
How do I resolve the "AccessDeniedException" error that I get when I use an Amazon Bedrock cross-Region inference profile in an Organizations account?


When I use an inference profile in an AWS Organizations account to invoke a foundation model across AWS Regions in Amazon Bedrock, I get the "AccessDeniedException" error.

Short description

The "AccessDeniedException" error occurs when your AWS Identity and Access Management (IAM) role doesn't have permission to make the API call in the destination Regions. If your AWS account is a member of AWS Organizations, a service control policy (SCP) might restrict access to Amazon Bedrock in those Regions. To resolve this issue, modify the policy permissions so that Amazon Bedrock calls are allowed in the destination Regions.

Resolution

Prerequisite: Request model access from your source Region.

Modify the IAM policy

Update your SCP to include one of the following example policy statements.

Note: In the following policy statements, replace aa-example-1, aa-example-2, and aa-example-3 with your Regions.

Deny access to AWS services and resources from specified Regions except for Amazon Bedrock:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "NotAction": "bedrock:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "aa-example-1",
                        "aa-example-2",
                        "aa-example-3"
                    ]
                }
            }
        }
    ]
}

Deny actions to invoke a foundation model except through the inference profile in the specified Regions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": "arn:aws:bedrock:*::foundation-model/*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": [
                        "aa-example-1",
                        "aa-example-2",
                        "aa-example-3"
                    ]
                },
                "ArnNotLike": {
                    "bedrock:InferenceProfileArn": [
                        "arn:aws:bedrock:*:*:application-inference-profile/*",
                        "arn:aws:bedrock:*:*:inference-profile/*"
                    ]
                }
            }
        }
    ]
}
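To check which requests the second statement above matches before you deploy it, here is an added Python evaluator (not from the article or from AWS) that embeds that statement with the article's placeholder Regions and applies IAM matching rules to a few constructed requests; the account ID and the model IDs in the sample ARNs are constructed values, not real resources.

```python
import fnmatch

# The second Deny statement from the article, embedded so the evaluator runs offline.
DENY_STATEMENT = {
    "Effect": "Deny",
    "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
    "Resource": "arn:aws:bedrock:*::foundation-model/*",
    "Condition": {
        "StringEquals": {"aws:RequestedRegion": ["aa-example-1", "aa-example-2", "aa-example-3"]},
        "ArnNotLike": {"bedrock:InferenceProfileArn": [
            "arn:aws:bedrock:*:*:application-inference-profile/*",
            "arn:aws:bedrock:*:*:inference-profile/*",
        ]},
    },
}


def arn_like(arn, pattern):
    """IAM ArnLike semantics: each of the six colon-delimited ARN segments is matched
    separately, with '*' and '?' wildcards (the resource segment may itself contain colons)."""
    a, p = arn.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))


def scp_denies(action, resource_arn, requested_region, inference_profile_arn=None):
    """True when DENY_STATEMENT matches the request. Action and Resource must match and every
    condition block must hold; for the negated ArnNotLike operator, an absent context key
    (a direct InvokeModel call with no inference profile) counts as satisfied."""
    s = DENY_STATEMENT
    if not any(fnmatch.fnmatchcase(action, a) for a in s["Action"]):
        return False
    if not arn_like(resource_arn, s["Resource"]):
        return False
    if requested_region not in s["Condition"]["StringEquals"]["aws:RequestedRegion"]:
        return False
    patterns = s["Condition"]["ArnNotLike"]["bedrock:InferenceProfileArn"]
    if inference_profile_arn is not None and any(arn_like(inference_profile_arn, p) for p in patterns):
        return False  # the call came through an inference profile, so ArnNotLike does not hold
    return True


# Constructed sample ARNs (placeholder account ID and Regions, not real resources).
FM_ARN = "arn:aws:bedrock:aa-example-2::foundation-model/amazon.nova-micro-v1:0"
PROFILE_ARN = "arn:aws:bedrock:aa-example-1:123456789012:inference-profile/us.amazon.nova-micro-v1:0"


def evaluate_samples():
    """Return {description: denied?} for the cases a reviewer of this SCP would want to see."""
    return {
        "direct InvokeModel in a restricted Region": scp_denies("bedrock:InvokeModel", FM_ARN, "aa-example-2"),
        "InvokeModel through an inference profile": scp_denies("bedrock:InvokeModel", FM_ARN, "aa-example-2", PROFILE_ARN),
        "direct InvokeModel in an unlisted Region": scp_denies("bedrock:InvokeModel", FM_ARN, "aa-example-9"),
        "direct Converse in a restricted Region": scp_denies("bedrock:Converse", FM_ARN, "aa-example-2"),
    }
```

Note that the last case is not denied: bedrock:Converse and bedrock:ConverseStream are not in the statement's Action list, so add them if the intent is to block every direct model invocation.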

Related information

Identity-based policy examples for Amazon Bedrock

Prerequisites for inference profiles

Implementing least privilege access for Amazon Bedrock

Enable Amazon Bedrock cross-Region inference in multi-account environments

AWS OFFICIAL
Updated 6 months ago
2 Comments

Even without an SCP denial, I discovered I had to allow the action bedrock:GetInferenceProfile to use it! And of course to the model in each Region I'm trying to use.

{
  "Effect": "Allow",
  "Action": ["bedrock:InvokeModel*", "bedrock:Converse", "bedrock:GetInferenceProfile"],
  "Resource": [
    "arn:aws:bedrock:us-east-1::inference-profile/us.amazon.nova-micro-v1:0",
    "arn:aws:bedrock:us-east-1::foundation-model/amazon.nova-micro-v1:0",
    "arn:aws:bedrock:us-west-2::foundation-model/amazon.nova-micro-v1:0"
  ]
}
AWS
replied 5 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 5 months ago