Amazon Bedrock (bedrock)

2023-12-02

20 new actions, 3 new resources | 9 updated actions, 3 updated resources | 2 removed actions

Additions

    Actions
  • CreateGuardrail
    • Description:  Grants permission to create a new guardrail
    • Access:  Write
    • Conditions: 

      aws:RequestTag/${TagKey}

      aws:TagKeys

  • CreateGuardrailVersion
    • Description:  Grants permission to create a new guardrail version
    • Access:  Write
    • Resources: 

      Name: guardrail

      Required: Yes

  • CreateModelEvaluationJob
    • Description:  Grants permission to create a job for evaluating foundation models or custom models
    • Access:  Write
    • Resources: 

      Name: custom-model

      Required: Yes

      Name: foundation-model

      Required: Yes

    • Conditions: 

      aws:RequestTag/${TagKey}

      aws:TagKeys

  • CreateModelInvocationJob
    • Description:  Grants permission to create a new model invocation job
    • Access:  Write
    • Resources: 

      Name: custom-model

      Required: Yes

      Name: foundation-model

      Required: Yes

    • Conditions: 

      aws:RequestTag/${TagKey}

      aws:TagKeys

  • DeleteAgent
    • Description:  Grants permission to delete an Agent that you created earlier
    • Access:  Write
    • Resources: 

      Name: agent

      Required: Yes

  • DeleteAgentActionGroup
    • Description:  Grants permission to delete an actionGroup that you created earlier
    • Access:  Write
    • Resources: 

      Name: agent

      Required: Yes

  • DeleteAgentAlias
    • Description:  Grants permission to delete an AgentAlias that you created earlier
    • Access:  Write
    • Resources: 

      Name: agent-alias

      Required: Yes

  • DeleteAgentVersion
    • Description:  Grants permission to delete an Agent Version that you created earlier
    • Access:  Write
    • Resources: 

      Name: agent

      Required: Yes

  • DeleteGuardrail
    • Description:  Grants permission to delete a guardrail or its version
    • Access:  Write
    • Resources: 

      Name: guardrail

      Required: Yes

  • GetGuardrail
    • Description:  Grants permission to retrieve a guardrail or its version
    • Access:  Read
    • Resources: 

      Name: guardrail

      Required: Yes

  • GetModelEvaluationJob
    • Description:  Grants permission to get the properties associated with a model-evaluation job. Use this operation to get the status of a model-evaluation job
    • Access:  Read
    • Resources: 

      Name: model-evaluation-job

      Required: Yes

  • GetModelInvocationJob
    • Description:  Grants permission to retrieve a model invocation job
    • Access:  Read
    • Resources: 

      Name: model-invocation-job

      Required: Yes

  • ListGuardrails
    • Description:  Grants permission to list guardrails or their versions
    • Access:  List
    • Resources: 

      Name: guardrail

      Required: No

  • ListModelEvaluationJobs
    • Description:  Grants permission to get the list of model evaluation jobs that you have submitted
    • Access:  List
  • ListModelInvocationJobs
    • Description:  Grants permission to list model invocation jobs that you created earlier
    • Access:  List
  • PrepareAgent
    • Description:  Grants permission to prepare an existing agent to receive runtime requests
    • Access:  Write
    • Resources: 

      Name: agent

      Required: Yes

  • Retrieve
    • Description:  Grants permission to retrieve ingested data from a knowledge base
    • Access:  Read
    • Resources: 

      Name: knowledge-base

      Required: Yes

  • RetrieveAndGenerate
    • Description:  Grants permission to send user input to perform retrieval and generation
    • Access:  Write
  • StopModelInvocationJob
    • Description:  Grants permission to stop a model invocation job that you started earlier
    • Access:  Write
    • Resources: 

      Name: model-invocation-job

      Required: Yes

  • UpdateGuardrail
    • Description:  Grants permission to update a guardrail
    • Access:  Write
    • Resources: 

      Name: guardrail

      Required: Yes

    Resources
  • model-evaluation-job
    • Arn:  arn:${Partition}:bedrock:${Region}:${Account}:model-evaluation-job/${ResourceId}
    • Conditions: 

      aws:ResourceTag/${TagKey}

  • model-invocation-job
    • Arn:  arn:${Partition}:bedrock:${Region}:${Account}:model-invocation-job/${JobIdentifier}
    • Conditions: 

      aws:ResourceTag/${TagKey}

  • guardrail
    • Arn:  arn:${Partition}:bedrock:${Region}:${Account}:guardrail/${GuardrailId}
    • Conditions: 

      aws:ResourceTag/${TagKey}

Updates

    Actions
  • CreateAgent
      Conditions
    • + aws:RequestTag/${TagKey}
    • + aws:TagKeys
  • CreateAgentActionGroup
      Conditions
    • + aws:RequestTag/${TagKey}
    • + aws:TagKeys
  • CreateAgentAlias
      Conditions
    • + aws:RequestTag/${TagKey}
    • + aws:TagKeys
  • CreateKnowledgeBase
      Conditions
    • + aws:RequestTag/${TagKey}
    • + aws:TagKeys
  • InvokeModel
      Resources
    • + guardrail
  • InvokeModelWithResponseStream
      Resources
    • + guardrail
  • ListTagsForResource
      Resources
    • + agent
    • + agent-alias
    • + guardrail
    • + knowledge-base
    • + model-evaluation-job
    • + model-invocation-job
  • TagResource
      Resources
    • + agent
    • + agent-alias
    • + guardrail
    • + knowledge-base
    • + model-evaluation-job
    • + model-invocation-job
  • UntagResource
      Resources
    • + agent
    • + agent-alias
    • + guardrail
    • + knowledge-base
    • + model-evaluation-job
    • + model-invocation-job
    Resources
  • agent
      Conditions
    • + aws:ResourceTag/${TagKey}
  • agent-alias
      Conditions
    • + aws:ResourceTag/${TagKey}
  • knowledge-base
      Conditions
    • + aws:ResourceTag/${TagKey}

Deletions

    Actions
  • CreateAgentDraftSnapshot
    • Description:  Grants permission to create a draft version snapshot for an agent
    • Access:  Write
    • Resources: 

      Name: agent

      Required: Yes

  • QueryKnowledgeBase
    • Description:  Grants permission to retrieve ingested data from a knowledge base.
    • Access:  Read
    • Resources: 

      Name: knowledge-base

      Required: Yes