View a markdown version of this page

Cross-account access to Amazon S3 bucket for custom model import jobs - Amazon Bedrock
Configure cross-account access to Amazon S3 bucketConfigure cross-account access to Amazon S3 bucket encrypted with a custom AWS KMS key

Cross-account access to Amazon S3 bucket for custom model import jobs

If you are importing your model from an Amazon S3 bucket in a different AWS account, you will need to grant permissions for accessing the bucket before you import your customized model. See Prerequisites for importing custom model.

Note

If the custom model import job was submitted through the Amazon Bedrock console, a default import execution role is created automatically. You must edit the default import execution role policy and replace the account ID specified for aws:ResourceAccount with the AWS account ID of the bucket owner.

Configure cross-account access to Amazon S3 bucket

Follow these steps to configure cross-account access to an Amazon S3 bucket for a custom model import job.

  1. Create an import execution role – In the user's AWS account (the account that will run the import job), create an IAM role that Amazon Bedrock can assume. For more information about creating a service role for custom model import, see Prerequisites for importing custom model.

  2. Create a bucket policy – In the bucket owner's account, create a bucket policy that grants access to the import execution role in the user's account.

    The following example bucket policy, created and applied to bucket s3://amzn-s3-demo-bucket by the bucket owner, grants access to a user in bucket owner's account 123456789123.

    JSON
    { 
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "CrossAccountAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/ImportRole"
            },           
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket",
                "arn:aws:s3:::amzn-s3-demo-bucket/*"
            ]
        }
    ]
}

  3. Create an import execution role policy – In the user's AWS account, attach a policy to the import execution role that allows access to the cross-account bucket. For aws:ResourceAccount, specify the account ID of the bucket owner's AWS account.

    The following example import execution role policy in the user's account provides the bucket owner's account id 111222333444555 access to Amazon S3 bucket s3://amzn-s3-demo-bucket.

    JSON
    { 
    "Version":"2012-10-17",
   "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::amzn-s3-demo-bucket",
            "arn:aws:s3:::amzn-s3-demo-bucket/*"
        ],
        "Condition": {
            "StringEquals": {
                "aws:ResourceAccount": "123456789012"
            }
        }
    }
  ]
}

Configure cross-account access to Amazon S3 bucket encrypted with a custom AWS KMS key

If the Amazon S3 bucket is encrypted with a custom AWS Key Management Service (AWS KMS) key, you need to perform additional steps to grant the import execution role permissions to decrypt the key.

  1. Create an import execution role – In the user's AWS account, create an IAM role that Amazon Bedrock can assume. For more information, see Prerequisites for importing custom model.

  2. Create a bucket policy – In the bucket owner's account, create a bucket policy that grants access to the import execution role in the user's account.

    The following example bucket policy, created and applied to bucket s3://amzn-s3-demo-bucket by the bucket owner, grants access to a user in bucket owner's account 123456789123.

    JSON
    { 
   "Version":"2012-10-17",
   "Statement": [
    {
        "Sid": "CrossAccountAccess",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789012:role/ImportRole"
        },           
        "Action": [
            "s3:ListBucket",
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::amzn-s3-demo-bucket",
            "arn:aws:s3:::amzn-s3-demo-bucket/*"
        ]
     }
   ]
}

  3. Update the AWS KMS key policy – In the bucket owner's account, add the following statement to the AWS KMS key policy to allow the user's import execution role to decrypt objects.

    {
    "Sid": "Allow use of the key by the destination account",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::123456789123:role/ImportRole"
    },
    "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
    ],
    "Resource": "*"
}

  4. Create an import execution role policy – In the user's AWS account, attach a policy to the import execution role that allows access to the cross-account bucket and the AWS KMS key. For aws:ResourceAccount, specify the account ID of the bucket owner's AWS account.

    The following example import execution role policy provides access to the bucket owner's Amazon S3 bucket s3://amzn-s3-demo-bucket in account 111222333444555 and the AWS KMS key arn:aws:kms:us-west-2:123456789098:key/111aa2bb-333c-4d44-5555-a111bb2c33dd.

    JSON
    { 
    "Version":"2012-10-17",
   "Statement": [
      {
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket",
            "s3:GetObject"
        ],
        "Resource": [
            "arn:aws:s3:::amzn-s3-demo-bucket",
            "arn:aws:s3:::amzn-s3-demo-bucket/*"
        ],
        "Condition": {
            "StringEquals": {
                "aws:ResourceAccount": "123456789012"
            }
        }
     },
     {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "arn:aws:kms:us-west-2:123456789012:key/111aa2bb-333c-4d44-5555-a111bb2c33dd"
    }
  ]
 }