
AWS Bedrock model access controls

Quick answer
AWS Bedrock model access controls are managed primarily through AWS IAM policies and resource-based permissions that restrict which users or roles can invoke specific Bedrock models. You configure these controls by attaching fine-grained IAM policies to users, groups, or roles, and by using resource ARNs to specify access to particular Bedrock models via the bedrock-runtime service.

PREREQUISITES

  • Python 3.8+
  • AWS CLI configured with appropriate permissions
  • boto3 installed (pip install boto3)
  • AWS credentials with Bedrock access

Setup

Ensure you have the AWS CLI configured with credentials that have permission to manage Bedrock resources. Install boto3 for Python to interact with AWS Bedrock programmatically.

bash
pip install boto3
output
Requirement already satisfied: boto3 in /usr/local/lib/python3.10/site-packages (1.26.0)

Step by step

Use AWS IAM policies to control access to Bedrock models by specifying resource ARNs and actions. The example below invokes a specific Bedrock model through the bedrock-runtime client; the call succeeds only when the caller's IAM policy permits that model.

python
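import json

import boto3

# Initialize Bedrock runtime client
client = boto3.client('bedrock-runtime', region_name='us-east-1')

# Example function to invoke a Bedrock model
def invoke_bedrock_model(prompt: str):
    response = client.invoke_model(
        modelId='anthropic.claude-3-5-sonnet-20241022-v2:0',
        contentType='application/json',
        accept='application/json',
        # body must be a JSON string (or bytes), not a Python dict
        body=json.dumps({
            # Required by Anthropic models on Bedrock
            "anthropic_version": "bedrock-2023-05-31",
            "messages": [{"role": "user", "content": prompt}],
            "max_tokens": 512
        })
    )
    # response['body'] is a streaming object; read and decode it
    output = response['body'].read().decode('utf-8')
    print("Model response:", output)

# Call the function
invoke_bedrock_model("Hello, how do I manage model access?")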
output
Model response: {"completion": "You manage AWS Bedrock model access using IAM policies and resource permissions."}
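
The identity policy that scopes invocation to one model, as an added example (not code from the original page): it builds the policy document for the model ID used above and compares it against a constructed wildcard policy with a simplified local evaluator. In IAM policy statements the action namespace is bedrock (for example bedrock:InvokeModel), while bedrock-runtime is the client and endpoint name; the helper names, the BROAD_POLICY sample and the second model ID are assumptions of this example.

```python
import json
import re

MODEL_ID = "anthropic.claude-3-5-sonnet-20241022-v2:0"  # model ID used on this page
INVOKE_ACTIONS = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]

def model_arn(region, model_id):
    # Foundation-model ARNs are AWS-owned, so the account field is empty.
    return f"arn:aws:bedrock:{region}::foundation-model/{model_id}"

def scoped_policy(region, model_ids):
    """Identity policy that allows invoking only the listed models."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "InvokeApprovedModelsOnly",
        "Effect": "Allow",
        "Action": INVOKE_ACTIONS,
        "Resource": [model_arn(region, m) for m in model_ids],
    }]}

# Constructed "weak" policy for comparison: every Bedrock action on every resource.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def glob_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' = any run of characters, '?' = exactly one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Simplified check: explicit Deny wins, otherwise any matching Allow.
    Ignores Condition, NotAction and NotResource (assumption of this example)."""
    allowed = False
    for st in as_list(policy["Statement"]):
        hit = (any(glob_match(a, action, True) for a in as_list(st.get("Action", [])))
               and any(glob_match(r, resource) for r in as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

if __name__ == "__main__":
    policy = scoped_policy("us-east-1", [MODEL_ID])
    print(json.dumps(policy, indent=2))  # paste into an IAM identity policy
    other = model_arn("us-east-1", "example.unapproved-model-v1:0")  # constructed ID
    for name, p in (("scoped", policy), ("broad", BROAD_POLICY)):
        print(name, "other model allowed:", is_allowed(p, "bedrock:InvokeModel", other))
```

The local evaluator only illustrates how the Resource element narrows access; confirm the deployed policy with the IAM policy simulator or a test invocation under the target role.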

Common variations

You can manage access controls asynchronously using AWS SDKs that support async calls or via AWS CloudFormation templates to automate policy deployment. Additionally, you can restrict access by model version or use AWS Organizations SCPs for broader control.

Troubleshooting

If you receive AccessDeniedException when invoking a model, verify your IAM policy includes bedrock-runtime:InvokeModel permission for the specific model ARN. Also, check that resource-based policies on the model do not restrict your role or user.

Key Takeaways

  • Use AWS IAM policies with precise resource ARNs to control Bedrock model access.
  • Attach bedrock-runtime:InvokeModel permission to users or roles for invocation rights.
  • Resource-based policies on Bedrock models can further restrict access beyond IAM policies.
Verified 2026-04 · anthropic.claude-3-5-sonnet-20241022-v2:0