Terjemahan disediakan oleh mesin penerjemah. Jika konten terjemahan yang diberikan bertentangan dengan versi bahasa Inggris aslinya, utamakan versi bahasa Inggris.

# Kebijakan Managing IAM tentang Proyek
<a name="security-iam-projects"></a>

Amazon Bedrock Projects mendukung lampiran kebijakan IAM langsung, memungkinkan Anda mengelola kontrol akses di tingkat sumber daya proyek. Ini memberikan alternatif untuk mengelola kebijakan pada pengguna dan peran IAM.

## Memahami Kebijakan IAM Tingkat Proyek
<a name="security-iam-projects-understanding"></a>

Kebijakan IAM tingkat proyek memungkinkan Anda untuk:
+ **Memusatkan kontrol akses**: Tentukan izin langsung pada sumber daya proyek
+ **Sederhanakan manajemen**: Perbarui akses tanpa memodifikasi kebijakan individual user/role 
+ **Audit dengan mudah**: Lihat semua izin untuk proyek di satu tempat
+ **Administrasi delegasi**: Izinkan pemilik proyek mengelola akses ke proyek mereka

## Melampirkan Kebijakan IAM ke Proyek
<a name="security-iam-projects-attaching"></a>

### Lampirkan Kebijakan untuk Memberikan Akses
<a name="security-iam-projects-attach-grant"></a>

Lampirkan kebijakan IAM langsung ke proyek untuk memberikan izin:

```
import boto3
import json

iam = boto3.client('iam', region_name='us-east-1')

project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123"

# Define the identity-based policy document
policy_document = {
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AllowTeamAlphaAccess",
            "Effect": "Allow",
            "Action": [
                "bedrock-mantle:ListTagsForResources",
                "bedrock-mantle:GetProject"
            ],
            "Resource": project_arn
        }
    ]
}

policy_json = json.dumps(policy_document)

# Create a managed policy
create_response = iam.create_policy(
    PolicyName="TeamAlphaAccessPolicy",
    PolicyDocument=policy_json,
    Description="Grants Team Alpha read access to the Bedrock project"
)

policy_arn = create_response['Policy']['Arn']
print(f"Policy created: {policy_arn}")

# Attach the policy to alice (IAM user)
iam.attach_user_policy(
    UserName="alice",
    PolicyArn=policy_arn
)
print("Policy attached to alice")

# Attach the policy to bob (IAM user)
iam.attach_user_policy(
    UserName="bob",
    PolicyArn=policy_arn
)
print("Policy attached to bob")

# Attach the policy to TeamAlphaRole (IAM role)
iam.attach_role_policy(
    RoleName="TeamAlphaRole",
    PolicyArn=policy_arn
)
print("Policy attached to TeamAlphaRole")
```

### Berikan Akses Proyek Penuh ke Tim
<a name="security-iam-projects-full-access"></a>

Izinkan tim akses penuh untuk mengelola dan menggunakan proyek:

```
import boto3
import json

iam = boto3.client('iam', region_name='us-east-1')

project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123"

# Identity-based policy — no Principal block needed
policy_document = {
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "FullProjectAccess",
            "Effect": "Allow",
            "Action": "bedrock-mantle:*",
            "Resource": project_arn
        }
    ]
}

# Create a managed policy
create_response = iam.create_policy(
    PolicyName="DataScienceFullAccess",
    PolicyDocument=json.dumps(policy_document),
    Description="Grants DataScienceTeamRole full access to the Bedrock project"
)

policy_arn = create_response['Policy']['Arn']
print(f"Policy created: {policy_arn}")

# Attach to the DataScienceTeamRole
iam.attach_role_policy(
    RoleName="DataScienceTeamRole",
    PolicyArn=policy_arn
)

print("Full access policy attached to DataScienceTeamRole")
```

### Berikan Akses Hanya Baca
<a name="security-iam-projects-readonly"></a>

Lampirkan kebijakan yang memungkinkan melihat detail proyek dan hanya membuat permintaan inferensi:

```
import boto3
import json

iam = boto3.client('iam', region_name='us-east-1')

project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123"

# Identity-based policy — no Principal block needed
policy_document = {
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "ReadOnlyAccess",
            "Effect": "Allow",
            "Action": [
                "bedrock-mantle:CreateInference",
                "bedrock-mantle:GetProject",
                "bedrock-mantle:ListProjects",
                "bedrock-mantle:ListTagsForResources"
            ],
            "Resource": project_arn
        }
    ]
}

# Create a managed policy
create_response = iam.create_policy(
    PolicyName="ReadOnlyAccessPolicy",
    PolicyDocument=json.dumps(policy_document),
    Description="Grants viewer1 and viewer2 read-only access to the Bedrock project"
)

policy_arn = create_response['Policy']['Arn']
print(f"Policy created: {policy_arn}")

# Attach to viewer1
iam.attach_user_policy(
    UserName="viewer1",
    PolicyArn=policy_arn
)
print("Policy attached to viewer1")

# Attach to viewer2
iam.attach_user_policy(
    UserName="viewer2",
    PolicyArn=policy_arn
)
print("Policy attached to viewer2")
```