Policy: AWS > Turbot > Permissions > Compiled > Lockdown Statements > @turbot/aws-bedrock

A calculated policy that Guardrails uses to generate Bedrock-specific region lockdown statements. These statements are used as input to the stack that manages the Guardrails IAM permissions objects.

This policy creates custom region restrictions for AWS Bedrock when the AWS > Bedrock > Permissions > Lockdown > Regions policy is configured with additional regions. If empty or not configured, Bedrock follows the global region lockdown.

For example, if additional Bedrock regions are configured, this policy generates both a service override marker (to exclude bedrock:* from the main region deny) and a Bedrock-specific deny statement that restricts Bedrock API calls to only the combined list of global and Bedrock-specific regions.
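The combined effect described above can be modeled in a few lines. This is an added example, not Guardrails' own code or output: the function names, the `Sid` values, the sample regions, and the use of `NotAction` to stand in for the service override marker are assumptions, since the page does not show the generated statement format.

```python
import json
from fnmatch import fnmatchcase

def _deny(sid, regions, **actions):
    # Deny any matching call whose region is outside the allowed list.
    return {"Sid": sid, "Effect": "Deny", **actions, "Resource": "*",
            "Condition": {"StringNotEquals":
                          {"aws:RequestedRegion": sorted(set(regions))}}}

def lockdown_statements(global_regions, bedrock_extra_regions=()):
    """Build illustrative deny statements for the region lockdown."""
    if not bedrock_extra_regions:
        # Empty or not configured: Bedrock follows the global lockdown.
        return [_deny("RegionLockdown", global_regions, Action=["*"])]
    combined = set(global_regions) | set(bedrock_extra_regions)
    return [
        # Main deny with bedrock:* carved out (the override, assumed shape).
        _deny("RegionLockdown", global_regions, NotAction=["bedrock:*"]),
        # Bedrock-specific deny over global + Bedrock-specific regions.
        _deny("BedrockRegionLockdown", combined, Action=["bedrock:*"]),
    ]

def _matches(action, patterns):
    # IAM action names are case-insensitive and support * wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_denied(statements, action, region):
    """Minimal evaluator: True if any deny statement applies to the call."""
    for s in statements:
        allowed = s["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if region in allowed:
            continue  # condition not met, statement does not apply
        if "Action" in s:
            hit = _matches(action, s["Action"])
        else:
            hit = not _matches(action, s["NotAction"])
        if hit:
            return True
    return False

if __name__ == "__main__":
    # Constructed sample configuration.
    stmts = lockdown_statements(["us-east-1", "us-west-2"], ["eu-central-1"])
    print(json.dumps(stmts, indent=2))
    for call in [("bedrock:InvokeModel", "eu-central-1"),
                 ("ec2:RunInstances", "eu-central-1"),
                 ("bedrock:InvokeModel", "ap-south-1")]:
        print(call, "denied" if is_denied(stmts, *call) else "not denied")
```

Without the carve-out, the main deny would still block Bedrock in the additional region, which is why both statements are needed together.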

Targets

This policy targets the following resource types:

Primary Policy

This policy is used with the following primary policy:

Policy Specification

Schema Type
array

Category
