k9 Security now reports IAM principals’ access entitlements to the Amazon Bedrock APIs. The Bedrock APIs allow customers to manage generative AI data resources and create AI-enabled services and agents. k9 reports whether IAM principals may administer, change, or read AI data resources and services so that you can govern access to AI services and reduce risks to your data and AI models.
Wondering which IAM principals can administer or use Bedrock APIs? k9 can give you a short list to review. k9 analyzes AWS accounts to see which IAM users and roles can use Bedrock APIs (e.g. bedrock:CreateAgent or bedrock:InvokeModel), then maps each principal’s access to a k9 access capability.
Here’s an example of how Bedrock API access is summarized in the Principal Access Summary worksheet of k9-dev’s report (sample: xlsx):

This excerpt shows that the AdministratorAccess IAM role has full access to the Bedrock APIs: it is allowed to administer-resource, read-config, read-data, write-data, and delete-data. The k9-auditor role has only the read-config capability for the Bedrock APIs, as granted by the SecurityAudit AWS managed policy.
The sample report documents the full mapping of service API actions to k9 access capabilities in the ‘k9 Access Capability Mapping’ worksheet.
The Amazon Bedrock API currently has 175 permissions (IAM actions), and k9 now tracks that list so newly released actions are picked up as AWS adds them. This summary of k9’s AWS service coverage shows how Bedrock compares to other AWS data, compute, and security APIs:

The Amazon Bedrock API manages generative AI data resources, prompts, inference, and agents operating within your AWS account. Manage risk to your generative AI applications and data in your AWS account by continuously reviewing and adjusting access to Bedrock APIs.
Amazon Bedrock currently models 26 resource types for use in IAM policies. For comparison, RDS supports 24 resource types and EC2 supports 93. So while Bedrock is a relatively new service, it already supports a rich and diverse set of configuration, processing, and data resources for building AI-enabled applications. We are thinking about which of those resource types would be most valuable to support for resource-level analysis. Some questions we are thinking about trying to answer:
- Who can read from or write into that (custom) model? And does that role also have access to sensitive data in S3?
- Who can read or write data in that knowledge base (RAG)?
- Who can change that prompt, or read data from it?
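The two analyses described above, summarizing each principal's Bedrock access as k9 capabilities (as in the Principal Access Summary) and asking who can read or write a particular knowledge base, can be sketched in a few dozen lines. The example below is added here and is not k9's code; k9's real action-to-capability mapping lives in the sample report's 'k9 Access Capability Mapping' worksheet, and the mapping, the sample policies, the principal names and the knowledge-base ARN in this block are assumptions constructed for illustration. It evaluates identity policies only: Action/NotAction, Resource and explicit Deny are honoured, while Condition blocks are ignored, so the result over-approximates real access.

```python
import re
from typing import Dict, List, Optional, Set

# The five k9 access capabilities, in the order the Principal Access Summary lists them.
CAPABILITY_ORDER = ["administer-resource", "read-config", "read-data", "write-data", "delete-data"]

# Illustrative subset of real Bedrock IAM actions with an ASSUMED capability for each.
# This is an example mapping, not k9's published one.
BEDROCK_ACTION_CAPABILITIES = {
    "bedrock:ListFoundationModels": "read-config",
    "bedrock:GetFoundationModel": "read-config",
    "bedrock:ListAgents": "read-config",
    "bedrock:GetAgent": "read-config",
    "bedrock:GetKnowledgeBase": "read-config",
    "bedrock:GetCustomModel": "read-config",
    "bedrock:InvokeModel": "read-data",
    "bedrock:InvokeModelWithResponseStream": "read-data",
    "bedrock:Retrieve": "read-data",
    "bedrock:RetrieveAndGenerate": "read-data",
    "bedrock:CreateAgent": "administer-resource",
    "bedrock:CreateKnowledgeBase": "administer-resource",
    "bedrock:CreateModelCustomizationJob": "write-data",
    "bedrock:DeleteAgent": "delete-data",
    "bedrock:DeleteKnowledgeBase": "delete-data",
    "bedrock:DeleteCustomModel": "delete-data",
}


def _as_list(value) -> list:
    """IAM accepts either a string or a list in Action, NotAction and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_glob_match(pattern: str, value: str, ignore_case: bool = True) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    Action names match case-insensitively; ARNs are compared case-sensitively."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def allowed_bedrock_actions(policy: dict, resource_arn: Optional[str] = None) -> Set[str]:
    """Concrete Bedrock actions the identity policy allows, optionally only on resource_arn.
    Explicit Deny overrides Allow. Condition blocks are ignored (over-approximation)."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for stmt in _as_list(policy.get("Statement")):
        resources = _as_list(stmt.get("Resource", "*"))
        if resource_arn is not None and not any(
            iam_glob_match(r, resource_arn, ignore_case=False) for r in resources
        ):
            continue  # statement does not apply to this resource
        if "NotAction" in stmt:
            patterns = _as_list(stmt["NotAction"])
            matched = {a for a in BEDROCK_ACTION_CAPABILITIES
                       if not any(iam_glob_match(p, a) for p in patterns)}
        else:
            patterns = _as_list(stmt.get("Action"))
            matched = {a for a in BEDROCK_ACTION_CAPABILITIES
                       if any(iam_glob_match(p, a) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        elif stmt.get("Effect") == "Deny":
            denied |= matched
    return allowed - denied


def capabilities(policy: dict, resource_arn: Optional[str] = None) -> List[str]:
    """Collapse the allowed actions into k9-style capabilities, in summary order."""
    caps = {BEDROCK_ACTION_CAPABILITIES[a] for a in allowed_bedrock_actions(policy, resource_arn)}
    return [c for c in CAPABILITY_ORDER if c in caps]


def principal_access_summary(principals: Dict[str, dict],
                             resource_arn: Optional[str] = None) -> Dict[str, List[str]]:
    """Principal name -> Bedrock capabilities, the shape of the Principal Access Summary."""
    return {name: capabilities(policy, resource_arn) for name, policy in principals.items()}


# Constructed sample inputs (the knowledge-base ARN and principal names are made up).
KB_ARN = "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/KB123"
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
AUDIT_READONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:Get*", "bedrock:List*"], "Resource": "*"}]}
RAG_APP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:Retrieve", "bedrock:RetrieveAndGenerate"], "Resource": KB_ARN},
    {"Effect": "Allow", "Action": "bedrock:InvokeModel",
     "Resource": "arn:aws:bedrock:us-east-1::foundation-model/*"},
    {"Effect": "Deny", "Action": "bedrock:Delete*", "Resource": "*"}]}
PRINCIPALS = {"AdministratorAccess": ADMINISTRATOR_ACCESS, "k9-auditor": AUDIT_READONLY, "rag-app": RAG_APP}

if __name__ == "__main__":
    for name, caps in principal_access_summary(PRINCIPALS).items():
        print(f"{name:20s} {', '.join(caps) or '(none)'}")
    print("who can read KB123:", [n for n, c in principal_access_summary(PRINCIPALS, KB_ARN).items() if "read-data" in c])
```

The resource-scoped call is what the "who can read that knowledge base" question needs: the same rag-app policy yields read-data for KB123 and nothing for any other knowledge base, while AdministratorAccess keeps all five capabilities on every ARN. In a real account you would feed it the effective policies (inline, attached managed, and group policies) and the permissions boundary, which this sketch does not merge.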
What questions are you trying to answer to secure data and AI-enabled applications? We’d love to hear them and help you try to answer them!
We hope k9’s new Bedrock analysis capabilities help you identify which IAM users and roles can use generative AI, modify AI data sources, and read sensitive data in your AWS accounts. We are happy to answer any questions!