Resources: BedrockStudioServiceRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - datazone.amazonaws.com Action: - sts:AssumeRole - sts:TagSession Condition: StringEquals: aws:SourceAccount: !Ref AWS::AccountId ForAllValues:StringLike: aws:TagKeys: datazone* Policies: - PolicyName: BedrockStudioServiceRolePolicy PolicyDocument: Version: '2012-10-17' Statement: - Sid: DomainExecutionRoleStatement Effect: Allow Action: - datazone:GetDomain - datazone:ListProjects - datazone:GetProject - datazone:CreateProject - datazone:UpdateProject - datazone:DeleteProject - datazone:ListProjectMemberships - datazone:CreateProjectMembership - datazone:DeleteProjectMembership - datazone:ListEnvironments - datazone:GetEnvironment - datazone:CreateEnvironment - datazone:UpdateEnvironment - datazone:DeleteEnvironment - datazone:ListEnvironmentBlueprints - datazone:GetEnvironmentBlueprint - datazone:CreateEnvironmentBlueprint - datazone:UpdateEnvironmentBlueprint - datazone:DeleteEnvironmentBlueprint - datazone:ListEnvironmentBlueprintConfigurations - datazone:ListEnvironmentBlueprintConfigurationSummaries - datazone:ListEnvironmentProfiles - datazone:GetEnvironmentProfile - datazone:CreateEnvironmentProfile - datazone:UpdateEnvironmentProfile - datazone:DeleteEnvironmentProfile - datazone:UpdateEnvironmentDeploymentStatus - datazone:GetEnvironmentCredentials - datazone:ListGroupsForUser - datazone:SearchUserProfiles - datazone:SearchGroupProfiles - datazone:GetUserProfile - datazone:GetGroupProfile Resource: '*' - Sid: RAMResourceShareStatement Effect: Allow Action: ram:GetResourceShareAssociations Resource: '*' - Effect: Allow Action: - bedrock:InvokeModel - bedrock:InvokeModelWithResponseStream - bedrock:GetFoundationModelAvailability Resource: '*' BedrockStudioProvisioningRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: - datazone.amazonaws.com Action: - sts:AssumeRole Policies: - PolicyName: BedrockStudioProvisioningRolePolicy PolicyDocument: Version: '2012-10-17' Statement: - Sid: AmazonDataZonePermissionsToCreateEnvironmentRole Effect: Allow Action: - iam:CreateRole - iam:GetRolePolicy - iam:DetachRolePolicy - iam:AttachRolePolicy - iam:UpdateAssumeRolePolicy Resource: arn:aws:iam::*:role/DataZoneBedrockProjectRole* Condition: StringEquals: iam:PermissionsBoundary: !Sub arn:aws:iam::${AWS::AccountId}:policy/AmazonDataZoneBedrockPermissionsBoundary aws:CalledViaFirst: - cloudformation.amazonaws.com 'Null': aws:ResourceTag/AmazonDataZoneEnvironment: 'false' - Sid: AmazonDataZonePermissionsToServiceRole Effect: Allow Action: - iam:CreateRole - iam:GetRolePolicy - iam:DetachRolePolicy - iam:AttachRolePolicy - iam:UpdateAssumeRolePolicy Resource: - arn:aws:iam::*:role/BedrockStudio* - arn:aws:iam::*:role/AmazonBedrockExecution* Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com 'Null': aws:ResourceTag/AmazonDataZoneEnvironment: 'false' - Sid: IamPassRolePermissionsForBedrock Effect: Allow Action: - iam:PassRole Resource: arn:aws:iam::*:role/AmazonBedrockExecution* Condition: StringEquals: iam:PassedToService: - bedrock.amazonaws.com aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: IamPassRolePermissionsForLambda Effect: Allow Action: - iam:PassRole Resource: - arn:aws:iam::*:role/BedrockStudio* Condition: StringEquals: iam:PassedToService: - lambda.amazonaws.com aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: AmazonDataZonePermissionsToManageCreatedEnvironmentRole Effect: Allow Action: - iam:DeleteRole - iam:GetRole - iam:DetachRolePolicy - iam:GetPolicy - iam:DeleteRolePolicy - iam:PutRolePolicy Resource: - arn:aws:iam::*:role/DataZoneBedrockProjectRole* - arn:aws:iam::*:role/AmazonBedrock* - arn:aws:iam::*:role/BedrockStudio* Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: AmazonDataZoneCFStackCreationForEnvironments Effect: Allow Action: - cloudformation:CreateStack - cloudformation:UpdateStack - cloudformation:TagResource Resource: - arn:aws:cloudformation:*:*:stack/DataZone* Condition: ForAnyValue:StringLike: aws:TagKeys: AmazonDataZoneEnvironment 'Null': aws:ResourceTag/AmazonDataZoneEnvironment: 'false' - Sid: AmazonDataZoneCFStackManagementForEnvironments Effect: Allow Action: - cloudformation:DeleteStack - cloudformation:DescribeStacks - cloudformation:DescribeStackEvents Resource: - arn:aws:cloudformation:*:*:stack/DataZone* - Sid: AmazonDataZoneEnvironmentBedrockGetViaCloudformation Effect: Allow Action: - bedrock:GetAgent - bedrock:GetAgentActionGroup - bedrock:GetAgentAlias - bedrock:GetAgentKnowledgeBase - bedrock:GetKnowledgeBase - bedrock:GetDataSource - bedrock:GetGuardrail Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: AmazonDataZoneEnvironmentDeleteGuardrailViaCloudformation Effect: Allow Action: - bedrock:DeleteGuardrail Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: AmazonDataZoneEnvironmentBedrockAgentPermissions Effect: Allow Action: - bedrock:CreateAgent - bedrock:UpdateAgent - bedrock:DeleteAgent - bedrock:ListAgents - bedrock:CreateAgentActionGroup - bedrock:UpdateAgentActionGroup - bedrock:DeleteAgentActionGroup - bedrock:ListAgentActionGroups - bedrock:CreateAgentAlias - bedrock:UpdateAgentAlias - bedrock:DeleteAgentAlias - bedrock:ListAgentAliases - bedrock:AssociateAgentKnowledgeBase - bedrock:DisassociateAgentKnowledgeBase - bedrock:UpdateAgentKnowledgeBase - bedrock:ListAgentKnowledgeBases - bedrock:PrepareAgent Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com 'Null': aws:ResourceTag/AmazonDataZoneProject: 'false' - Sid: AmazonDataZoneEnvironmentOpenSearch Effect: Allow Action: - aoss:CreateAccessPolicy - aoss:DeleteAccessPolicy - aoss:UpdateAccessPolicy - aoss:GetAccessPolicy - aoss:ListAccessPolicies - aoss:CreateSecurityPolicy - aoss:DeleteSecurityPolicy - aoss:UpdateSecurityPolicy - aoss:GetSecurityPolicy - aoss:ListSecurityPolicies Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: AmazonDataZoneEnvironmentOpenSearchPermissions Effect: Allow Action: - aoss:UpdateCollection - aoss:DeleteCollection - aoss:BatchGetCollection - aoss:ListCollections - aoss:CreateCollection Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com 'Null': aws:ResourceTag/AmazonDataZoneProject: 'false' - Sid: AmazonDataZoneEnvironmentBedrockKnowledgeBasePermissions Effect: Allow Action: - bedrock:CreateKnowledgeBase - bedrock:UpdateKnowledgeBase - bedrock:DeleteKnowledgeBase - bedrock:CreateDataSource - bedrock:UpdateDataSource - bedrock:DeleteDataSource - bedrock:ListKnowledgeBases - bedrock:ListDataSources Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com 'Null': aws:ResourceTag/AmazonDataZoneProject: 'false' - Sid: AmazonDataZoneEnvironmentBedrockGuardrailPermissions Effect: Allow Action: - bedrock:CreateGuardrail - bedrock:CreateGuardrailVersion - bedrock:ListGuardrails - bedrock:ListTagsForResource - bedrock:TagResource - bedrock:UntagResource - bedrock:UpdateGuardrail Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com 'Null': aws:ResourceTag/AmazonDataZoneProject: 'false' - Sid: AmazonDataZoneEnvironmentLambdaPermissions Effect: Allow Action: - lambda:AddPermission - lambda:CreateFunction - lambda:ListFunctions - lambda:UpdateFunctionCode - lambda:UpdateFunctionConfiguration - lambda:InvokeFunction - lambda:ListVersionsByFunction - lambda:PublishVersion Resource: - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:br-studio* - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:OpensearchIndexLambda* - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:IngestionTriggerLambda* Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com 'Null': aws:ResourceTag/AmazonDataZoneEnvironment: 'false' - Sid: AmazonDataZoneEnvironmentLambdaManagePermissions Effect: Allow Action: - lambda:GetFunction - lambda:DeleteFunction - lambda:RemovePermission Resource: - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:br-studio* - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:OpensearchIndexLambda* - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:IngestionTriggerLambda* Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: ManageLogGroups Effect: Allow Action: - logs:CreateLogGroup - logs:PutRetentionPolicy - logs:DeleteLogGroup Resource: - arn:aws:logs:*:*:log-group:/aws/lambda/br-studio-* - arn:aws:logs:*:*:log-group:datazone-* Condition: StringEquals: aws:CalledViaFirst: cloudformation.amazonaws.com - Sid: ListTags Effect: Allow Action: - bedrock:ListTagsForResource - aoss:ListTagsForResource - lambda:ListTags - iam:ListRoleTags - iam:ListPolicyTags Resource: '*' Condition: StringEquals: aws:CalledViaFirst: cloudformation.amazonaws.com - Sid: AmazonDataZoneEnvironmentTagsCreationPermissions Effect: Allow Action: - iam:TagRole - iam:TagPolicy - iam:UntagRole - iam:UntagPolicy - logs:TagLogGroup - bedrock:TagResource - bedrock:UntagResource - bedrock:ListTagsForResource - aoss:TagResource - aoss:UnTagResource - aoss:ListTagsForResource - lambda:TagResource - lambda:UnTagResource - lambda:ListTags Resource: '*' Condition: ForAnyValue:StringLike: aws:TagKeys: AmazonDataZoneEnvironment 'Null': aws:ResourceTag/AmazonDataZoneEnvironment: 'false' StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: AmazonDataZoneEnvironmentBedrockTagResource Effect: Allow Action: - bedrock:TagResource Resource: !Sub arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent-alias/* Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com ForAnyValue:StringLike: aws:TagKeys: AmazonDataZoneEnvironment - Sid: PermissionsToGetAmazonDataZoneEnvironmentBlueprintTemplates Effect: Allow Action: s3:GetObject Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com StringNotEquals: aws:ResourceAccount: ${aws:PrincipalAccount} - Sid: PermissionsToManageSecrets Effect: Allow Action: - secretsmanager:GetRandomPassword Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: PermissionsToStoreSecrets Effect: Allow Action: - secretsmanager:CreateSecret - secretsmanager:TagResource - secretsmanager:UntagResource - secretsmanager:PutResourcePolicy - secretsmanager:DeleteResourcePolicy - secretsmanager:DeleteSecret Resource: '*' Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com 'Null': aws:ResourceTag/AmazonDataZoneEnvironment: 'false' - Sid: AmazonDataZoneManageProjectBuckets Effect: Allow Action: - s3:CreateBucket - s3:DeleteBucket - s3:PutBucketTagging - s3:PutEncryptionConfiguration - s3:PutBucketVersioning - s3:PutBucketCORS - s3:PutBucketPublicAccessBlock - s3:PutBucketPolicy - s3:PutLifecycleConfiguration - s3:DeleteBucketPolicy Resource: arn:aws:s3:::br-studio-* Condition: StringEquals: aws:CalledViaFirst: - cloudformation.amazonaws.com - Sid: CreateServiceLinkedRoleForOpenSearchServerless Effect: Allow Action: iam:CreateServiceLinkedRole Resource: '*' Condition: StringEquals: iam:AWSServiceName: observability.aoss.amazonaws.com aws:CalledViaFirst: cloudformation.amazonaws.com AmazonDataZoneBedrockPermissionsBoundary: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: AmazonDataZoneBedrockPermissionsBoundary PolicyDocument: Version: '2012-10-17' Statement: - Sid: BedrockRuntimeAgentPermissions Effect: Allow Action: - bedrock:InvokeAgent Resource: '*' Condition: 'Null': aws:ResourceTag/AmazonDataZoneProject: 'false' - Sid: BedrockRuntimeModelsAndJobsRole Effect: Allow Action: - bedrock:InvokeModel - bedrock:InvokeModelWithResponseStream - bedrock:RetrieveAndGenerate Resource: '*' - Sid: BedrockApplyGuardrails Effect: Allow Action: - bedrock:ApplyGuardrail Resource: '*' Condition: 'Null': aws:ResourceTag/AmazonDataZoneProject: 'false' - Sid: BedrockRuntimePermissions Effect: Allow Action: - bedrock:Retrieve - bedrock:StartIngestionJob - bedrock:GetIngestionJob - bedrock:ListIngestionJobs Resource: '*' Condition: 'Null': aws:ResourceTag/AmazonDataZoneProject: 'false' - Sid: BedrockFunctionsPermissions Action: - secretsmanager:PutSecretValue Resource: arn:aws:secretsmanager:*:*:secret:br-studio/* Effect: Allow Condition: 'Null': aws:ResourceTag/AmazonDataZoneProject: 'false' - Sid: BedrockS3ObjectsHandlingPermissions Action: - s3:GetObject - s3:PutObject - s3:GetObjectVersion - s3:ListBucketVersions - s3:DeleteObject - s3:DeleteObjectVersion - s3:ListBucket Resource: - !Sub arn:aws:s3:::br-studio-${AWS::AccountId}-* Effect: Allow