
SCP Error while deploying cross region inference

0

I am planning on migrating Claude from 3.5 to 4 and also want to implement cross region inference.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "BedrockKnowledgeBaseAccess",
          "Effect": "Allow",
          "Action": [
            "bedrock:Retrieve"
          ],
          "Resource": "arn:aws:bedrock:us-east-1:169108430853:knowledge-base/4VNJFRDDSB"
        },
        {
          "Sid": "ClaudeSonnet4USInferenceProfile",
          "Effect": "Allow",
          "Action": [
            "bedrock:InvokeModel",
            "bedrock:InvokeModelWithResponseStream"
          ],
          "Resource": [
            "arn:aws:bedrock:us-east-1:169108430853:inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0",
            "arn:aws:bedrock:us-east-1:169108430853:inference-profile/global.anthropic.claude-sonnet-4-20250514-v1:0"
          ]
        },
        {
          "Sid": "ClaudeSonnet4DestinationRegions",
          "Effect": "Allow",
          "Action": [
            "bedrock:InvokeModel",
            "bedrock:InvokeModelWithResponseStream"
          ],
          "Resource": "arn:aws:bedrock:*::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0"
        }
      ]
    }

This is my policy.

    An error occurred (AccessDeniedException) when calling the InvokeModel operation: User: arn:aws:sts::128071099072:assumed-role/ap-tf-ppl-chat-bot-p-aws-use1-lambda-role/ap-tf-ppl-chat-bot-p-aws-use1-lambda is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0 with an explicit deny in a service control policy.

I am getting this error. The client is saying they have not added any SCPs.

1 Answer
0
Accepted Answer

The error you're encountering is related to Service Control Policies (SCPs) blocking cross-Region inference for Amazon Bedrock. Even though your client claims they haven't added any SCPs, the error message clearly indicates there is "an explicit deny in a service control policy" affecting your ability to use cross-Region inference.

For cross-Region inference to work properly with Amazon Bedrock, you need to ensure that all potential destination Regions in the inference profile are allowed in your SCPs. If any destination Region in a cross-Region inference profile is blocked by SCPs, the request will fail even if other Regions remain allowed.

Here are some steps to resolve this issue:

  1. Verify if there are any organization-level SCPs that might be denying access to certain Regions. Common scenarios include landing zone configurations that deny access to Regions not explicitly allowed.

  2. Check if there's a Region deny policy (like GRREGIONDENY) that's blocking access to some of the Regions included in the cross-Region inference profile.

  3. Modify the existing SCPs to allow Amazon Bedrock inference actions in all destination Regions included in your chosen inference profile. You'll need to add exceptions for bedrock:InvokeModel* operations in the Regions where Claude 4 Sonnet is available.

  4. For your IAM policy, ensure you have the necessary permissions for using inference profiles:

  • Add bedrock:GetInferenceProfile, bedrock:ListInferenceProfiles, and bedrock:UseInferenceProfile permissions for the inference profile resources.

The error specifically mentions that the operation is being denied on the resource arn:aws:bedrock:::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0, which suggests that the SCP is blocking access to this foundation model in one of the Regions that the cross-Region inference is attempting to use.
Sources
Enable Amazon Bedrock cross-Region inference in multi-account environments | AWS Machine Learning Blog
CDK - Resource handler returned message: "Access denied for operation 'AWS::Bedrock::Agent'." when creating an agent with foundationModel set as inference-profile. | AWS re:Post
Implementing Cross-Region Inference with Amazon Bedrock while Maintaining Your Landing Zone Structure | AWS re:Post
How inference works in Amazon Bedrock - Amazon Bedrock

answered a month ago
AWS
EXPERT
reviewed a month ago
