Configure Permissions Boundaries for IAM Identities used by Amazon Bedrock

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that permissions boundaries are set for IAM identities (users and roles) used by Amazon Bedrock in order to control the maximum permissions they can have. Permissions boundaries are IAM restrictions (similar to Service Control Policies) that define the maximum allowed permissions for an IAM user or role within your AWS cloud account. This feature allows others to perform tasks on your behalf within a specific boundary of permissions. As an IAM administrator, you can define one or more permissions boundaries using managed policies and allow another user in your organization to create a principal with this boundary. The trusted user can then attach a permissions policy to this principal. However, the effective permissions of the newly created principal are the intersection of the permissions boundary and the permissions policy, so the principal cannot exceed the boundary you define. Specifically, you can grant another user permission to create IAM roles and assign permissions. By using a permissions boundary, you can ensure that those new IAM roles can only access certain actions and resources in a particular AWS region.
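
To make the intersection rule concrete, the following Python model is an added example (not from the Conformity article) of how a boundary caps a permissions policy; the boundary document, its region condition and the helper names are constructed for illustration.

```python
"""Simplified model of how a permissions boundary caps an identity's permissions
policy. Added example, not from the Conformity article: real IAM evaluation also
weighs SCPs, resource and session policies; only the identity policy, the boundary
and the aws:RequestedRegion condition key are modelled here."""
import fnmatch

# Constructed sample: an AmazonBedrockFullAccess-style permissions policy that
# grants every bedrock: action on every resource in every region.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["bedrock:*"], "Resource": "*"}],
}

# Constructed boundary (hypothetical content for tm-bedrock-boundary-policy):
# only model invocation, and only when the request targets us-east-1.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_matches(stmt, action, region):
    # IAM action names are case-insensitive and support '*' wildcards.
    patterns = (p.lower() for p in _as_list(stmt.get("Action", [])))
    if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:RequestedRegion")
    return wanted is None or region in _as_list(wanted)

def policy_decision(policy, action, region):
    """'Deny' on an explicit deny, 'Allow' on a matching Allow, else 'Implicit' (deny)."""
    decision = "Implicit"
    for stmt in _as_list(policy["Statement"]):
        if _statement_matches(stmt, action, region):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(action, region, policy=PERMISSIONS_POLICY, boundary=BOUNDARY_POLICY):
    """Effective permission is the intersection: both documents must allow the call."""
    return (policy_decision(policy, action, region) == "Allow"
            and policy_decision(boundary, action, region) == "Allow")
```

With the full-access policy alone every Bedrock action would pass; with the boundary attached, only the two invocation actions in us-east-1 remain effective.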

Security

As your organization grows, you may need to allow your trusted employees to configure and manage IAM permissions to help your organization scale permission management and move workloads to AWS cloud faster. For example, you might need to grant a developer the ability to create and manage permissions for an IAM role required to launch Amazon Bedrock Studio workspaces. This ability is quite powerful and can be used inappropriately or accidentally to attach an administrator access policy, obtaining full access to all resources within an AWS account. With permissions boundaries, you can easily control the maximum permissions that your employees can grant to the IAM principals (i.e., users and roles) that they create and manage.


Audit

To determine if the IAM identities used by Amazon Bedrock have permissions boundaries configured to control the maximum permissions that these can acquire, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Users or Roles, depending on the identity type that you want to examine.

04 Click on the name (link) of the IAM user/role that you want to examine.

05 Select the Permissions tab to access the policies attached to the selected IAM identity.

06 In the Permissions policies section, click on the Expand button (i.e. plus icon) available next to each managed/inline policy, and check the "Action" element value for operations that start with "bedrock:*", such as "bedrock:InvokeModel", "bedrock:ApplyGuardrail", and "bedrock:ListIngestionJobs". If the "Action" element value contains one or more "bedrock:*" operations, the selected IAM identity is used by Amazon Bedrock, therefore, you can continue the Audit process with the next step.

07 Choose Permissions boundary under Permissions policies and check for any assigned IAM policies. If there is no IAM policy configured as the permissions boundary, the selected Amazon IAM identity does not have any permissions boundaries set.

08 Repeat steps no. 4 – 7 for each Amazon IAM identity that you want to check for permissions boundaries.

Using AWS CLI

01 Based on the Amazon IAM identity type that you want to examine, perform one of the following sets of commands:

  1. For IAM users:
    1. Run list-attached-user-policies command (OSX/Linux/UNIX) with the name of the Amazon IAM user that you want to examine as the identifier parameter and custom output filtering to list the ARN of each managed policy attached to the selected user:
      aws iam list-attached-user-policies \
        --user-name tm-bedrock-studio-developer \
        --query 'AttachedPolicies[*].PolicyArn'
      
    2. The command output should return an array with the requested IAM managed policy ARN(s):
      [
      	"arn:aws:iam::aws:policy/AmazonBedrockFullAccess"
      ]
      
    3. Run get-policy-version command (OSX/Linux/UNIX) with the ARN of the IAM managed policy that you want to examine as the identifier parameter and custom filtering to describe the policy document (JSON format) defined for the selected policy version:
      aws iam get-policy-version \
        --policy-arn arn:aws:iam::aws:policy/AmazonBedrockFullAccess \
        --version-id v1 \
        --query 'PolicyVersion.Document'
      
    4. The command output should return the requested IAM policy document. Check the "Action" element value for operations that start with "bedrock:*", such as "bedrock:InvokeModel", "bedrock:ApplyGuardrail", and "bedrock:ListIngestionJobs". If the "Action" element value contains one or more "bedrock:*" operations, the selected IAM identity is used by Amazon Bedrock, therefore, you can continue the Audit process with the next step:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Sid": "BedrockAll",
      			"Effect": "Allow",
      			"Action": [
      				"bedrock:*"
      			],
      			"Resource": "*"
      		},
      		{
      			"Sid": "DescribeKey",
      			"Effect": "Allow",
      			"Action": [
      				"kms:DescribeKey"
      			],
      			"Resource": "arn:*:kms:*:::*"
      		},
      		{
      			"Sid": "APIsWithAllResourceAccess",
      			"Effect": "Allow",
      			"Action": [
      				"iam:ListRoles",
      				"ec2:DescribeVpcs",
      				"ec2:DescribeSubnets",
      				"ec2:DescribeSecurityGroups"
      			],
      			"Resource": "*"
      		},
      		{
      			"Sid": "PassRoleToBedrock",
      			"Effect": "Allow",
      			"Action": [
      				"iam:PassRole"
      			],
      			"Resource": "arn:aws:iam::*:role/*AmazonBedrock*",
      			"Condition": {
      				"StringEquals": {
      					"iam:PassedToService": [
      						"bedrock.amazonaws.com"
      					]
      				}
      			}
      		}
      	]
      }
      
    5. Run list-user-policies command (OSX/Linux/UNIX) with the name of the Amazon IAM user that you want to examine as the identifier parameter and custom output filters to list the name of each inline policy associated with the selected user:
      aws iam list-user-policies \
        --user-name tm-bedrock-studio-developer \
        --query 'PolicyNames'
      
    6. The command output should return an array with the requested inline IAM policy name(s):
      [
      	"tm-bedrock-inline-policy"
      ]
      
    7. Run get-user-policy command (OSX/Linux/UNIX) with the name of the IAM inline policy that you want to examine as the identifier parameter, to describe the policy document (JSON format) defined for the selected inline policy:
      aws iam get-user-policy \
        --user-name tm-bedrock-studio-developer \
        --policy-name tm-bedrock-inline-policy \
        --query 'PolicyDocument'
      
    8. The command output should return the requested inline policy document. Check the "Action" element value for operations that start with "bedrock:*", such as "bedrock:InvokeModel", "bedrock:ApplyGuardrail", and "bedrock:ListIngestionJobs". If the "Action" element value contains one or more "bedrock:*" operations, the selected IAM identity is used by Amazon Bedrock, therefore, you can continue the Audit process with the next step:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Effect": "Allow",
      			"Action": "bedrock:ApplyGuardrail",
      			"Resource": "arn:aws:bedrock:*:123456789012:guardrail/*"
      		}
      	]
      }
      
    9. Run get-user command (OSX/Linux/UNIX) with the name of the Amazon IAM user that you want to examine as the identifier parameter, to describe the permissions boundary configuration information available for the selected IAM user:
      aws iam get-user \
        --user-name tm-bedrock-studio-developer \
        --query "User.PermissionsBoundary"
      
    10. If the get-user command output returns null, as shown in the example below, the selected Amazon IAM user does not have any permissions boundaries set:
      null
      
  2. For IAM roles:
    1. Run list-attached-role-policies command (OSX/Linux/UNIX) with the name of the Amazon IAM role that you want to examine as the identifier parameter and custom output filters to list the Amazon Resource Name (ARN) of each managed policy attached to the selected role:
      aws iam list-attached-role-policies \
        --role-name tm-bedrock-prov-role \
        --query 'AttachedPolicies[*].PolicyArn'
      
    2. The command output should return the ARN of each managed policy attached to the selected role:
      [
      	"arn:aws:iam::123456789012:policy/tm-bedrock-managed-policy"
      ]
      
    3. Run get-policy-version command (OSX/Linux/UNIX) with the ARN of the IAM managed policy that you want to examine as the identifier parameter and custom filtering to describe the policy document (JSON format) defined for the selected policy version:
      aws iam get-policy-version \
        --policy-arn arn:aws:iam::123456789012:policy/tm-bedrock-managed-policy \
        --version-id v1 \
        --query 'PolicyVersion.Document'
      
    4. The command output should return the requested IAM policy document. Check the "Action" element value for operations that start with "bedrock:*", such as "bedrock:InvokeModel", "bedrock:ApplyGuardrail", and "bedrock:ListIngestionJobs". If the "Action" element value contains one or more "bedrock:*" operations, the selected IAM identity is used by Amazon Bedrock, therefore, you can continue the Audit process with the next step:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Effect": "Allow",
      			"Action": [
      				"bedrock:*"
      			],
      			"Resource": "*"
      		}
      	]
      }
      
    5. Run list-role-policies command (OSX/Linux/UNIX) with the name of the Amazon IAM role that you want to examine as the identifier parameter and custom output filtering to list the name of each inline policy attached to the selected role:
      aws iam list-role-policies \
        --role-name tm-bedrock-prov-role \
        --query 'PolicyNames'
      
    6. The command output should return the name of each inline policy associated with the selected role:
      [
      	"tm-bedrock-inline-policy"
      ]
      
    7. Run get-role-policy command (OSX/Linux/UNIX) with the name of the IAM inline policy that you want to examine as the identifier parameter, to describe the policy document (JSON format) defined for the selected inline policy:
      aws iam get-role-policy \
        --role-name tm-bedrock-prov-role \
        --policy-name tm-bedrock-inline-policy \
        --query 'PolicyDocument'
      
    8. The command output should return the requested inline policy document. Check the "Action" element value for operations that start with "bedrock:*", such as "bedrock:InvokeModel", "bedrock:ApplyGuardrail", and "bedrock:ListIngestionJobs". If the "Action" element value contains one or more "bedrock:*" operations, the selected IAM identity is used by Amazon Bedrock, therefore, you can continue the Audit process with the next step:
      {
      	"Version": "2012-10-17",
      	"Statement": [
      		{
      			"Effect": "Allow",
      			"Action": "bedrock:InvokeModel",
      			"Resource": [
      				"arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-premier-v1:0"
      			]
      		}
      	]
      }
      
    9. Run get-role command (OSX/Linux/UNIX) with the name of the Amazon IAM role that you want to examine as the identifier parameter, to describe the permissions boundary configuration available for the selected IAM role:
      aws iam get-role \
        --role-name tm-bedrock-prov-role \
        --query "Role.PermissionsBoundary"
      
    10. If the get-role command output returns null, as shown in the example below, the selected Amazon IAM role does not have any permissions boundaries configured:
      null
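
The CLI steps above can be automated. The Python below is an added example (not Conformity's own check) that applies the same Bedrock-action and permissions-boundary tests to every role through boto3, using a constructed inline policy document for offline use; the function names and verdict strings are assumptions.

```python
"""Audit helper for the CLI steps above: flag IAM roles whose policies grant
Bedrock actions but that carry no permissions boundary. Added example, not the
Conformity check itself; the pure functions run offline on a constructed sample,
audit_roles() needs boto3 and the same credentials the aws CLI would use."""

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grants_bedrock(policy_document):
    """True if any Allow statement names a bedrock: action (or the bare '*')."""
    for stmt in _as_list(policy_document.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.lower().startswith("bedrock:"):
                return True
    return False

def assess(policy_documents, permissions_boundary):
    """'NOT_BEDROCK', 'OK' (boundary set) or 'MISSING_BOUNDARY' for one identity."""
    if not any(grants_bedrock(doc) for doc in policy_documents):
        return "NOT_BEDROCK"
    return "OK" if permissions_boundary else "MISSING_BOUNDARY"

def audit_roles(iam):
    """Walk every role with a boto3 IAM client, mirroring CLI steps 1-9 for roles."""
    findings = {}
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            name, docs = role["RoleName"], []
            for att in iam.list_attached_role_policies(RoleName=name)["AttachedPolicies"]:
                # read the default version rather than the article's fixed --version-id v1
                version = iam.get_policy(PolicyArn=att["PolicyArn"])["Policy"]["DefaultVersionId"]
                doc = iam.get_policy_version(PolicyArn=att["PolicyArn"], VersionId=version)
                docs.append(doc["PolicyVersion"]["Document"])
            for pname in iam.list_role_policies(RoleName=name)["PolicyNames"]:
                docs.append(iam.get_role_policy(RoleName=name, PolicyName=pname)["PolicyDocument"])
            # list_roles omits PermissionsBoundary, so get_role is needed (CLI step 9)
            boundary = iam.get_role(RoleName=name)["Role"].get("PermissionsBoundary")
            findings[name] = assess(docs, boundary)
    return findings

# Constructed sample: the inline policy document shown in the audit steps for roles.
SAMPLE_INLINE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": "bedrock:InvokeModel",
    "Resource": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-premier-v1:0"}]}

if __name__ == "__main__":
    import boto3  # only needed for the live walk
    print(audit_roles(boto3.client("iam")))
```

A role that grants no Bedrock action is reported as NOT_BEDROCK rather than as a finding, matching the article's rule that only identities used by Bedrock are in scope.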
      

Remediation / Resolution

To set up permissions boundaries for the IAM identities used by Amazon Bedrock in order to control the maximum permissions that these IAM entities can get, perform the following operations:

A permissions boundary limits the maximum permissions, but does not grant access on its own. Only permissions policies grant access, and permissions boundaries can only restrict what those policies grant. The Amazon IAM identities presented as examples in this section have attached permissions policies that require such limitations.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Identity and Access Management (IAM) console available at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Users or Roles, depending on the identity type that you want to configure.

04 Click on the name (link) of the IAM user/role that you want to configure.

05 Select the Permissions tab, choose Permissions boundary, and select Set permissions boundary.

06 On the Set the permissions boundary page for the selected identity, select a managed policy (customer-managed or AWS-managed policy) to set as the permissions boundary for the selected IAM user/role, then choose Set boundary to apply the chosen permissions boundary.

07 Repeat steps no. 4 – 6 to set up permissions boundaries for other Amazon IAM identities that require permissions limitations.

Using AWS CLI

01 Based on the Amazon IAM identity type that you want to configure, perform one of the following commands:

  1. For IAM users:
    1. To set permissions boundaries for a specific Amazon IAM user, run put-user-permissions-boundary command (OSX/Linux/UNIX) using the name of the IAM user that you want to configure as the identifier parameter, and the Amazon Resource Name (ARN) of the managed policy that you want to set as the permissions boundary as the value for the --permissions-boundary parameter (the command request does not produce an output):
      aws iam put-user-permissions-boundary \
        --user-name tm-bedrock-studio-developer \
        --permissions-boundary arn:aws:iam::123456789012:policy/tm-bedrock-boundary-policy
      
  2. For IAM roles:
    1. To set permissions boundaries for a specific Amazon IAM role, run put-role-permissions-boundary command (OSX/Linux/UNIX) using the name of the IAM role that you want to configure as the identifier parameter, and the ARN of the managed policy that you want to set as the role's permissions boundary as the value for the --permissions-boundary parameter (the command request does not return an output):
      aws iam put-role-permissions-boundary \
        --role-name tm-bedrock-prov-role \
        --permissions-boundary arn:aws:iam::123456789012:policy/tm-bedrock-boundary-policy
      

02 Repeat step no. 1 to set up permissions boundaries for other Amazon IAM identities that require permissions limitations.

Publication date Jul 24, 2024