Expand Bedrock permissions

policies/sc-developer/FAQ.md

@@ -0,0 +1,94 @@
+## FAQ: Bedrock IAM Naming Guidance
+
+### Why do some Bedrock IAM operations fail even though this permission set allows IAM actions?
+
+The IAM permissions in this policy are not broad admin permissions. They are scoped to specific IAM role and policy name patterns. If the role or policy name falls outside those patterns, IAM create, attach, or update calls will be denied.
+
+### Which Bedrock execution role names are expected to work?
+
+These role name patterns are explicitly allowed for Bedrock-style service roles:
+
+- `service-role/AmazonBedrockExecutionRoleForAgents*`
+- `service-role/AmazonBedrockExecutionRoleForFlows*`
+- `service-role/AmazonBedrockExecutionRoleForKnowledgeBase*`
+
+In practice, the safest approach is to keep the AWS Bedrock base name intact and only add a suffix after it when a custom name is needed.
+
+Examples:
+
+- `AmazonBedrockExecutionRoleForAgents`
+- `AmazonBedrockExecutionRoleForAgents-usw2`
+- `AmazonBedrockExecutionRoleForKnowledgeBase-prod`
+- `AmazonBedrockExecutionRoleForFlows-demo`
+
+Examples that will not match:
+
+- `BedrockExecutionRoleForAgents`
+- `MyAmazonBedrockRole`
+- `kb-prod-role`
+
+### Which Lambda or helper role names are expected to work?
+
+The policy also allows create or attach operations for these service-role patterns:
+
+- `service-role/agentChatFunction-role-*`
+- `service-role/*AgentFunction-role-*`
+- `service-role/*documentWriterToS3*`
+- `service-role/*SLMSurveyScaleLookup*`
+
+If your deployment creates helper functions for an agent or knowledge base workflow, the role name needs to preserve one of those strings. Renaming them to a generic application role name will likely break IAM access under this permission set.
+
+### Which customer-managed policy names are expected to work?
+
+Create and policy-version actions are scoped to these policy name patterns:
+
+- `*AmazonBedrockAgentBedrockFoundationModelPolicy*`
+- `*AmazonBedrockS3PolicyForKnowledgeBase*`
+- `*AmazonBedrockOSSPolicyForKnowledgeBase*`
+- `*AmazonBedrockAgentRetrieveKnowledgeBasePolicy*`
+- `*AmazonBedrockFoundationModelPolicyForKnowledgeBase*`
+- `*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*`
+- `*AmazonBedrockAgentsMultiAgentsPolicies*`
+- `*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*`
+- `*AmazonBedrockFoundationModelPolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*`
+- `*AWSLambdaBasicExecutionRole*`
+
+These are substring matches, not strict prefixes, but the Bedrock-specific names still need to appear in the policy name. A completely custom name such as `team-bedrock-kb-policy` will not match these allowed resources.
+
+### What is the naming rule of thumb?
+
+Use AWS or Bedrock-generated names where possible. If you need a custom name, extend the allowed base name instead of replacing it.
+
+Good pattern:
+
+- start with the allowed Bedrock string
+- append environment, region, or workload suffixes after that base name
+- keep the role under the `service-role/` path when the service expects a service role
+
+Risky pattern:
+
+- invent a new prefix
+- shorten the Bedrock string
+- move the identifying Bedrock text to a tag only
+
+### What operations are most sensitive to naming?
+
+Naming matters most for:
+
+- `iam:CreateRole`
+- `iam:AttachRolePolicy`
+- `iam:PutRolePolicy`
+- `iam:CreatePolicy`
+- `iam:CreatePolicyVersion`
+- `iam:DeletePolicyVersion`
+
+If the target role or policy ARN does not match one of the allowed patterns, those actions will fail even if the same workflow can still list or read IAM resources.
+
+### Can I use completely custom Bedrock role or policy names?
+
+Not with this permission set as written. If a project needs a new naming convention, this policy must be expanded to include the new role or policy ARN pattern.
+
+### What should I do when I am unsure which name to pick?
+
+Use the default name generated by the AWS Bedrock console or generated by the automation you are following, then add only a small suffix if uniqueness is required. That keeps the resource inside the currently permitted IAM scope.
+

policies/sc-developer/policy.tf

@@ -51,45 +51,45 @@ data "aws_iam_policy_document" "inline" {
     effect    = "Allow"
     resources = ["*"]
     actions = [
-      "athena:*",
+      "aoss:*",
       "apigateway:*",
+      "athena:*",
       "bedrock:*",
-      "logs:*",
       "cloudshell:*",
       "cloudwatch:*",
       "codebuild:*",
       "codecommit:*",
       "codedeploy:*",
       "codepipeline:*",
-      "dynamodb:*",
       "dms:*",
+      "dynamodb:*",
       "ebs:*",
       "ecr:*",
       "ecs:*",
       "eks:*",
       "elasticfilesystem:*",
       "elasticloadbalancing:*",
+      "elasticloadbalancingv2:*",
+      "elasticmapreduce:*",
+      "es:*",
       "firehose:*",
+      "glue:*",
       "inspector2:BatchGet*",
       "inspector2:Describe*",
       "inspector2:Get*",
       "inspector2:List*",
-      "elasticloadbalancingv2:*",
-      "elasticmapreduce:*",
-      "es:*",
-      "aoss:*",
-      "glue:*",
+      "kinesis:*",
       "lambda:*",
+      "logs:*",
       "mq:*",
       "quicksight:*",
       "rds:*",
       "s3:*",
+      "sagemaker:*",
       "secretsmanager:*",
-      "states:*",
       "sqs:*",
-      "kinesis:*",
+      "states:*",
       "transfer:*",
-      "sagemaker:*",
     ]
   }
   statement {
@@ -239,16 +239,63 @@ data "aws_iam_policy_document" "inline" {
       format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "elasticloadbalancing", "ElasticLoadBalancing*")),
       format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "mq", "MQ*")),
       format(local.all_account_arn_iam, format("role/aws-service-role/%v.amazonaws.com/AWSServiceRoleFor%v", "rds", "RDS*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForKnowledgeBase*")),
     ]
     actions = [
       "iam:PutRolePolicy",
       "iam:AttachRolePolicy",
     ]
   }
-  #  statement {
-  #    sid    = "AllowServiceLinkedRoleCreate"
-  #    effect = "Allow"
-  #    resources = [
+  statement {
+    sid       = "AllowIAMRoleRead"
+    effect    = "Allow"
+    resources = [
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForAgents*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForFlows*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "AmazonBedrockExecutionRoleForKnowledgeBase*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "agentChatFunction-role-*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "*AgentFunction-role-*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "*documentWriteToS3*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "*write-to-s3*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "*write_to_s3*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "*SurveyScaleLookup*")),
+      format(local.all_account_arn_iam, format("role/service-role/%v", "action_group_quick_start*")),
+    ]
+    actions = [
+      "iam:AttachRolePolicy",
+      "iam:CreateRole",
+    ]
+  }
+  statement {
+    sid       = "AllowIAMPolicyCreate"
+    effect    = "Allow"
+    resources = [
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentBedrockFoundationModelPolicy*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockOSSPolicyForKnowledgeBase*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentRetrieveKnowledgeBasePolicy*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentInferenceProfilesCrossRegionPolicy*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentsMultiAgentsPolicies*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockS3PolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockFoundationModelPolicyForKnowledgeBase_AmazonBedrockExecutionRoleForAgents*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AWSLambdaBasicExecutionRole*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentS3Policy*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockInferenceProfilePolicyForKnowledgeBase*")),
+      format(local.all_account_arn_iam, format("policy/%v", "*AmazonBedrockAgentQuickCreateLambdaPolicy*")),
+    ]
+    actions = [
+      "iam:CreatePolicy",
+      "iam:CreatePolicyVersion",
+      "iam:DeletePolicyVersion",
+    ]
+  }
+  # Service Linked roles are created per account in common/service-linked-roles.tf
+  # statement {
+  #   sid = "AllowServiceLinkedRoleCreate"
+  #   effect = "Allow"
+  #   resources = [
   #      "arn:aws-us-gov:iam::*:role/aws-service-role/dynamodb.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_DynamoDBTable",
   #      "arn:aws-us-gov:iam::*:role/aws-service-role/ecs.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_ECSService",
   #      "arn:aws-us-gov:iam::*:role/aws-service-role/rds.application-autoscaling.amazonaws.com/AWSServiceRoleForApplicationAutoScaling_RDSCluster",
@@ -268,15 +315,16 @@ data "aws_iam_policy_document" "inline" {
       test     = "StringEquals"
       variable = "iam:PassedToService"
       values = [
+        "apigateway.amazonaws.com",
+        "bedrock.amazonaws.com",
+        "ecs-tasks.amazonaws.com",
+        "ecs.amazonaws.com",
         "firehose.amazonaws.com",
         "glue.amazonaws.com",
+        "lambda.amazonaws.com",
         "rds.amazonaws.com",
         "s3.amazonaws.com",
-        "lambda.amazonaws.com",
-        "ecs.amazonaws.com",
-        "ecs-tasks.amazonaws.com",
         "states.amazonaws.com",
-        "apigateway.amazonaws.com"
       ]
     }
   }