Enable multiple (permission policy and boundary) checks to ensure that the Role is privileged in AWS/Bedrock
Use a system property to determine what checks are used to verify whether a role is allowed to perform a privileged operation.
AWS permissions are granted through Identity and Access Management (IAM) policies. For example, an IAM policy that allows bedrock:InvokeModel lets an application call the InvokeModel function on all available models in all regions. A boundary in Bedrock limits the maximum permission, for example by restricting bedrock:InvokeModel to only the haiku-3.5 model and specific regions.
The sn_ai_security.bedrock_priviledge.permission_policy system property determines whether an application checks both IAM policy and the bedrock boundary configuration to verify whether a role is allowed to perform a privileged operation.
This property enables multiple (permission policy and boundary) checks to ensure that the role is privileged in AWS/Bedrock. If it is not set to the recommended value of false, then the application relies only on IAM policy to decide whether a role is privileged.
Set the sn_ai_security.bedrock_priviledge.permission_policy system property to false or ensure that it doesn't exist in the System Properties [sys_properties] table to help ensure defense in depth.
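As an added example (not ServiceNow's or AWS's own code), the following JavaScript models the two checking modes the property selects: a glob-style IAM matcher, a policy evaluator, and an isPrivileged function that consults the Bedrock boundary only when the property is false or unset. The policy shapes follow the IAM JSON format; the model ARNs, the property-value handling in place of gs.getProperty, and the function names are assumptions for illustration.

```javascript
// Added example (not ServiceNow's or AWS's code). Under an IAM permissions
// boundary the effective permission is the INTERSECTION of the identity
// policy and the boundary, so a check that consults the identity policy
// alone over-states what a role may do. Only Allow statements with string
// or array Action/Resource are modelled; Deny and Condition are omitted.

// Glob-style matcher for IAM actions and ARNs: '*' matches any run of chars.
function iamMatch(pattern, value) {
  var parts = pattern.split('*').map(function (s) {
    return s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  });
  return new RegExp('^' + parts.join('.*') + '$').test(value);
}

// True if any Allow statement in the policy covers the action on the resource.
function policyAllows(policy, action, resource) {
  return policy.Statement.some(function (st) {
    return st.Effect === 'Allow' &&
      [].concat(st.Action).some(function (a) { return iamMatch(a, action); }) &&
      [].concat(st.Resource).some(function (r) { return iamMatch(r, resource); });
  });
}

// Property semantics as described on the page: 'false' (or unset, which falls
// back to false) means both checks run; any other value means IAM policy only.
// In a ServiceNow script the value would come from gs.getProperty(...); here it
// is passed in so the example runs stand-alone.
function bothChecksEnabled(propertyValue) {
  return propertyValue === undefined || String(propertyValue) === 'false';
}

function isPrivileged(propertyValue, iamPolicy, boundary, action, resource) {
  var iamOk = policyAllows(iamPolicy, action, resource);
  if (!bothChecksEnabled(propertyValue)) return iamOk;          // IAM only
  return iamOk && policyAllows(boundary, action, resource);     // defense in depth
}

// Constructed sample policies mirroring the page's scenario: IAM allows
// InvokeModel everywhere; the boundary caps it to one model family in one region.
var IAM_POLICY = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: 'bedrock:InvokeModel', Resource: '*' }] };
var BOUNDARY = { Version: '2012-10-17', Statement: [
  { Effect: 'Allow', Action: 'bedrock:InvokeModel',
    Resource: 'arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-5-haiku-*' }] };

// Sample resource ARNs (constructed; model ids are illustrative).
var HAIKU_USE1 = 'arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-5-haiku-20241022-v1:0';
var SONNET_EUW1 = 'arn:aws:bedrock:eu-west-1::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0';
```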
More information
| Attribute | Description |
|---|---|
| Configuration name | sn_ai_security.bedrock_priviledge.permission_policy |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | Boolean |
| Recommended value | false |
| Default value | false |
| Fallback value | false |
| Category | Access control |
| Security risk | |
| Functional impact | Based on the property value, the application either checks only the IAM policy within AWS, or checks the boundary configuration within AWS/Bedrock in addition to the IAM policy, to verify whether the role associated with a request is privileged. |
| Dependencies and prerequisites | None |