
Commit 40313be

committed
Add KMS permissions directly to the Bedrock execution role policy
1 parent ec852cd commit 40313be

2 files changed

+8
-9
lines changed

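--- a/packages/cdk/resources/IamResources.ts
+++ b/packages/cdk/resources/IamResources.ts
@@ -56,6 +56,12 @@ export class IamResources extends Construct {
 s3AccessGetPolicy.addResources(`${props.kbDocsBucket.bucketArn}/*`)
 s3AccessGetPolicy.addCondition("StringEquals", {"aws:ResourceAccount": props.account})
 
+// KMS permissions for S3 bucket encryption
+const kmsAccessPolicy = new PolicyStatement()
+kmsAccessPolicy.addActions("kms:Decrypt", "kms:DescribeKey")
+kmsAccessPolicy.addResources("*")
+kmsAccessPolicy.addCondition("StringEquals", {"aws:ResourceAccount": props.account})
+
 // Create managed policy for Bedrock execution role
 const bedrockExecutionManagedPolicy = new ManagedPolicy(this, "BedrockExecutionManagedPolicy", {
 description: "Policy for Bedrock Knowledge Base to access S3 and OpenSearch"
@@ -65,6 +71,7 @@ export class IamResources extends Construct {
 bedrockExecutionManagedPolicy.addStatements(bedrockOSSPolicyForKnowledgeBase)
 bedrockExecutionManagedPolicy.addStatements(s3AccessListPolicy)
 bedrockExecutionManagedPolicy.addStatements(s3AccessGetPolicy)
+bedrockExecutionManagedPolicy.addStatements(kmsAccessPolicy)
 
 // Create Bedrock execution role with managed policy
 this.bedrockExecutionRole = new Role(this, "EpsAssistMeBedrockExecutionRole", {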
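Review bot: `kmsAccessPolicy.addResources("*")` guarded only by `aws:ResourceAccount` lets the Bedrock execution role call `kms:Decrypt` on every KMS key in the account, which is much broader than the key-policy statement this commit removes from EpsAssistMeStack.ts, since that one was attached to a single key. Scope the statement to the bucket key's ARN instead (the key appears reachable as `props.kbDocsBucket.encryptionKey` if the bucket was created with one, or it can be passed in through props), and add `kmsAccessPolicy.addCondition("StringEquals", {"kms:ViaService": "s3.<region>.amazonaws.com"})` using the stack's region so the grant is only exercisable through S3. Note also that an identity-policy grant on KMS only takes effect if the key policy delegates to IAM (the default key policy does); with the explicit key-policy grant gone, confirm the bucket key's policy still permits that, otherwise decryption will fail at runtime. The enclosing constructor begins before this hunk.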

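--- a/packages/cdk/stacks/EpsAssistMeStack.ts
+++ b/packages/cdk/stacks/EpsAssistMeStack.ts
@@ -60,15 +60,7 @@ export class EpsAssistMeStack extends Stack {
 kbDocsBucket: storage.kbDocsBucket.bucket
 })
 
-// Update storage with bedrock role for KMS access
-if (storage.kbDocsBucket.kmsKey) {
-storage.kbDocsBucket.kmsKey.addToResourcePolicy(new PolicyStatement({
-effect: Effect.ALLOW,
-principals: [new ArnPrincipal(iamResources.bedrockExecutionRole.roleArn)],
-actions: ["kms:Decrypt", "kms:DescribeKey"],
-resources: ["*"]
-}))
-}
+
 
 // Create OpenSearch Resources
 const openSearchResources = new OpenSearchResources(this, "OpenSearchResources", {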
