AWS Machine Learning Blog, September 24, 2024
Govern generative AI in the enterprise with Amazon SageMaker Canvas

 

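With the rise of powerful foundation models (FMs) supported by services such as Amazon Bedrock and Amazon SageMaker JumpStart, enterprises want fine-grained control over which users and groups can access and use these models. This is critical for compliance, security, and governance.

Launched in 2021, Amazon SageMaker Canvas is a visual point-and-click service that lets business analysts and citizen data scientists use ready-made machine learning (ML) models and build custom ML models to generate accurate predictions without writing any code. SageMaker Canvas provides a no-code interface for using a range of FMs from both services out of the box, and for customizing model responses with a Retrieval Augmented Generation (RAG) workflow that uses Amazon Kendra as a knowledge base, or fine-tuning with a labeled dataset. This simplifies access to generative artificial intelligence (AI) capabilities for business analysts and data scientists, with no technical knowledge or code required, which improves productivity.

This post analyzes strategies for governing access to Amazon Bedrock and SageMaker JumpStart models within SageMaker Canvas using AWS Identity and Access Management (IAM) policies. You will learn how to create fine-grained permissions that control the invocation of ready-made Amazon Bedrock models and prevent the provisioning of SageMaker endpoints with specified SageMaker JumpStart models. We provide code examples for common enterprise governance scenarios. By the end, you will understand how to lock down access to generative AI capabilities according to organizational requirements, keeping the use of cutting-edge AI secure and compliant in the no-code SageMaker Canvas environment.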

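**Limit access to all Amazon Bedrock models**

To restrict access to all Amazon Bedrock models, you can modify the SageMaker role to explicitly deny these APIs. This makes sure no user can invoke any Amazon Bedrock model through SageMaker Canvas.

The following is an example IAM policy to achieve this:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": "*"
        }
    ]
}
```

The policy uses the following parameters:

* "Effect": "Deny" specifies that the following actions are denied
* "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"] specifies the Amazon Bedrock APIs that are denied
* "Resource": "*" indicates that the denial applies to all Amazon Bedrock models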

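**Limit access to specific Amazon Bedrock models**

You can extend the preceding IAM policy to restrict access to specific Amazon Bedrock models by specifying the model IDs in the Resource section of the policy. This way, users can only invoke the allowed models.

The following is an example of the extended IAM policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": [
                "arn:aws:bedrock:<region-or-*>::foundation-model/<model-id-1>",
                "arn:aws:bedrock:<region-or-*>::foundation-model/<model-id-2>"
            ]
        }
    ]
}
```

In this policy, the Resource array lists the specific Amazon Bedrock models that are denied. Provide the AWS Region, account, and model IDs appropriate for your environment.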

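**Limit access to all SageMaker JumpStart models**

To limit access to all SageMaker JumpStart models, configure the SageMaker role to block the CreateEndpointConfig and CreateEndpoint APIs on any SageMaker JumpStart model ID. This prevents the creation of endpoints using these models. See the following code:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateEndpoint"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/sagemaker-sdk:jumpstart-model-id": "false"
                }
            }
        }
    ]
}
```

The policy uses the following parameters:

* "Effect": "Deny" specifies that the following actions are denied
* "Action": ["sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint"] specifies the SageMaker APIs that are denied
* The "Null" condition operator in AWS IAM policies checks whether a key exists. It doesn't check the key's value, only its presence or absence
* "aws:RequestTag/sagemaker-sdk:jumpstart-model-id": "false" matches requests in which the tag is present, so the denial applies to all SageMaker JumpStart models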

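**Limit access and deployment for specific SageMaker JumpStart models**

Similar to Amazon Bedrock models, you can limit access to specific SageMaker JumpStart models by specifying their model IDs in the IAM policy. To achieve this, an administrator needs to restrict users from creating endpoints with unauthorized models. For example, to deny access to Hugging Face FLAN T5 models and MPT models, use the following code:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateEndpoint"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/sagemaker-sdk:jumpstart-model-id": [
                        "huggingface-text2text-flan-t5-*",
                        "huggingface-textgeneration1-mpt-7b-*"
                    ]
                }
            }
        }
    ]
}
```

The policy uses the following parameters:

* "Effect": "Deny" specifies that the following actions are denied
* "Action": ["sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint"] specifies the SageMaker APIs that are denied
* The "StringLike" condition operator checks whether the value of the request tag matches one of the specified patterns
* "aws:RequestTag/sagemaker-sdk:jumpstart-model-id": ["huggingface-text2text-flan-t5-*", "huggingface-textgeneration1-mpt-7b-*"] indicates that the denial applies to SageMaker JumpStart model IDs that start with these prefixes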

With the rise of powerful foundation models (FMs) powered by services such as Amazon Bedrock and Amazon SageMaker JumpStart, enterprises want to exercise granular control over which users and groups can access and use these models. This is crucial for compliance, security, and governance.

Launched in 2021, Amazon SageMaker Canvas is a visual point-and-click service that allows business analysts and citizen data scientists to use ready-to-use machine learning (ML) models and build custom ML models to generate accurate predictions without writing any code. SageMaker Canvas provides a no-code interface to consume a broad range of FMs from both services in an off-the-shelf fashion, as well as to customize model responses using a Retrieval Augmented Generation (RAG) workflow using Amazon Kendra as a knowledge base or fine-tune using a labeled dataset. This simplifies access to generative artificial intelligence (AI) capabilities to business analysts and data scientists without the need for technical knowledge or having to write code, thereby accelerating productivity.

In this post, we analyze strategies for governing access to Amazon Bedrock and SageMaker JumpStart models from within SageMaker Canvas using AWS Identity and Access Management (IAM) policies. You’ll learn how to create granular permissions to control the invocation of ready-to-use Amazon Bedrock models and prevent the provisioning of SageMaker endpoints with specified SageMaker JumpStart models. We provide code examples tailored to common enterprise governance scenarios. By the end, you’ll understand how to lock down access to generative AI capabilities based on your organizational requirements, maintaining secure and compliant use of cutting-edge AI within the no-code SageMaker Canvas environment.

This post covers an increasingly important topic as more powerful AI models become available, making it a valuable resource for ML operators, security teams, and anyone governing AI in the enterprise.

Solution overview

The following diagram illustrates the solution architecture.

The architecture of SageMaker Canvas allows business analysts and data scientists to interact with ML models without writing any code. However, managing access to these models is crucial for maintaining security and compliance. When a user interacts with SageMaker Canvas, the operations they perform, such as invoking a model or creating an endpoint, are run by the SageMaker service role. SageMaker user profiles can either inherit the default role from the SageMaker domain or have a user-specific role.

By customizing the policies attached to this role, you can control what actions are permitted or denied, thereby governing the access to generative AI capabilities. As part of this post, we discuss which IAM policies to use for this role to control operations within SageMaker Canvas, such as invoking models or creating endpoints, based on enterprise organizational requirements. We analyze two patterns for both Amazon Bedrock models and SageMaker JumpStart models: limiting access to all models from a service or limiting access to specific models.

Govern Amazon Bedrock access to SageMaker Canvas

To use Amazon Bedrock models, SageMaker Canvas calls the following Amazon Bedrock APIs:

* bedrock:InvokeModel
* bedrock:InvokeModelWithResponseStream

Additionally, SageMaker Canvas can call the bedrock:FineTune API to fine-tune large language models (LLMs) with Amazon Bedrock. At the time of writing, SageMaker Canvas only allows fine-tuning of Amazon Titan models.

To use a specific LLM from Amazon Bedrock, SageMaker Canvas uses the model ID of the chosen LLM as part of the API calls. At the time of writing, SageMaker Canvas supports the following models from Amazon Bedrock, grouped by model provider:

For the complete list of model IDs for Amazon Bedrock, see Amazon Bedrock model IDs.

Limit access to all Amazon Bedrock models

To restrict access to all Amazon Bedrock models, you can modify the SageMaker role to explicitly deny these APIs. This makes sure no user can invoke any Amazon Bedrock model through SageMaker Canvas.

The following is an example IAM policy to achieve this:

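```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": "*"
        }
    ]
}
```

The policy uses the following parameters:

* "Effect": "Deny" specifies that the following actions are denied
* "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"] specifies the Amazon Bedrock APIs that are denied
* "Resource": "*" indicates that the denial applies to all Amazon Bedrock models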

Limit access to specific Amazon Bedrock models

You can extend the preceding IAM policy to restrict access to specific Amazon Bedrock models by specifying the model IDs in the Resource section of the policy. This way, users can only invoke the allowed models.

The following is an example of the extended IAM policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": [
                "arn:aws:bedrock:<region-or-*>::foundation-model/<model-id-1>",
                "arn:aws:bedrock:<region-or-*>::foundation-model/<model-id-2>"
            ]
        }
    ]
}
```

In this policy, the Resource array lists the specific Amazon Bedrock models that are denied. Provide the AWS Region, account, and model IDs appropriate for your environment.
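What the `<region-or-*>` placeholder changes, as an added example that is not part of the original post: a simplified offline model of IAM wildcard matching applied to the `Resource` ARNs of the policy above. The helper names and the `example.model-*` IDs are constructed for illustration.

```python
import json
import re

ACTIONS = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]

def model_arn(region, model_id):
    return f"arn:aws:bedrock:{region}::foundation-model/{model_id}"

def deny_models_policy(model_ids, region="*"):
    """Build the Deny policy shown above; region='*' covers every Region."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ACTIONS,
            "Resource": [model_arn(region, m) for m in model_ids],
        }],
    }

def _glob(pattern, value):
    # Simplified model of IAM wildcards: '*' any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def is_denied(policy, action, arn):
    """True when a Deny statement covers this action on this model ARN."""
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if (stmt["Effect"] == "Deny" and action in stmt["Action"]
                and any(_glob(r, arn) for r in resources)):
            return True
    return False

# Constructed model IDs; substitute IDs from the Amazon Bedrock model ID list.
BLOCKED = ["example.model-a-v1", "example.model-b-v1"]
ALL_REGIONS = deny_models_policy(BLOCKED)              # <region-or-*> set to *
ONE_REGION = deny_models_policy(BLOCKED, "us-east-1")  # <region-or-*> set to one Region

if __name__ == "__main__":
    print(json.dumps(ALL_REGIONS, indent=2))
    for region in ("us-east-1", "eu-west-1"):
        arn = model_arn(region, "example.model-a-v1")
        print(region,
              is_denied(ALL_REGIONS, "bedrock:InvokeModel", arn),
              is_denied(ONE_REGION, "bedrock:InvokeModel", arn))
```

With a single Region in the ARN, the same model ID in another Region is not covered by the Deny statement, so use `*` unless the restriction is meant to be Region-specific.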

Govern SageMaker JumpStart access to SageMaker Canvas

For SageMaker Canvas to be able to consume LLMs from SageMaker JumpStart, it must perform the following operations:

1. Select the LLM from SageMaker Canvas or from the list of JumpStart Model IDs (link below).
2. Create an endpoint configuration and deploy the LLM on a real-time endpoint.
3. Invoke the endpoint to generate the prediction.

The following diagram illustrates this workflow.

For a list of available JumpStart model IDs, see JumpStart Available Model Table. At the time of writing, SageMaker Canvas supports the following model IDs:

To identify the right model from SageMaker JumpStart, SageMaker Canvas passes aws:RequestTag/sagemaker-sdk:jumpstart-model-id as part of the endpoint configuration. To learn more about other techniques to limit access to SageMaker JumpStart models using IAM permissions, refer to Manage Amazon SageMaker JumpStart foundation model access with private hubs.

Configure permissions to deploy endpoints through the UI

On the SageMaker domain configuration page on the SageMaker page of the AWS Management Console, you can configure SageMaker Canvas to be able to deploy SageMaker endpoints. This option also enables deployment of real-time endpoints for classic ML models, such as time series forecasting or classification. To enable model deployment, complete the following steps:

1. On the Amazon SageMaker console, navigate to your domain.
2. On the Domain details page, choose the App Configurations
3. In the Canvas section, choose Edit.
4. Turn on Enable direct deployment of Canvas models in the ML Ops configuration

Limit access to all SageMaker JumpStart models

To limit access to all SageMaker JumpStart models, configure the SageMaker role to block the CreateEndpointConfig and CreateEndpoint APIs on any SageMaker JumpStart Model ID. This prevents the creation of endpoints using these models. See the following code:

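```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateEndpoint"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/sagemaker-sdk:jumpstart-model-id": "false"
                }
            }
        }
    ]
}
```

This policy uses the following parameters:

* "Effect": "Deny" specifies that the following actions are denied
* "Action": ["sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint"] specifies the SageMaker APIs that are denied
* The "Null" condition operator in AWS IAM policies checks whether a key exists. It doesn't check the key's value, only its presence or absence
* "aws:RequestTag/sagemaker-sdk:jumpstart-model-id": "false" matches requests in which the tag is present, so the denial applies to all SageMaker JumpStart models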

Limit access and deployment for specific SageMaker JumpStart models

Similar to Amazon Bedrock models, you can limit access to specific SageMaker JumpStart models by specifying their model IDs in the IAM policy. To achieve this, an administrator needs to restrict users from creating endpoints with unauthorized models. For example, to deny access to Hugging Face FLAN T5 models and MPT models, use the following code:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateEndpoint"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/sagemaker-sdk:jumpstart-model-id": [
                        "huggingface-textgeneration1-mpt-7b-*",
                        "huggingface-text2text-flan-t5-*"
                    ]
                }
            }
        }
    ]
}
```

In this policy, the "StringLike" condition allows for pattern matching, enabling the policy to apply to multiple model IDs with similar prefixes.
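How the two JumpStart Deny conditions in this section evaluate against requests, as an added example that is not part of the original post: a simplified offline model of the `Null` and `StringLike` operators applied to constructed request contexts. The helper names and the sample tag values are assumptions.

```python
import re

TAG = "aws:RequestTag/sagemaker-sdk:jumpstart-model-id"
ACTIONS = ["sagemaker:CreateEndpointConfig", "sagemaker:CreateEndpoint"]

def deny_statement(condition):
    return {"Effect": "Deny", "Action": ACTIONS, "Resource": "*", "Condition": condition}

# The two Deny statements from this section.
DENY_ALL_JUMPSTART = deny_statement({"Null": {TAG: "false"}})
DENY_FAMILIES = deny_statement({"StringLike": {TAG: [
    "huggingface-textgeneration1-mpt-7b-*", "huggingface-text2text-flan-t5-*"]}})

def _like(pattern, value):
    # StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None

def _condition_matches(operator, key, expected, context):
    present = key in context
    if operator == "Null":
        # "true" matches a request without the key, "false" one that carries it.
        return present == (expected == "false")
    if operator == "StringLike":
        patterns = expected if isinstance(expected, list) else [expected]
        return present and any(_like(p, context[key]) for p in patterns)
    raise ValueError(f"operator not modelled here: {operator}")

def is_denied(statement, action, context):
    """True when the Deny statement applies to this action and request context."""
    if action not in statement["Action"]:
        return False
    return all(
        _condition_matches(op, key, expected, context)
        for op, keys in statement["Condition"].items()
        for key, expected in keys.items()
    )

def request(model_id=None):
    """Constructed request context; omit model_id for a request without the tag."""
    return {TAG: model_id} if model_id else {}

if __name__ == "__main__":
    # Sample tag values are constructed for illustration.
    for mid in ("huggingface-text2text-flan-t5-xl", "example-other-model", None):
        ctx = request(mid)
        print(mid, is_denied(DENY_ALL_JUMPSTART, "sagemaker:CreateEndpoint", ctx),
              is_denied(DENY_FAMILIES, "sagemaker:CreateEndpoint", ctx))
```

A request that carries no `jumpstart-model-id` tag matches neither statement, so both policies leave untagged endpoint creation to whatever else the role allows.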

Clean up

To avoid incurring future workspace instance charges, log out of SageMaker Canvas when you’re done using the application. Optionally, you can configure SageMaker Canvas to automatically shut down when idle.

Conclusion

In this post, we demonstrated how SageMaker Canvas invokes LLMs powered by Amazon Bedrock and SageMaker JumpStart, and how enterprises can govern access to these models, whether you want to limit access to specific models or to any model from either service. You can combine the IAM policies shown in this post in the same IAM role to provide complete control.

By following these guidelines, enterprises can make sure their use of generative AI models is both secure and compliant with organizational policies. This approach not only safeguards sensitive data but also empowers business analysts and data scientists to harness the full potential of AI within a controlled environment.

Now that your environment is configured according to the enterprise standard, we suggest reading the following posts to learn what SageMaker Canvas enables you to do with generative AI:


About the Authors

Davide Gallitelli is a Senior Specialist Solutions Architect GenAI/ML. He is Italian, based in Brussels, and works closely with customers all around the world on Generative AI workloads and Low-Code No-Code ML technology. He has been a developer since he was very young, starting to code at the age of 7. He started learning AI/ML in his later years of university, and has fallen in love with it since then.

Lijan Kuniyil is a Senior Technical Account Manager at AWS. Lijan enjoys helping AWS enterprise customers build highly reliable and cost-effective systems with operational excellence. Lijan has more than 25 years of experience in developing solutions for financial and consulting companies.

Saptarshi Banerjee serves as a Senior Partner Solutions Architect at AWS, collaborating closely with AWS Partners to design and architect mission-critical solutions. With a specialization in generative AI, AI/ML, serverless architecture, and cloud-based solutions, Saptarshi is dedicated to enhancing performance, innovation, scalability, and cost-efficiency for AWS Partners within the cloud ecosystem.
