This is a cache of https://www.elastic.co/guide/en/security/current/assistant-connect-to-bedrock.html. It is a snapshot of the page at 2024-12-13T00:55:32.997+0000.
Connect to Amazon Bedrock | Elastic Security Solution [8.17] | Elastic

Connect to Amazon Bedrock

edit

This page provides step-by-step instructions for setting up an Amazon Bedrock connector for the first time. This connector type enables you to leverage large language models (LLMs) within Kibana. You’ll first need to configure AWS, then configure the connector in Kibana.

Only Amazon Bedrock’s Anthropic models are supported: Claude and Claude instant.

Configure AWS

edit
Configure an IAM policy
edit

First, configure an IAM policy with the necessary permissions:

  1. Log into the AWS console and search for Identity and Access Management (IAM).
  2. From the IAM menu, select PoliciesCreate policy.
  3. To provide the necessary permissions, paste the following JSON into the Specify permissions menu.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "bedrock:InvokeModel",
                    "bedrock:InvokeModelWithResponseStream"
                ],
                "Resource": "*"
            }
        ]
    }

    These are the minimum required permissions. IAM policies with additional permissions are also supported.

  4. Click Next. Name your policy.

The following video demonstrates these steps.


Configure an IAM User
edit

Next, assign the policy you just created to a new user:

  1. Return to the IAM menu. Select Users from the navigation menu, then click Create User.
  2. Name the user, then click Next.
  3. Select Attach policies directly.
  4. In the Permissions policies field, search for the policy you created earlier, select it, and click Next.
  5. Review the configuration then click Create user.

The following video demonstrates these steps.


Create an access key
edit

Create the access keys that will authenticate your Elastic connector:

  1. Return to the IAM menu. Select Users from the navigation menu.
  2. Search for the user you just created, and click its name.
  3. Go to the Security credentials tab.
  4. Under Access keys, click Create access key.
  5. Select Third-party service, check the box under Confirmation, click Next, then click Create access key.
  6. Click Download .csv file to download the key. Store it securely.

The following video demonstrates these steps.


Enable model access
edit

Make sure the supported Amazon Bedrock LLMs are enabled:

  1. Search the AWS console for Amazon Bedrock.
  2. From the Amazon Bedrock page, click Get started.
  3. Select Model access from the left navigation menu, then click Manage model access.
  4. Check the boxes for Claude and/or Claude Instant, depending which model or models you plan to use.
  5. Click Save changes.

The following video demonstrates these steps.


Configure the Amazon Bedrock connector

edit

Finally, configure the connector in Kibana:

  1. Log in to Kibana.
  2. . Find the Connectors page in the navigation menu or use the global search field. Then click Create Connector, and select Amazon Bedrock.
  3. Name your connector.
  4. (Optional) Configure the Amazon Bedrock connector to use a different AWS region where Anthropic models are supported by editing the url field, for example by changing us-east-1 to eu-central-1.
  5. (Optional) Add one of the following strings if you want to use a model other than the default:

    1. For Haiku: anthropic.claude-3-haiku-20240307-v1:0
    2. For Sonnet: anthropic.claude-3-sonnet-20240229-v1:0
    3. For Opus: anthropic.claude-3-opus-20240229-v1:0
  6. Enter the Access Key and Secret that you generated earlier, then click Save.

    Your LLM connector is now configured. For more information on using Elastic AI Assistant, refer to AI Assistant.

If you’re using provisioned throughput, your ARN becomes the model ID, and the connector settings url value must be encoded to work. For example, if the non-encoded ARN is arn:aws:bedrock:us-east-2:123456789102:provisioned-model/3Ztr7hbzmkrqy1, the encoded ARN would be arn%3Aaws%3Abedrock%3Aus-east-2%3A123456789102%3Aprovisioned-model%2F3Ztr7hbzmkrqy1.

The following video demonstrates these steps.