

This text is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

# Control access to Amazon Bedrock Marketplace models
<a name="control-amazon-bedrock-marketplace"></a>

You can use the [Amazon Bedrock full access policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonBedrockFullAccess.html) to grant permissions for SageMaker AI. To prevent users from accessing specific Bedrock Marketplace models while keeping access to all other models, use a deny policy. The following policy shows how to deny access to a specific model.

Deny access to a specific model:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MarketplaceModelDeny",
            "Effect": "Deny",
            "Action": [
                "sagemaker:*",
                "bedrock:*"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*",
                "arn:aws:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/sagemaker-studio:hub-content-arn": "arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/{{model-id-to-deny}}/*"
                }
            }
        }
    ]
}
```

**Important**  
This policy explicitly denies access to the specified model while allowing access to all other Bedrock Marketplace models (assuming the other required permissions are in place).

**Allow access to specific models only**

To restrict users to specific Bedrock Marketplace models only, use an allow policy with an explicit model specification. The following policy shows how to allow access only to a specific model:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MarketplaceModelAllow",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateModel",
                "sagemaker:DeleteEndpoint",
                "sagemaker:UpdateEndpoint"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*",
                "arn:aws:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "bedrock.amazonaws.com",
                    "aws:ResourceTag/sagemaker-sdk:bedrock": "compatible"
                },
                "StringLike": {
                    "aws:ResourceTag/sagemaker-studio:hub-content-arn": "arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/<model-id-to-allow>/*"
                }
            }
        },
        {
            "Sid": "BedrockEndpointTaggingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags",
                "sagemaker:DeleteTags"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:endpoint/*",
                "arn:aws:sagemaker:*:*:endpoint-config/*",
                "arn:aws:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringLike": {
                    "aws:ResourceTag/sagemaker-studio:hub-content-arn": "arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/<model-id-to-allow>/*"
                }
            }
        }
    ]
}
```

This policy allows access only to the specified model and denies access to all other models. If the policy is based on `AmazonBedrockFullAccess`, it should replace the `MarketplaceModelEndpointMutatingAPIs` and `BedrockEndpointTaggingOperations` statements.
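As an added example (not code from this AWS page or from AWS), the following Python script renders both policies above, the deny policy and the allow-only policy, from a concrete model ID and runs a small local approximation of IAM's `StringEquals`/`StringLike` evaluation over constructed requests. It shows the deny statement hitting only resources whose `sagemaker-studio:hub-content-arn` tag names the denied model (a model ID that merely shares a prefix, or an untagged resource, is unaffected), and the allow-only policy granting the create/update/delete actions only when the call arrives through Bedrock (`aws:CalledViaLast`) for the allowed model, while its tagging statement carries no such caller condition. The model IDs, account ID, region, endpoint name and tag values are constructed sample data; `BROAD_ALLOW` is a stand-in for a broad managed policy, not the real `AmazonBedrockFullAccess`; and the evaluator models only the two string operators these policies use.

```python
"""Added example, not code from the AWS page: renders the page's two policies for a
concrete model ID and checks them with a small local approximation of IAM's
StringEquals/StringLike evaluation. Model IDs, account, region and tag values are
constructed sample data; BROAD_ALLOW is a stand-in, not AmazonBedrockFullAccess."""
import re

HUB_TAG_KEY = "aws:ResourceTag/sagemaker-studio:hub-content-arn"
HUB_PATTERN = "arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/{}/*"
SM_RESOURCES = ["arn:aws:sagemaker:*:*:endpoint/*", "arn:aws:sagemaker:*:*:endpoint-config/*",
                "arn:aws:sagemaker:*:*:model/*"]
ENDPOINT = "arn:aws:sagemaker:us-east-1:111122223333:endpoint/sample-endpoint"  # constructed
BROAD_ALLOW = {"Version": "2012-10-17", "Statement": [  # stand-in for a broad managed policy
    {"Effect": "Allow", "Action": ["sagemaker:*", "bedrock:*"], "Resource": ["*"]}]}

def hub_pattern(model_id):
    """Fill the page's placeholder; a '*', '?' or '/' in the ID would widen the match."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", model_id):
        raise ValueError(f"unsafe model id for a StringLike pattern: {model_id!r}")
    return HUB_PATTERN.format(model_id)

def deny_policy(model_id):
    """The page's MarketplaceModelDeny statement for one model."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "MarketplaceModelDeny", "Effect": "Deny",
        "Action": ["sagemaker:*", "bedrock:*"], "Resource": SM_RESOURCES,
        "Condition": {"StringLike": {HUB_TAG_KEY: hub_pattern(model_id)}}}]}

def allow_only_policy(model_id):
    """The page's MarketplaceModelAllow and BedrockEndpointTaggingOperations statements."""
    hub = {HUB_TAG_KEY: hub_pattern(model_id)}
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "MarketplaceModelAllow", "Effect": "Allow",
         "Action": ["sagemaker:CreateEndpoint", "sagemaker:CreateEndpointConfig", "sagemaker:CreateModel",
                    "sagemaker:DeleteEndpoint", "sagemaker:UpdateEndpoint"],
         "Resource": SM_RESOURCES,
         "Condition": {"StringEquals": {"aws:CalledViaLast": "bedrock.amazonaws.com",
                                        "aws:ResourceTag/sagemaker-sdk:bedrock": "compatible"},
                       "StringLike": hub}},
        {"Sid": "BedrockEndpointTaggingOperations", "Effect": "Allow",
         "Action": ["sagemaker:AddTags", "sagemaker:DeleteTags"],
         "Resource": SM_RESOURCES, "Condition": {"StringLike": hub}}]}

def string_like(pattern, value):
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

MATCHERS = {"StringEquals": lambda expected, actual: expected == actual, "StringLike": string_like}

def condition_holds(condition, context):
    """Only StringEquals/StringLike are modelled; a key missing from the context never matches."""
    for operator, pairs in condition.items():
        if operator not in MATCHERS:
            raise ValueError(f"operator not modelled here: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or not MATCHERS[operator](expected, actual):
                return False
    return True

def evaluate(policies, action, resource, context):
    """Simplified IAM decision: an explicit Deny wins, else any matching Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in (s for p in policies for s in p["Statement"]):
        if (any(string_like(a, action) for a in stmt["Action"])
                and any(string_like(r, resource) for r in stmt["Resource"])
                and condition_holds(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision

def context_for(model_id=None, via="bedrock.amazonaws.com"):
    """Constructed request context: the resource's tags plus aws:CalledViaLast (None = absent)."""
    ctx = {"aws:ResourceTag/sagemaker-sdk:bedrock": "compatible"}
    if via:
        ctx["aws:CalledViaLast"] = via
    if model_id:  # the hub-content ARN a Marketplace deployment carries in its tag (sample value)
        ctx[HUB_TAG_KEY] = f"arn:aws:sagemaker:us-east-1:aws:hub-content/SageMakerPublicHub/Model/{model_id}/1.0.0"
    return ctx

def run_scenarios(model_id="sample-model-a"):
    deny, allow = [BROAD_ALLOW, deny_policy(model_id)], [allow_only_policy(model_id)]
    invoke, create, tag = "sagemaker:InvokeEndpoint", "sagemaker:CreateEndpoint", "sagemaker:AddTags"
    return {
        "deny: endpoint of the denied model": evaluate(deny, invoke, ENDPOINT, context_for(model_id)),
        "deny: endpoint of another model": evaluate(deny, invoke, ENDPOINT, context_for("sample-model-b")),
        "deny: ID that merely shares a prefix": evaluate(deny, invoke, ENDPOINT, context_for(model_id + "-v2")),
        "deny: endpoint without the hub tag": evaluate(deny, invoke, ENDPOINT, context_for(None)),
        "allow-only: create via Bedrock, allowed model": evaluate(allow, create, ENDPOINT, context_for(model_id)),
        "allow-only: create via Bedrock, other model": evaluate(allow, create, ENDPOINT, context_for("sample-model-b")),
        "allow-only: create without going via Bedrock": evaluate(allow, create, ENDPOINT, context_for(model_id, via=None)),
        "allow-only: tag the allowed model directly": evaluate(allow, tag, ENDPOINT, context_for(model_id, via=None)),
    }

if __name__ == "__main__":
    print("\n".join(f"{decision:<12} {name}" for name, decision in run_scenarios().items()))
```

Running the script prints one decision per scenario. The `hub_pattern` check is the part worth keeping in any tooling that templates these policies: the model ID is interpolated into a `StringLike` pattern, so a `*` or `/` in it would widen the match far beyond the intended model. For a real account the IAM policy simulator remains the authoritative check; this script only makes the condition semantics visible offline.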