
The Zero Trust Foundation: IAM Best Practices for GenAI
Security is non-negotiable. Learn how to implement the Principle of Least Privilege for your AI models, data sources, and Lambda executors using AWS IAM.
Lock Down the Brain
In a world where AI agents can call APIs and modify databases, your security is only as strong as your Identity and Access Management (IAM) policy. If you give your Bedrock Agent AdministratorAccess, a single prompt injection could let an attacker wipe out resources across your entire AWS account.
In the AWS Certified Generative AI Developer – Professional exam, Domain 3 focuses heavily on Identity and Access Control. In this lesson, we will master the IAM best practices that separate a "Junior Developer" from a "Professional GenAI Architect."
1. The Principle of Least Privilege
The golden rule of AWS security: Give a service exactly what it needs to do its job, and nothing more.
Bad Practice:
Assigning AmazonBedrockFullAccess to a Lambda function that only needs to call a single Claude model.
Pro Practice:
Writing a custom policy that allows bedrock:InvokeModel ONLY on the ARN of one specific model.
2. IAM Service Roles for GenAI
Many GenAI services need to "assume" a role to act on your behalf.
- Bedrock Execution Role: Used by a Bedrock Agent to call Lambda functions or read from S3.
- Knowledge Base Execution Role: Used by a Knowledge Base to call the Embedding model and write to the Vector Store.
- Lambda Execution Role: Used by your code to call the Bedrock API.
The "Trust Policy"
For a service to use a role, you must configure a Trust Policy. This tells IAM: "I allow the service bedrock.amazonaws.com to assume this specific role."
```mermaid
graph LR
A[Amazon Bedrock] -->|AssumeRole| B[IAM Execution Role]
B -->|Permission| C[S3: GetObject]
B -->|Permission| D[Lambda: Invoke]
style B fill:#f96,stroke:#333,stroke-width:2px
```
3. Resource-Level Permissions
In a professional environment, you often have multiple models and multiple data buckets. You must use Resource ARNs to isolate them.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "bedrock:InvokeModel",
      "Resource": "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-secure-ai-bucket/*"
    }
  ]
}
```
This policy ensures the application can only use one specific model and read from one specific bucket.
4. Permission Boundaries
A Permission Boundary is an advanced IAM feature that sets the "Maximum possible permissions" a role can have. Even if you accidentally add AdministratorAccess to a developer's role later, if the Permission Boundary says "No S3 Deletes," the developer will never be able to delete a bucket.
Why use it in GenAI? To ensure that even if an AI Agent "goes rogue" or is exploited, it can never perform destructive actions like deleting models or changing IAM policies.
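To make sections 3 and 4 concrete, here is a simplified evaluator of IAM's Allow/Deny logic, added as an illustration and not part of the lesson or of any AWS library. It reuses the lesson's bucket name and model ARN; the over-broad identity policy, the boundary document and the evaluator itself are constructed assumptions, and the model ignores NotAction, NotResource and Condition keys.

```python
import fnmatch

# Constructed sample documents (not from the lesson): an over-broad identity
# policy, and a permission boundary that caps what the role may ever do.
ADMIN_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

MODEL_ARN = "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"

GENAI_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["bedrock:InvokeModel", "s3:GetObject"],
         "Resource": [MODEL_ARN, "arn:aws:s3:::my-secure-ai-bucket/*"]},
        # Explicit deny: destructive S3 calls are blocked even if granted elsewhere.
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}

def _matches(patterns, value, fold_case):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow' or 'Implicit' (no match).
    Simplified model: Action/Resource only, no NotAction, NotResource or Condition."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not (_matches(stmt.get("Action", []), action, True)
                and _matches(stmt.get("Resource", []), resource, False)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny always wins
        decision = "Allow"
    return decision

def is_allowed(action, resource, identity_policy, boundary=None):
    """Effective permission: the identity policy must Allow, and if a boundary
    is attached it must Allow too (a boundary never grants anything on its own)."""
    if evaluate(identity_policy, action, resource) != "Allow":
        return False
    return boundary is None or evaluate(boundary, action, resource) == "Allow"
```

With the boundary attached, the "admin" role can still invoke the one model and read the one bucket, but s3:DeleteBucket is denied and iam:PutRolePolicy falls to an implicit deny because the boundary never allows it.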
5. Cross-Account Access for Models
In large enterprises, you might have your data in "Account A" but your Bedrock models configured in "Account B" (a shared AI service account).
- You must use Resource-based Policies (like an S3 Bucket Policy) or Cross-Account Roles to bridge this gap.
- Exam Tip: Remember that for cross-account access, permissions must be granted in BOTH accounts.
6. Code Example: Checking Permissions Programmatically
```python
import boto3

# A professional script to verify the caller identity before doing any work
def verify_security_context():
    """Print the identity the SDK is using and flag an unexpected role."""
    sts = boto3.client('sts')
    identity = sts.get_caller_identity()
    print(f"Account: {identity['Account']}")
    print(f"Role/User Arn: {identity['Arn']}")
    # Check that this role is actually the expected least-privilege one
    if "ai-limited-role" not in identity['Arn']:
        print("WARNING: Using highly privileged identity! Revoke immediately.")
        return False
    return True


if __name__ == "__main__":
    verify_security_context()
```
Knowledge Check: Test Your IAM Knowledge
An AI agent needs to read internal manuals from an S3 bucket and then call a custom Lambda function to generate a report. Following the 'Principle of Least Privilege', what is the most secure way to configure the agent's permissions?
Summary
IAM is the "Digital Vault" around your AI. If you get this wrong, your data is at risk. If you get it right, you can build autonomous systems with confidence. In the next lesson, we will dive deeper into Fine-grained Policies and how to use Condition Keys.
Next Lesson: Precision Security: Fine-grained Policies and Condition Keys