Before you can use AI Validation to test models hosted in AWS Bedrock, you must configure the AI Defense connection to AWS Bedrock as shown below.
Procedure
| 1 |
Create an IAM Role for AI Defense
-
Navigate to the IAM service for your AWS account. Be sure to use the same AWS account that you used to set up your Multicloud Defense integration.
-
Create an IAM role in your AWS account with the following permissions.
{
"Action": "bedrock:InvokeModel",
"Effect": "Allow",
"Resource": "*",(or list of models to give access to)
"Sid": ""
}
-
Add the following in the trust relationship for the IAM role. The AWS value shown below is the AWS Role ARN for the AI Defense validation service.
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::565498894455:role/ai-defense-prod-ai-validation- \\
generative-validation-irsa"
},
"Action": "sts:AssumeRole"
}
The trust relationship allows the AI Defense Validation service to assume your IAM role and invoke the model.
|
| 2 |
Prepare the AWS Bedrock connection
After configuring your IAM role in AWS, return to AI Defense to configure the AWS Bedrock integration.
-
In your cloud service, find the IAM role ARN for an account with access to your models. If you’re setting this up for the first time, this is the role you created in the preceding section.
-
Open the AI Defense Administration tab, go to the AWS Bedrock card, provide the IAM role ARN, and click Connect to complete the connection.
-
Make sure Multicloud Defense is connected to AI Defense. If the Multicloud Defense card on the Administration tab shows a Disconnect button, then Multicloud Defense is connected. If it’s not connected, see the section Set up AI Asset discovery.
-
Proceed to the Find Asset section to add the AI models and applications you wish to scan.
|
What to do next
See Validation to test your models.
