Change log of AWS IAM permissions

2024-12-07

39 new actions, 6 new resources, 1 new condition | 2 updated actions

Additions

Actions

AssociateAgentCollaborator
- Description: Grants permission to associate another existing agent as a collaborator to an existing agent
- Access: Write
- Resources:
  Name: agent
  
  Required: Yes
CreateBlueprint
- Description: Grants permission to create a blueprint for custom output from data automation
- Access: Write
CreateBlueprintVersion
- Description: Grants permission to create a new version for an existing blueprint
- Access: Write
- Resources:
  Name: blueprint
  
  Required: Yes
CreateDataAutomationProject
- Description: Grants permission to create a data automation project
- Access: Write
- Resources:
  Name: blueprint
  
  Required: No
CreateMarketplaceModelEndpoint
- Description: Grants permission to create a marketplace model endpoint
- Access: Write
DeleteBlueprint
- Description: Grants permission to delete a blueprint for data automation
- Access: Write
- Resources:
  Name: blueprint
  
  Required: Yes
DeleteDataAutomationProject
- Description: Grants permission to delete a data automation project
- Access: Write
- Resources:
  Name: data-automation-project
  
  Required: Yes
DeleteKnowledgeBaseDocuments
- Description: Grants permission to delete documents from a knowledge base
- Access: Write
- Resources:
  Name: knowledge-base
  
  Required: Yes
DeleteMarketplaceModelAgreement
- Description: Grants permission to unsubscribe from a bedrock marketplace enabled AWS marketplace model
- Access: Write
DeleteMarketplaceModelEndpoint
- Description: Grants permission to delete a marketplace model endpoint
- Access: Write
- Resources:
  Name: bedrock-marketplace-model-endpoint
  
  Required: Yes
DeregisterMarketplaceModelEndpoint
- Description: Grants permission to deregister a marketplace model endpoint to make it unusable in Bedrock Marketplace
- Access: Write
- Resources:
  Name: bedrock-marketplace-model-endpoint
  
  Required: Yes
DisassociateAgentCollaborator
- Description: Grants permission to diassociate a collaborator that you associated earlier
- Access: Write
- Resources:
  Name: agent
  
  Required: Yes
GenerateQuery
- Description: Grants permission to generate queries associated with user input
- Access: Read
GetAgentCollaborator
- Description: Grants permission to retrieve an existing collaborator
- Access: Read
- Resources:
  Name: agent
  
  Required: Yes
GetAsyncInvoke
- Description: Grants permission to get the properties associated with an asynchronous invocation that you have submitted
- Access: Read
- Resources:
  Name: async-invoke
  
  Required: Yes
GetBlueprint
- Description: Grants permission to retrieve an existing blueprint for data automation
- Access: Read
- Resources:
  Name: blueprint
  
  Required: Yes
GetBlueprintRecommendation
- Description: Grants permission to retrieve blueprint recommendation
- Access: Read
GetDataAutomationProject
- Description: Grants permission to retrieve an existing data automation project
- Access: Read
- Resources:
  Name: data-automation-project
  
  Required: Yes
GetDataAutomationStatus
- Description: Grants permission to retrieve the status of a data automation invocation job
- Access: Read
- Resources:
  Name: data-automation-invocation-job
  
  Required: Yes
GetKnowledgeBaseDocuments
- Description: Grants permission to get details for documents in a knowledge base
- Access: Read
- Resources:
  Name: knowledge-base
  
  Required: Yes
GetMarketplaceModelEndpoint
- Description: Grants permission to get the properties of a marketplace model endpoint
- Access: Read
- Resources:
  Name: bedrock-marketplace-model-endpoint
  
  Required: Yes
GetPromptRouter
- Description: Grants permission to get the properties associated with a prompt router
- Access: Read
- Resources:
  Name: default-prompt-router
  
  Required: Yes
IngestKnowledgeBaseDocuments
- Description: Grants permission to directly ingest documents into a knowledge base
- Access: Write
- Resources:
  Name: knowledge-base
  
  Required: Yes
InvokeBlueprintRecommendationAsync
- Description: Grants permission to invoke blueprint recommendations asynchronously
- Access: Write
InvokeDataAutomationAsync
- Description: Grants permission to invoke a Bedrock data automation job
- Access: Write
- Resources:
  Name: blueprint
  
  Required: Yes
  
  Name: data-automation-project
  
  Required: Yes
ListAgentCollaborators
- Description: Grants permission to list collaborators for an agent
- Access: List
- Resources:
  Name: agent
  
  Required: Yes
ListAsyncInvokes
- Description: Grants permission to get a list of asynchronous invocations that you have submitted
- Access: List
ListBlueprints
- Description: Grants permission to list existing blueprints for data automation
- Access: List
- Resources:
  Name: data-automation-project
  
  Required: No
ListDataAutomationProjects
- Description: Grants permission to list existing data automation projects
- Access: List
- Resources:
  Name: blueprint
  
  Required: No
ListKnowledgeBaseDocuments
- Description: Grants permission to list documents in a knowledge base
- Access: List
- Resources:
  Name: knowledge-base
  
  Required: Yes
ListMarketplaceModelEndpoints
- Description: Grants permission to list marketplace model endpoints that you can use
- Access: Read
ListPromptRouters
- Description: Grants permission to list prompt routers that you can use
- Access: List
OptimizePrompt
- Description: Grants permission to optimize a prompt with user input
- Access: Read
RegisterMarketplaceModelEndpoint
- Description: Grants permission to register a sagemaker endpoint as a marketplace model endpoint
- Access: Write
- Resources:
  Name: bedrock-marketplace-model-endpoint
  
  Required: Yes
Rerank
- Description: Grants permission to rank documents based on user input
- Access: Write
UpdateAgentCollaborator
- Description: Grants permission to update an existing collaborator
- Access: Write
- Resources:
  Name: agent
  
  Required: Yes
UpdateBlueprint
- Description: Grants permission to update a blueprint for data automation
- Access: Write
- Resources:
  Name: blueprint
  
  Required: Yes
UpdateDataAutomationProject
- Description: Grants permission to update a data automation project
- Access: Write
- Resources:
  Name: data-automation-project
  
  Required: Yes
  
  Name: blueprint
  
  Required: No
UpdateMarketplaceModelEndpoint
- Description: Grants permission to update a marketplace model endpoint
- Access: Write
- Resources:
  Name: bedrock-marketplace-model-endpoint
  
  Required: Yes

Resources

async-invoke
- Arn: arn:${Partition}:bedrock:${Region}:${Account}:async-invoke/${ResourceId}
- Conditions:
  aws:ResourceTag/${TagKey}
default-prompt-router
- Arn: arn:${Partition}:bedrock:${Region}:${Account}:default-prompt-router/${ResourceId}
bedrock-marketplace-model-endpoint
- Arn: arn:${Partition}:bedrock:${Region}:${Account}:marketplace/model-endpoint/all-access
data-automation-project
- Arn: arn:${Partition}:bedrock:${Region}:${Account}:data-automation-project/${ProjectId}
blueprint
- Arn: arn:${Partition}:bedrock:${Region}:${Account}:blueprint/${BlueprintId}
data-automation-invocation-job
- Arn: arn:${Partition}:bedrock:${Region}:${Account}:data-automation-invocation/${JobId}

Conditions

bedrock:PromptRouterArn
- Description: Filters access by the specified prompt router
- Type: ARN

Updates

Actions

ListPrompts
- ＋ async-invoke
- ＋ bedrock-marketplace-model-endpoint
- ＋ default-prompt-router
- ＋ bedrock:PromptRouterArn
- ＋ aws:RequestTag/${TagKey}
- ＋ aws:TagKeys
ListProvisionedModelThroughputs
- ＋ bedrock-marketplace-model-endpoint
- ＋ default-prompt-router
- ＋ bedrock:PromptRouterArn

Amazon Bedrock (bedrock)

Additions

Updates