document = { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "ReadOnlyAccess", - "Effect": "Allow", - "Action": [ - "bedrock-mantle:CreateInference", - "bedrock-mantle:GetProject", - "bedrock-mantle:ListProjects", - "bedrock-mantle:ListTagsForResources" - ], - "Resource": project_arn - } - ] - } - - # Create a managed policy - create_response = iam.create_policy( - PolicyName="ReadOnlyAccessPolicy", - PolicyDocument=json.dumps(policy_document), - Description="Grants viewer1 and viewer2 read-only access to the Bedrock project" - ) - - policy_arn = create_response['Policy']['Arn'] - print(f"Policy created: {policy_arn}") - - # Attach to viewer1 - iam.attach_user_policy( - UserName="viewer1", - PolicyArn=policy_arn - ) - print("Policy attached to viewer1") - - # Attach to viewer2 - iam.attach_user_policy( - UserName="viewer2", - PolicyArn=policy_arn - ) - print("Policy attached to viewer2") -