Start by treating model invocation as a privileged access path rather than a routine API call. Limit rights to specific models, approved environments, and defined use cases. Separate runtime access from model administration, and prefer short-lived credentials for workloads and users so access does not persist longer than the task that requires it.
Why This Matters for Security Teams
Amazon Bedrock access should be scoped like any other privileged NHI path because model invocation can trigger data exposure, tool use, and downstream actions that are hard to reverse once initiated. The mistake is to treat Bedrock as a generic developer API and grant broad IAM permissions that outlive the task, environment, or use case. That pattern creates unnecessary blast radius for both human users and automated pipelines.
Current guidance suggests separating who can build prompts, who can invoke models, and who can administer the Bedrock environment. This is especially important when pipelines fetch secrets, enrich prompts with internal data, or pass model output into deployment steps. The OWASP Non-Human Identity Top 10 frames this as an identity and privilege problem, not just an application feature. NHIMG’s Ultimate Guide to NHIs shows why this matters at scale: 97% of NHIs carry excessive privileges, which is exactly the condition that turns a convenience integration into a standing access path.
In practice, many security teams discover Bedrock over-permissioning only after a pipeline has already been allowed to call more models, across more accounts, than anyone intended.
How It Works in Practice
Scoped Bedrock access starts with a tight permissions model. Developers should receive only the rights needed for approved experimentation or application code, while pipelines should use workload identity with short-lived credentials rather than static keys. That means mapping access to the specific model, region, environment, and action, then denying everything else by default. For many teams, the right mental model is intent-based access at runtime, not a broad “can call Bedrock” entitlement.
Use separate roles for model invocation and model administration. A developer role may allow InvokeModel on a narrow set of model ARNs, while a platform role handles guardrails, logging, and policy changes. For pipelines, prefer ephemeral credentials issued through the existing CI/CD identity plane, with TTL aligned to the job duration. Where possible, pair that with policy-as-code controls so access decisions are evaluated at request time using environment and workload context.
- Restrict model access to approved model IDs and regions.
- Separate human development access from CI/CD runtime access.
- Use short-lived credentials or federated workload identity for pipelines.
- Deny administration permissions unless the role explicitly manages Bedrock configuration.
- Log model invocation, prompt handling, and downstream tool calls as privileged activity.
NHIMG’s CI/CD pipeline exploitation case study and Guide to the Secret Sprawl Challenge are relevant because pipeline compromise and secret sprawl are common pathways into overbroad AI access. These controls tend to break down when the same IAM role is reused across dev, test, and prod, because the role becomes a persistent identity with no reliable runtime boundary.
Common Variations and Edge Cases
Tighter Bedrock scoping often increases delivery friction, requiring organisations to balance developer speed against containment. That tradeoff becomes visible when teams want shared sandbox access, cross-account model testing, or automated prompt evaluation in CI. The best practice is evolving, but current guidance suggests those exceptions should be explicitly time-bound and environment-bound rather than handled through permanent permissions.
One common edge case is prompt tooling that needs to read from internal repositories or secret stores before calling the model. In that pattern, the Bedrock role should not inherit repository or vault permissions by default. Another edge case is multi-stage pipelines where one step prepares data and a later step invokes the model. Those stages should not share the same identity unless the full chain is equally trusted. NHIMG’s 52 NHI Breaches Analysis shows how often excessive privilege and weak lifecycle control turn routine automation into an incident path.
For governance, pair IAM boundaries with reviewable approval criteria: which models are allowed, which datasets may be sent, what outputs may be acted on automatically, and what evidence is retained. There is no universal standard for this yet, but teams that treat Bedrock access as a privileged NHI lifecycle rather than a one-time developer permission usually get far better control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Agentic AI Top 10 and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | A-04 | Agent and pipeline calls to Bedrock need runtime-scoped authorization. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Scoped Bedrock access depends on short-lived, non-standing non-human credentials. |
| NIST AI RMF | GOVERN | Bedrock governance requires accountable controls for AI use and access decisions. |
Limit model invocation to approved intents, models, and environments at request time.
Related resources from NHI Mgmt Group
- How should security teams scope remote access without exposing the broader network?
- How should security teams decide whether JIT access is safe for non-human identities?
- Which frameworks help teams align identity governance with dynamic access control?
- How can IAM teams support remote work without weakening access control?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 24, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
