Ensure that permissions boundaries are set for the IAM identities (users and roles) used by Amazon Bedrock in order to control the maximum permissions they can have. A permissions boundary is an IAM restriction (similar to a Service Control Policy) that defines the maximum permissions an IAM user or role within your AWS account is allowed to have. This feature lets others perform tasks on your behalf within a specific boundary of permissions. As an IAM administrator, you can define one or more permissions boundaries using managed policies and allow another user in your organization to create a principal with that boundary. The trusted user can then attach a permissions policy to this principal. However, the effective permissions of the newly created principal are the intersection of the permissions boundary and the permissions policy, so the principal can never exceed the boundary you define. Specifically, you can grant another user permission to create IAM roles and assign permissions to them, and by using a permissions boundary you can ensure that those new IAM roles can only access certain actions and resources in a particular AWS region.
As your organization grows, you may need to allow trusted employees to configure and manage IAM permissions so that your organization can scale permission management and move workloads to the AWS cloud faster. For example, you might need to grant a developer the ability to create and manage permissions for an IAM role required to launch Amazon Bedrock Studio workspaces. This ability is powerful and can be used inappropriately, or accidentally, to attach an administrator access policy, which would grant full access to all resources within the AWS account. With permissions boundaries, you can control the maximum permissions that your employees can grant to the IAM principals (i.e., users and roles) they create and manage.
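The intersection rule described above, and the audit check that a boundary is actually attached, as an added example (not code from the page or from AWS). It assumes a constructed boundary that limits two Bedrock actions to us-east-1 via the aws:RequestedRegion condition key, a constructed over-permissive bedrock:* permissions policy, and constructed `aws iam get-role` outputs; the evaluator is a deliberately simplified model of IAM policy evaluation (action wildcards and one condition key only), not the full AWS logic.

```python
import fnmatch
import json

# Constructed sample policies (not from the page): a boundary that caps Bedrock
# access to one region, and a permissions policy that over-grants bedrock:*.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel", "bedrock:ListFoundationModels"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
    }],
}
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}],
}
# Constructed `aws iam get-role` outputs: one role with a boundary, one without.
ROLE_WITH_BOUNDARY = json.dumps({"Role": {"RoleName": "BedrockStudioRole",
    "PermissionsBoundary": {"PermissionsBoundaryType": "Policy",
        "PermissionsBoundaryArn": "arn:aws:iam::123456789012:policy/BedrockBoundary"}}})
ROLE_WITHOUT_BOUNDARY = json.dumps({"Role": {"RoleName": "BedrockStudioRole"}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allowed(policy, action, region):
    """Simplified IAM evaluation: explicit Deny wins, else any matching Allow grants.
    Only Action wildcards and the aws:RequestedRegion condition are modelled."""
    decision = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:RequestedRegion")
        if wanted is not None and region not in _as_list(wanted):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def effective_allow(boundary, permissions_policy, action, region):
    """Effective permission is the intersection: both documents must allow."""
    return _allowed(boundary, action, region) and _allowed(permissions_policy, action, region)

def has_boundary(get_role_output):
    """Audit check on get-role JSON: PermissionsBoundary.PermissionsBoundaryArn is set."""
    role = json.loads(get_role_output)["Role"]
    return bool(role.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn"))
```

Even though the permissions policy grants bedrock:* everywhere, the boundary leaves the role with only the two listed actions in us-east-1; the same check applies to `aws iam get-user` output, where the field sits under `User` instead of `Role`.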
Audit
To determine whether the IAM identities used by Amazon Bedrock have permissions boundaries configured to control the maximum permissions they can acquire, perform the following operations:
Remediation / Resolution
To set up permissions boundaries for the IAM identities used by Amazon Bedrock in order to control the maximum permissions these IAM entities can obtain, perform the following operations:
A permissions boundary limits the maximum permissions, but does not grant access on its own. Only permissions policies grant permissions, and those grants are then limited by the permissions boundary. The IAM identities presented as examples in this section have attached permissions policies that need to be limited in this way.
References
- AWS Documentation
- IAM Identities (users, user groups, and roles)
- IAM users
- Managing IAM users
- IAM roles
- Managing IAM roles
- Access management for AWS resources
- Permissions boundaries for IAM entities
- Policy evaluation logic
- Identity-based policy examples for Amazon Bedrock
- AWS Command Line Interface (CLI) Documentation
- list-attached-user-policies
- get-policy-version
- list-user-policies
- get-user-policy
- get-user
- list-attached-role-policies
- get-policy-version
- list-role-policies
- get-role-policy
- get-role
- put-user-permissions-boundary
- put-role-permissions-boundary