GRREGIONDENY policy preventing implementation of Bedrock #211

@Waqiah

Description

Receiving the following error when trying to implement Bedrock due to the GRREGIONDENY SCP:
"User: arn:aws:sts::123456789012:assumed-role/AmazonBedrockExecutionRoleForAgents_ABCD1234567/BedrockAgents-xxxxxx is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:::foundation-model/anthropic.claude-3-5-haiku-20241022-v1:0 with an explicit deny in a service control policy"

According to the below document, us.anthropic.claude-3-5-haiku-20241022-v1:0 cross-region inference profile requests can be routed to one of us-east-1, us-east-2, or us-west-2:
https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-support.html

Creating this Feature Request to allow the Bedrock service to be added to the existing exclusion mechanism as used by GRREGIONDENY,
or to allow users to govern authorized regions for inference using inference profiles in Bedrock, which could be modeled as custom inference profiles or a separate guardrail resource that governs which regions Bedrock will select from an inference profile.

The following workarounds in the meantime have been noted:

  1. (Recommended) Migrate to OU-level region deny, use the built-in exemption feature to exempt bedrock:Invoke* from the OU-level region deny in addition to adopting the OU-level region deny control CTMULTISERVICEPV1. Optionally, a custom SCP statement can be added to deny bedrock:Invoke* when a request is made to an undesired region.

  2. Configure the Landing Zone level control (GRREGIONDENY) with additional regions required for cross-region inference (e.g. us-east-2). To ensure that actions other than bedrock:InvokeModel cannot be used in the new region, a custom SCP can be used to deny all operations in the new region with a condition based on the bedrock:InferenceProfileArn condition key as described here:
    https://aws.amazon.com/blogs/machine-learning/enable-amazon-bedrock-cross-region-inference-in-multi-account-environments/

However, these workarounds are not viable for large Organizations with a large number of OUs and accounts.
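The SCP below is an added illustration of the two workarounds described in this issue; it is not code from the issue author or from the Control Tower project. It assumes a home region of us-east-1 and uses the three US routing regions named above. The first statement is a simplified region deny (the real GRREGIONDENY control carries a much longer NotAction list of global services and principal exemptions, which would be merged in here); it exempts bedrock:Invoke* as in workaround 1. The second statement adds the optional deny of bedrock:Invoke* outside the inference-profile regions. The third statement follows workaround 2: it uses the bedrock:InferenceProfileArn condition key so that Bedrock invocations outside the home region are only allowed when the request names an inference profile, so a direct foundation-model call in us-east-2 or us-west-2 is still denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllOutsideHomeRegionExceptBedrockInvoke",
      "Effect": "Deny",
      "NotAction": [
        "bedrock:Invoke*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1"
          ]
        }
      }
    },
    {
      "Sid": "DenyBedrockInvokeOutsideInferenceProfileRegions",
      "Effect": "Deny",
      "Action": "bedrock:Invoke*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "us-east-1",
            "us-east-2",
            "us-west-2"
          ]
        }
      }
    },
    {
      "Sid": "RequireInferenceProfileForBedrockInvokeOutsideHomeRegion",
      "Effect": "Deny",
      "Action": "bedrock:Invoke*",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": "us-east-1"
        },
        "Null": {
          "bedrock:InferenceProfileArn": "true"
        }
      }
    }
  ]
}
```

The "Null" operator in the third statement matches requests where the bedrock:InferenceProfileArn key is absent, which is exactly the case for a direct foundation-model invocation; a request routed through an inference profile carries the key and falls through to the second statement, which only permits the three listed regions. Because the deny in the original error is raised against the region the request was routed to, attach this policy to a test OU and confirm both a cross-region inference call and a plain regional InvokeModel call behave as intended before rolling it out.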

Labels: enhancement (New feature or request)