
Commit c9c2202

author
Bob Strahan
committed
Update Bedrock knowledge base configuration for S3 vectors and security
1 parent 2f84739 commit c9c2202


2 files changed

+26
-21
lines changed


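--- a/options/bedrockkb/src/s3_vectors_manager/handler.py
+++ b/options/bedrockkb/src/s3_vectors_manager/handler.py
@@ -335,11 +335,11 @@ def create_vector_index(s3vectors_client, bucket_name, index_name):
 indexName=index_name,
 dataType="float32",
 dimension=1024, # All embedding models in picklist output 1024
-distanceMetric="cosine",
+distanceMetric="euclidean",
 metadataConfiguration={
 "nonFilterableMetadataKeys": [
 "AMAZON_BEDROCK_METADATA",
-"AMAZON_BEDROCK_TEXT_CHUNK"
+"AMAZON_BEDROCK_TEXT"
 ]
 }
 )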
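Review bot: The switch to `distanceMetric="euclidean"` is the one configuration line in this call without a rationale comment, while the neighbouring `dimension=1024` carries one; record why cosine was dropped, e.g. `distanceMetric="euclidean",  # index metric must agree with what the knowledge base queries with — confirm for the selected embedding model`. The `dimension=1024` comment hard-codes an assumption about the model picklist; if a model with a different output size were added, index creation would proceed with a mismatched dimension, so naming the source of that value (or validating it against the chosen model) would make the assumption checkable. The enclosing create_vector_index body starts before and ends after this hunk.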

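--- a/options/bedrockkb/template.yaml
+++ b/options/bedrockkb/template.yaml
@@ -686,7 +686,7 @@ Resources:
 Effect: Allow
 Action:
 - bedrock:InvokeModel
-Resource: !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}::foundation-model/*"
+Resource: !Sub "arn:${AWS::Partition}:bedrock:${AWS::Region}::foundation-model/${pEmbedModel}"
 - !If
 - UseOpenSearchServerless
 - PolicyName: oss-api-access
@@ -708,20 +708,15 @@ Resources:
 - Sid: S3VectorsAccess
 Effect: Allow
 Action:
-- s3vectors:GetVectors
-- s3vectors:PutVectors
+- s3vectors:GetIndex
 - s3vectors:QueryVectors
+- s3vectors:PutVectors
+- s3vectors:GetVectors
 - s3vectors:DeleteVectors
-- s3vectors:DescribeVectorIndex
-- s3vectors:GetIndex
-- s3vectors:ListIndexes
-Resource:
-- !Sub
-- "arn:${AWS::Partition}:s3vectors:${AWS::Region}:${AWS::AccountId}:bucket/${BucketName}"
-- BucketName: !GetAtt S3VectorBucketAndIndex.BucketName
-- !Sub
-- "arn:${AWS::Partition}:s3vectors:${AWS::Region}:${AWS::AccountId}:bucket/${BucketName}/*"
-- BucketName: !GetAtt S3VectorBucketAndIndex.BucketName
+Resource: !GetAtt S3VectorBucketAndIndex.IndexArn
+Condition:
+StringEquals:
+aws:ResourceAccount: !Sub ${AWS::AccountId}
 - !Ref "AWS::NoValue"
 - !If
 - IsS3DataSource
@@ -733,12 +728,22 @@ Resources:
 Effect: Allow
 Action:
 - s3:ListBucket
-Resource: !Sub "arn:${AWS::Partition}:s3:::${pKnowledgeBaseBucketName}"
+Resource:
+- !Sub "arn:${AWS::Partition}:s3:::${pKnowledgeBaseBucketName}"
+- !GetAtt S3VectorBucketAndIndex.BucketArn
+Condition:
+StringEquals:
+aws:ResourceAccount: !Sub ${AWS::AccountId}
 - Sid: S3GetObject
 Effect: Allow
 Action:
 - s3:GetObject
-Resource: !Sub "arn:${AWS::Partition}:s3:::${pKnowledgeBaseBucketName}/*"
+Resource:
+- !Sub "arn:${AWS::Partition}:s3:::${pKnowledgeBaseBucketName}/*"
+- !GetAtt S3VectorBucketAndIndex.BucketArn
+Condition:
+StringEquals:
+aws:ResourceAccount: !Sub ${AWS::AccountId}
 - !Ref "AWS::NoValue"
 - !If
 - IsCustomerManagedKey
@@ -748,12 +753,12 @@ Resources:
 Statement:
 - Effect: Allow
 Action:
-- kms:Encrypt
+- kms:GenerateDataKey
 - kms:Decrypt
-- kms:ReEncrypt*
-- kms:GenerateDataKey*
-- kms:DescribeKey
 Resource: !Ref pCustomerManagedEncryptionKeyArn
+Condition:
+StringEquals:
+kms:ViaService: !Sub "s3.${AWS::Region}.${AWS::URLSuffix}"
 - !Ref "AWS::NoValue"
 
 #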
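Review bot: In the `@@ -733,12 +728,22 @@` hunk, `!GetAtt S3VectorBucketAndIndex.BucketArn` is added as a Resource for `s3:GetObject`, but an object-level action only matches object ARNs ending in `/*`, so that entry grants nothing; under `s3:ListBucket` it would only take effect if the attribute is a plain `arn:…:s3:::` bucket, which the `s3vectors:` bucket ARNs removed in the previous hunk suggest it is not — either drop both entries or point them at the resource actually intended. In the `@@ -748,12 +753,12 @@` hunk, `kms:ViaService` is restricted to `s3.${AWS::Region}.${AWS::URLSuffix}`, so any use of the customer-managed key that is not brokered by S3 (for example if the vector index or the knowledge base itself is encrypted with the same key) would now be denied; confirm which services call KMS with this key and list each of them, since `StringEquals` accepts a list of values. Dropping `kms:DescribeKey` is normally fine for SSE-KMS but is worth a quick check against any other caller that assumes this role.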
