Control permissions for generating and using Amazon Bedrock API keys - Amazon Bedrock

Control permissions for generating and using Amazon Bedrock API keys

The IAM actions that control the generation and use of Amazon Bedrock API keys are iam:CreateServiceSpecificCredential (generating a long-term key) and bedrock:CallWithBearerToken (calling Amazon Bedrock with a key):

Warning

Because a short-term Amazon Bedrock API key uses existing credentials from a session, you can prevent its usage by denying the bedrock:CallWithBearerToken action on the identity that generated the key. However, you can't prevent generation of a short-term key.

The following table summarizes how to prevent an identity from generating or using Amazon Bedrock API keys:

Purpose: Prevent generation of keys
  Long-term key: Attach a policy that denies the iam:CreateServiceSpecificCredential action to an IAM identity.
  Short-term key: N/A

Purpose: Prevent usage of a key
  Long-term key: Attach a policy that denies the bedrock:CallWithBearerToken action to the IAM user associated with the key.
  Short-term key: Attach a policy that denies the bedrock:CallWithBearerToken action to IAM identities that you don't want to be able to use the key.

For example, to prevent an IAM identity from both generating and using Amazon Bedrock API keys, attach the following policy to the identity:

JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyBedrockShortAndLongTermAPIKeys",
      "Effect": "Deny",
      "Action": [
        "iam:CreateServiceSpecificCredential",
        "bedrock:CallWithBearerToken"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Warning

This policy will prevent the creation of credentials for all AWS services that support creating service-specific credentials. For more information, see Service-specific credentials for IAM users.
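The following script is an added example, not code from the Amazon Bedrock documentation or from AWS. It audits an IAM identity policy offline against the two controls in the table above (denying iam:CreateServiceSpecificCredential to block long-term key generation, denying bedrock:CallWithBearerToken to block key usage) and flags the side effect described in the warning: a deny on iam:CreateServiceSpecificCredential also blocks service-specific credentials for other services. It is a deliberately simplified evaluator (an assumption of this example): only unconditional explicit Deny statements with Action and Resource "*" are counted, and NotAction, NotResource and Condition elements are not evaluated, so it is a review aid rather than a replacement for IAM's own policy simulation. The sample policies are constructed for this example; the first one is the page's own deny-both policy.

```python
"""Offline audit of an IAM identity policy for Amazon Bedrock API key controls.

Simplified evaluator (assumption of this example): only explicit, unconditional
Deny statements whose Resource includes "*" are counted. NotAction, NotResource
and Condition are not evaluated; a Deny that carries a Condition is ignored.
"""
import fnmatch
import json

KEY_GENERATION_ACTION = "iam:CreateServiceSpecificCredential"
KEY_USAGE_ACTION = "bedrock:CallWithBearerToken"


def _as_list(value):
    """IAM allows either a string or a list for Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use '*'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def denied_actions(policy, actions):
    """Return the subset of `actions` covered by an unconditional Deny on '*'."""
    denied = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        for pattern in _as_list(stmt.get("Action")):
            for action in actions:
                if _action_matches(pattern, action):
                    denied.add(action)
    return denied


def audit_bedrock_key_controls(policy):
    """Map the page's table onto the policy and report which controls hold."""
    denied = denied_actions(policy, [KEY_GENERATION_ACTION, KEY_USAGE_ACTION])
    generation_denied = KEY_GENERATION_ACTION in denied
    usage_denied = KEY_USAGE_ACTION in denied
    return {
        "long_term_generation_blocked": generation_denied,
        "long_term_usage_blocked": usage_denied,
        # Short-term keys reuse session credentials; usage, not generation,
        # is what can be denied (see the warning on the page).
        "short_term_generation_blocked": False,
        "short_term_usage_blocked": usage_denied,
        # The iam deny is not Bedrock-specific: it also blocks service-specific
        # credentials for every other service that supports them.
        "blocks_other_service_credentials": generation_denied,
    }


# Constructed sample policies for this example.
DENY_BOTH_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "DenyBedrockShortAndLongTermAPIKeys",
 "Effect": "Deny", "Action": ["iam:CreateServiceSpecificCredential",
 "bedrock:CallWithBearerToken"], "Resource": ["*"]}]}
""")

USAGE_ONLY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "DenyBedrockKeyUsageOnly",
 "Effect": "Deny", "Action": "bedrock:CallWithBearerToken", "Resource": "*"}]}
""")

WILDCARD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "DenyAllBedrock",
 "Effect": "Deny", "Action": "bedrock:*", "Resource": "*"}]}
""")

ALLOW_ONLY_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Sid": "AllowKeyUsage",
 "Effect": "Allow", "Action": "bedrock:CallWithBearerToken", "Resource": "*"}]}
""")


if __name__ == "__main__":
    for name, policy in [("deny-both", DENY_BOTH_POLICY),
                         ("usage-only", USAGE_ONLY_POLICY),
                         ("wildcard", WILDCARD_POLICY),
                         ("allow-only", ALLOW_ONLY_POLICY)]:
        print(name, json.dumps(audit_bedrock_key_controls(policy), indent=2))
```

The usage-only policy is the narrower choice when the goal is to stop an identity from calling Amazon Bedrock with any API key without also disabling service-specific credentials for other services; the audit output makes that trade-off visible before the policy is attached.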