AWS bedrock documentation change
Summary
Added a complete IAM policy example showing how to control access to AWS Marketplace models using product ID condition keys and Bedrock invoke permissions
Security assessment
This change adds detailed IAM policy documentation for controlling access to AWS Marketplace models, which is a security best practice for implementing least-privilege access. It provides concrete examples of using condition keys to restrict marketplace subscriptions and model invocation, but doesn't indicate any specific security vulnerability being addressed.
Diff
diff --git a/bedrock/latest/userguide/model-access-product-ids.md b/bedrock/latest/userguide/model-access-product-ids.md index a1e798364..a3a7b967b 100644 --- a//bedrock/latest/userguide/model-access-product-ids.md +++ b//bedrock/latest/userguide/model-access-product-ids.md @@ -55,0 +56,34 @@ You can use the following template to attach an IAM policy that controls model a + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowBedrockModelAccess", + "Effect": "Allow", + "Action": [ + "aws-marketplace:Subscribe", + "aws-marketplace:Unsubscribe", + "aws-marketplace:ViewSubscriptions" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws-marketplace:ProductId": [ + "product-id-1", + "product-id-2" + ] + } + } + }, + { + "Sid": "AllowBedrockInvokeModel", + "Effect": "Allow", + "Action": [ + "bedrock:InvokeModel", + "bedrock:InvokeModelWithResponseStream" + ], + "Resource": "arn:aws:bedrock:*::foundation-model/*" + } + ] + } +