Skip to content
Agent Guides

Amazon Bedrock Agents - IAM Examples

Amazon Bedrock Agents - IAM Examples

Section titled “Amazon Bedrock Agents - IAM Examples”

Agent Invocation (Least Privilege)

Section titled “Agent Invocation (Least Privilege)”
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*:*:foundation-model/*"
      ]
    }
  ]
}

Knowledge Base Access

Section titled “Knowledge Base Access”
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:Retrieve",
        "bedrock:RetrieveAndGenerate"
      ],
      "Resource": "*"
    }
  ]
}

KMS Decrypt for Encrypted Secrets

Section titled “KMS Decrypt for Encrypted Secrets”
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": "arn:aws:kms:REGION:ACCOUNT:key/KEY_ID"
    }
  ]
}