Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Restricting usage of Bedrock only through application inference profiles with tags in an AWS Organization

0

My developers need access to Claude models on Bedrock. I need to trace each Bedrock invocation to a specific individual, so I want to ensure that when a inference request is made, it is made through an application inference profile with a tag. I have tried the below SCP:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDirectModelAccess",
      "Effect": "Deny",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*::foundation-model/*"
    },
    {
      "Sid": "DenyInferenceProfileWithoutTags",
      "Effect": "Deny",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*:*:application-inference-profile/*",
      "Condition": {
        "Null": {
          "aws:ResourceTag/Project": "true"
        }
      }
    }
  ]
}

However it seems that since an AIP will make calls to the foundation model directly, blocking direct access to the FM will block the AIP too. Does anyone have an insight on how I can get around this?

Topics
Management & GovernanceMachine Learning & AISecurity, Identity, & ComplianceGenerative AI on AWS
Tags
AWS OrganizationsSecurity, Identity, & ComplianceAmazon Bedrock
Language
English
AWS
asked 7 months ago569 views
1 Answer
0

To restrict Amazon Bedrock usage to only application inference profiles with specific tags while still allowing those profiles to work properly, you need to modify your approach. Your current SCP has identified a key challenge: denying direct access to foundation models also prevents application inference profiles from working, as they need to invoke those models.

Here's a better approach to achieve your goal:

  1. Instead of denying access to foundation models completely, modify your policy to allow access to foundation models only when the request is coming through an application inference profile.

  2. You can implement a policy that:

  • Denies direct invocation of foundation models
  • Allows invocation through application inference profiles
  • Requires those profiles to have specific tags

A policy like this would allow your developers to use Claude models, but only through properly tagged application inference profiles, enabling you to trace each invocation to specific individuals or projects.

When creating application inference profiles, you can assign tags like "Project" or "UserId" to track usage. These profiles will have ARNs in the format arn:aws:bedrock:region:account-id:application-inference-profile/profile-id.

For your specific use case, you might want to implement conditions that check for the presence of required tags on the application inference profile resources, rather than denying access to the foundation models entirely.
Sources
Configure fine-grained access to Amazon Bedrock models using Amazon SageMaker Unified Studio | Artificial Intelligence
Identity-based policy examples for Amazon Bedrock - Amazon Bedrock
Add cost allocation tags to Amazon Bedrock on-demand models | AWS re:Post
CreateInferenceProfile - Amazon Bedrock

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content