Set up permissions to use guardrails for content filtering
To set up a role with permissions for guardrails, create an IAM role and attach the following permissions by following the steps at Creating a role to delegate permissions to an AWS service.
If you're using guardrails with an agent, attach the permissions to a service role with permissions to create and manage agents. You can set up this role in the console or create a custom role by following the steps at Create a service role for Amazon Bedrock Agents.
Permissions to create and manage guardrails for the policy role
Append the following statement to the Statement field in the policy
for your role to use guardrails.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateAndManageGuardrails", "Effect": "Allow", "Action": [ "bedrock:CreateGuardrail", "bedrock:CreateGuardrailVersion", "bedrock:DeleteGuardrail", "bedrock:GetGuardrail", "bedrock:ListGuardrails", "bedrock:UpdateGuardrail" ], "Resource": "*" } ] }
Permissions for invoking guardrails to filter content
Append the following statement to the Statement field in the policy
for the role to allow for model inference and to invoke guardrails.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "InvokeFoundationModel", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": [ "arn:aws:bedrock:region::foundation-model/*" ] }, { "Sid": "ApplyGuardrail", "Effect": "Allow", "Action": [ "bedrock:ApplyGuardrail" ], "Resource": [ "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" ] } ] }
