
Answer-first summary for fast verification
Answer: Use AWS Identity and Access Management (IAM) policies to restrict model access.
## Detailed Explanation

To restrict employee access to specific foundation models (FMs) within Amazon Bedrock, the optimal solution is to use **AWS Identity and Access Management (IAM) policies**. Here's why:

### Why Option A (IAM Policies) is Correct:

1. **Granular Access Control**: IAM policies allow administrators to define fine-grained permissions at the model level. You can specify exactly which foundation models (e.g., Anthropic Claude, AI21 Jurassic, Meta Llama) employees can access while denying others.
2. **Native Integration**: Amazon Bedrock is designed to work seamlessly with IAM for access management. The service supports IAM policy conditions that can restrict actions like `InvokeModel` to specific model IDs.
3. **User/Role-Based Management**: IAM policies can be attached to individual users, groups, or roles, enabling flexible permission management aligned with organizational structures.
4. **Comprehensive Coverage**: IAM policies control both who can access models and what actions they can perform (e.g., invoke, fine-tune, or manage custom models).

### Why Other Options Are Less Suitable:

- **Option B (AWS STS)**: While AWS Security Token Service generates temporary credentials, it doesn't inherently restrict access to specific models. STS is typically used for federated access or cross-account scenarios, not for defining which Bedrock models users can access.
- **Option C (IAM Service Roles)**: Service roles are used by AWS services to access other AWS resources on your behalf, not for controlling user access to specific Bedrock models. This approach doesn't address the requirement of restricting employee access.
- **Option D (Amazon Inspector)**: Amazon Inspector is a security vulnerability assessment service for EC2 instances and container images. It monitors for security issues but doesn't control access permissions to Bedrock models.
### Best Practice Implementation:

To implement this solution, create an IAM policy with a `Deny` effect for all Bedrock models, then add `Allow` statements for specific model ARNs that employees should access. This follows the principle of least privilege, ensuring employees only have access to necessary resources. This approach aligns with AWS security best practices and provides the precise control required by the scenario.
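The following is an added worked example (not code from LeetQuiz or from AWS documentation) that builds the least-privilege policy described above and checks it with a small offline evaluator. One caveat a practitioner needs when writing the Deny-then-Allow pattern: IAM evaluates an explicit `Deny` ahead of every `Allow`, so a `Deny` whose `Resource` covers the same model ARNs as the `Allow` would block the approved models too. The example therefore scopes the `Deny` with `NotResource` so that it only covers models outside the approved list, and includes a second, deliberately broken policy to show the collision. The region, model IDs and the foundation-model ARN layout `arn:aws:bedrock:<region>::foundation-model/<model-id>` are stated assumptions; the model IDs are constructed placeholders, and the evaluator ignores conditions, SCPs, permission boundaries and resource policies.

```python
"""Least-privilege IAM policy for Amazon Bedrock model access, plus a tiny offline
evaluator that mirrors IAM's "explicit Deny wins" rule.
Added example: region and model IDs below are constructed placeholders."""
import fnmatch
import json

REGION = "us-east-1"  # constructed placeholder
ALLOWED_MODEL_IDS = [  # constructed placeholder model IDs, not real catalogue entries
    "anthropic.claude-example-v1",
    "meta.llama-example-v1",
]
INVOKE_ACTIONS = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]


def model_arn(model_id: str, region: str = REGION) -> str:
    # Foundation-model ARNs carry no account ID (assumed layout, see lead-in).
    return f"arn:aws:bedrock:{region}::foundation-model/{model_id}"


def build_policy(allowed_model_ids, region: str = REGION) -> dict:
    """Allow invocation of the approved models only. Anything else is implicitly
    denied; the explicit Deny uses NotResource so it never overlaps the Allow."""
    allowed_arns = [model_arn(m, region) for m in allowed_model_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowApprovedModels", "Effect": "Allow",
             "Action": INVOKE_ACTIONS, "Resource": allowed_arns},
            {"Sid": "DenyAllOtherModels", "Effect": "Deny",
             "Action": INVOKE_ACTIONS, "NotResource": allowed_arns},
            {"Sid": "AllowModelDiscovery", "Effect": "Allow",
             "Action": ["bedrock:ListFoundationModels", "bedrock:GetFoundationModel"],
             "Resource": "*"},
        ],
    }


def deny_all_then_allow_policy(allowed_model_ids, region: str = REGION) -> dict:
    """The pitfall: a blanket Deny on every model ARN plus an Allow on a subset.
    Because explicit Deny always wins, the approved models are blocked as well."""
    allowed_arns = [model_arn(m, region) for m in allowed_model_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Deny", "Action": INVOKE_ACTIONS,
             "Resource": "arn:aws:bedrock:*::foundation-model/*"},
            {"Effect": "Allow", "Action": INVOKE_ACTIONS, "Resource": allowed_arns},
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern: str, value: str) -> bool:
    # IAM's '*' and '?' wildcards behave like case-sensitive glob patterns here.
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if "Resource" in stmt:
        return any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
    if "NotResource" in stmt:
        return not any(_matches(r, resource) for r in _as_list(stmt["NotResource"]))
    return False


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-policy evaluation: any applicable explicit Deny wins,
    otherwise an applicable Allow grants, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    policy = build_policy(ALLOWED_MODEL_IDS)
    print(json.dumps(policy, indent=2))
    for mid in ALLOWED_MODEL_IDS + ["ai21.jurassic-example-v1"]:
        print(mid, "->", is_allowed(policy, "bedrock:InvokeModel", model_arn(mid)))
```

Running the script prints the policy document and shows the approved models allowed and the unlisted one denied; the same call against `deny_all_then_allow_policy` returns `False` for every model, which is the collision to avoid. Before attaching a real policy, confirm the decisions with the IAM policy simulator (`iam:SimulateCustomPolicy`), which evaluates the full rule set this toy evaluator leaves out.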
Author: LeetQuiz Editorial Team
A company has enabled Amazon Bedrock for application development and needs to limit employee access to only certain models within Amazon Bedrock.
What solution fulfills this requirement?
A. Use AWS Identity and Access Management (IAM) policies to restrict model access.
B. Use AWS Security Token Service (AWS STS) to generate temporary credentials for model use.
C. Use AWS Identity and Access Management (IAM) service roles to restrict model subscription.
D. Use Amazon Inspector to monitor model access.