IAM Credentials

Introduction

• AWS Bedrock: A comprehensive managed service delivering access to cutting-edge generative AI models (such as Anthropic Claude, Amazon Nova) via AWS infrastructure.
  Learn more about AWS Bedrock.
• Sypha: A Visual Studio Code extension functioning as an AI-powered development companion through AI model integration—enabling developers to produce code, troubleshoot issues, and perform data analysis.
• Enterprise Orientation: This documentation targets organizations operating mature AWS infrastructures (utilizing IAM roles, AWS SSO, AWS Organizations, etc.) to maintain secure and policy-compliant operations.

---

Step 1: Configure Your AWS Infrastructure

1.1 Establish or Utilize an IAM Role/User

1. Authenticate to AWS Management Console:
   AWS Console
2. Navigate to IAM:
   • Locate IAM (Identity and Access Management) through the AWS Console search.
   • Either establish a fresh IAM user or leverage your organization's AWS SSO to adopt a specific role for Bedrock operations.
   • AWS IAM User Guide

1.2 Configure Required Policy Attachments

To enable Sypha's interaction with AWS Bedrock, your IAM user or role requires designated permissions. The AmazonBedrockLimitedAccess managed policy offers broad access, however for enhanced security following least-privilege principles, these minimal permissions suffice for Sypha's primary model invocation operations:

• bedrock:InvokeModel
• bedrock:InvokeModelWithResponseStream

You can construct a custom IAM policy containing these permissions and associate it with your IAM user or role.

Option 1: Minimal Permissions (Recommended for Production & Least Privilege)

1. Within the AWS IAM console, initiate new policy creation.
2. Employ the JSON editor to insert the following policy document:

   {
   	"Version": "2012-10-17",
   	"Statement": [
   		{
   			"Effect": "Allow",
   			"Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
   			"Resource": "*" // For enhanced security, scope this to specific model ARNs if possible.
   		}
   	]
   }

3. Assign a policy name (for instance, SyphaBedrockInvokeAccess) and connect it to your IAM user or role.

Option 2: Leveraging a Managed Policy (Streamlined Initial Configuration)

• As an alternative, you may associate the AWS managed policy AmazonBedrockLimitedAccess. This provides expanded permissions, encompassing model listing capabilities, provisioning management, and additional Bedrock functionalities. This approach may simplify initial configuration or suit scenarios requiring these extended capabilities. View AmazonBedrockLimitedAccess Policy Details

Critical Considerations:

• Model Discovery in Sypha: The minimal permission set (bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream) enables Sypha to utilize a model when you directly specify the model ID in Sypha's configuration. Should you depend on Sypha to automatically discover available Bedrock models, you may require supplementary permissions such as bedrock:ListFoundationModels.
• AWS Marketplace Subscriptions: For third-party model providers (such as Anthropic Claude), verify active AWS Marketplace subscriptions exist. This is generally administered in the AWS Bedrock console within "Model access" and may necessitate aws-marketplace:Subscribe permissions if not previously configured.
• Enterprise Recommendation: Consistently implement least-privilege methodologies. When feasible, restrict resource ARNs in your IAM policies to designated models or regions. Employ Service Control Policies (SCPs) for comprehensive governance within AWS Organizations.

---

Step 2: Confirm Regional and Model Availability

2.1 Determine and Validate a Region

1. Choose a Region:
   AWS Bedrock operates across numerous regions (including US East, Europe, Asia Pacific). Select the region aligning with your latency requirements and regulatory compliance.
   AWS Global Infrastructure
2. Confirm Model Availability:
   • Through the AWS Bedrock console, verify that required models for your team (such as Anthropic Claude, Amazon Nova) display "Access granted" status.
   • Note: Certain sophisticated models may necessitate an Inference Profile when on-demand access is unavailable.

2.2 Establish AWS Marketplace Subscriptions (when required)

1. Activate Third-Party Model Subscriptions:
   • Access the AWS Bedrock console and find the model subscription area.
   • For third-party provider models (such as Anthropic), review and accept subscription terms.
   • AWS Marketplace
2. Enterprise Recommendation:
   • Model subscriptions frequently undergo centralized management. Verify with your cloud infrastructure team whether standardized subscription procedures exist.

---

Step 3: Set Up the Sypha VS Code Extension

3.1 Deploy and Launch Sypha

1. Acquire VS Code:
   Obtain installation files from the VS Code website.
2. Deploy the Sypha Extension:
   • Launch VS Code.
   • Access the Extensions Marketplace (Ctrl+Shift+X or Cmd+Shift+X).
   • Locate Sypha and complete installation.

3.2 Adjust Sypha Configuration

1. Access Sypha Configuration:
   • Select the settings ⚙️ to designate your API Provider.
2. Designate AWS Bedrock as the API Provider:
   • Within the API Provider selector, pick AWS Bedrock.
3. Provide Your AWS Credentials:
   • Supply your Access Key and Secret Key (alternatively employ temporary credentials when utilizing AWS SSO).
   • Indicate the appropriate AWS Region (for instance, us-east-1 or your organization-authorized region).
4. Choose a Model:
   • Pick an on-demand model (such as anthropic.claude-3-5-sonnet-20241022-v2:0).
5. Preserve and Validate:
   • Select Done/Save to commit your configuration.
   • Verify the integration by submitting a straightforward prompt (for example, "Generate a Python function to check if a number is prime.").

---

Step 4: Security, Oversight, and Recommended Practices

1. Strengthen Access Controls:
   • Prioritize AWS SSO/federated roles instead of persistent IAM credentials.
   • AWS IAM Best Practices
2. Fortify Network Security:
   • Evaluate implementing AWS PrivateLink for secure Bedrock connectivity.
3. Track and Record Activity:
   • Activate AWS CloudTrail for Bedrock API call logging.
   • Leverage CloudWatch for monitoring indicators including invocation frequency, latency, and token consumption.
   • Configure alerts for unusual patterns.
4. Address Errors and Control Costs:
   • Deploy exponential backoff strategies for rate-limiting errors.
   • Utilize AWS Cost Explorer and configure billing notifications to monitor consumption.
     AWS Cost Management
5. Conduct Regular Reviews and Maintain Compliance:
   • Systematically examine IAM roles and CloudTrail records.
   • Adhere to organizational data privacy and governance protocols.

---

Summary

Following these procedures, your enterprise team can safely integrate AWS Bedrock with the Sypha VS Code extension to enhance development velocity:

1. Configure Your AWS Infrastructure: Establish or employ a secure IAM role/user, associate the AmazonBedrockLimitedAccess policy, and confirm required permissions.
2. Validate Region and Model Availability: Verify your chosen region accommodates necessary models and activate AWS Marketplace subscriptions as required.
3. Configure Sypha in VS Code: Deploy and configure Sypha using your AWS credentials and select a suitable model.
4. Apply Security and Monitoring Practices: Follow recommended approaches for IAM, network protection, monitoring, and cost oversight.

For comprehensive information, reference the AWS Bedrock Documentation and collaborate with your internal cloud infrastructure team. Happy coding!

---

This documentation will receive updates as AWS Bedrock and Sypha advance. Consistently reference current documentation and organizational policies for modern practices.