Skip to content
Developer Docs
Fides Configuration
Data Discovery
LLM Classification with AWS Bedrock

LLM Classification Configuration

Fides' Data Discovery module includes an LLM-powered data classifier that leverages large language models to automatically identify and categorize sensitive data in your systems. This guide explains how to configure AWS Bedrock as the LLM backend for Fides' data classification capabilities.

Overview

The LLM classifier in Fides can use a variety of LLM providers to support intelligent, context-aware data categorization.

If you are running Fides on AWS, you may want to use AWS Bedrock as the LLM provider for Fides' data classifier.

AWS Bedrock provides access to foundation models from leading AI companies, enabling sophisticated natural language processing for data classification tasks.

Prerequisites

Before configuring AWS Bedrock for Fides, ensure you have:

  • A Fides deployment running on AWS EKS or AWS ECS
  • AWS Bedrock enabled in your AWS account with appropriate model access
  • Permissions to create and manage IAM roles and policies
  • Access to update Fides configuration settings
  • Fides OAuth access token with config:update scope

Note: AWS Bedrock must be enabled in your AWS account and you must have access to the foundation models you wish to use. Visit the AWS Bedrock console (opens in a new tab) to enable model access.

Authentication Methods

Fides supports multiple authentication methods for connecting to AWS Bedrock.

Recommended: IAM Role-Based Authentication

For production deployments, Ethyca recommends using IAM role-based authentication to eliminate the need for long-term credentials:

Note: The steps below serve as an illustrative example of how to set up appropriate AWS resources. They should be adapted to meet your organization’s AWS best practices.

Note: Many of the examples below use CLI tools like aws iam and eksctl, as a reference. You may prefer to use terraform to define and manage these resources.

EKS Deployments: IRSA (IAM Roles for Service Accounts)

If Fides is deployed on Amazon EKS, use IRSA (see AWS user guide (opens in a new tab)) to enable secure, credential-less authentication.

Step 1: Create an IAM Policy for Bedrock Access

Create an IAM policy that grants the minimum required permissions to invoke Bedrock models:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InvokeBedrockFoundationModels",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*:*:foundation-model/*"
    },
    {
      "Sid": "InvokeBedrockInferenceProfiles",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*:*:inference-profile/*"
    }
  ]
}

Using the AWS CLI:

aws iam create-policy \
  --policy-name bedrock-invoke-policy \
  --policy-document file://bedrock-policy.json

Step 2: Set Up OIDC Provider and Service Account

Associate an OIDC provider with your EKS cluster (one-time setup):

# Set your cluster details
CLUSTER_NAME="your-cluster-name"
AWS_REGION="us-east-1"
NAMESPACE="fides"
SERVICE_ACCOUNT="fides-bedrock-sa"
 
# Associate OIDC provider with the cluster
eksctl utils associate-iam-oidc-provider \
  --region=$AWS_REGION \
  --cluster=$CLUSTER_NAME \
  --approve

Step 3: Create the IAM Service Account

Create a Kubernetes ServiceAccount linked to an IAM role:

# Replace with your policy ARN from Step 1
POLICY_ARN="arn:aws:iam::ACCOUNT_ID:policy/bedrock-invoke-policy"
 
# Create the service account and IAM role
eksctl create iamserviceaccount \
  --name=$SERVICE_ACCOUNT \
  --namespace=$NAMESPACE \
  --cluster=$CLUSTER_NAME \
  --region=$AWS_REGION \
  --attach-policy-arn=$POLICY_ARN \
  --approve \
  --override-existing-serviceaccounts

Step 4: Update Your Fides Deployment

Configure your Fides deployment to use the service account:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: fides
  namespace: fides
spec:
  template:
    spec:
      serviceAccountName: fides-bedrock-sa  # Reference the service account
      containers:
      - name: fides
        env:
        - name: AWS_REGION
          value: "us-east-1"  # Set to your AWS region

Note: The AWS SDK used by Fides automatically detects and uses the IRSA credentials without requiring additional environment variables or configuration within the application. The service account token is automatically mounted and refreshed by EKS.

ECS Deployments: Task IAM Roles

If Fides is deployed on Amazon ECS, use ECS Task IAM Roles for authentication:

Step 1: Create an IAM Policy

Use the same IAM policy JSON from the EKS section above to create a policy with Bedrock permissions.

Step 2: Create an ECS Task Role

Create an IAM role with a trust policy that allows ECS tasks to assume it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Attach the Bedrock policy to the task role:

aws iam attach-role-policy \
  --role-name fides-ecs-task-role \
  --policy-arn arn:aws:iam::ACCOUNT_ID:policy/bedrock-invoke-policy

Step 3: Update Your ECS Task Definition

Configure your ECS task definition to use the task role:

{
  "family": "fides-task",
  "taskRoleArn": "arn:aws:iam::ACCOUNT_ID:role/fides-ecs-task-role",
  "containerDefinitions": [
    {
      "name": "fides",
      "environment": [
        {
          "name": "AWS_REGION",
          "value": "us-east-1"
        }
      ]
    }
  ]
}

Note: ECS automatically provides temporary credentials to containers via the task role. No additional configuration is needed in your application code.

Alternative: Long-Term API Token (Not Recommended for Production)

For development or testing environments, you can use long-term Bedrock API tokens. However, this approach is not recommended for production due to security concerns around credential management and rotation.

To use long-term API tokens, create a long-term Bedrock API token, and then set the following environment variable on your deployed Fides containers:

AWS_BEARER_TOKEN_BEDROCK="your-bedrock-api-token"
⚠️

Security Warning: Long-term API token require manual rotation and are more susceptible to credential leakage. Always use IAM role-based authentication (IRSA or Task IAM Roles) for production deployments.

Testing the Bedrock Connection

Once you've configured authentication, verify that Fides can successfully connect to AWS Bedrock.

Using the Fides API

Test the connection by making a POST request to the Bedrock test endpoint:

POST /api/v1/plus/connection/aws-bedrock/test
curl -X POST '{{FIDES_URL}}/api/v1/plus/connection/aws-bedrock/test' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer {{FIDES_ACCESS_TOKEN}}' \
  -d '{
    "model": "bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0",
    "aws_region": "us-east-1"
  }'

In the above example:

  • {{FIDES_URL}} is the URL to your Fides server
  • {{FIDES_ACCESS_TOKEN}} is your Fides OAuth access token
  • model specifies the Bedrock model to test (use any model you have access to)
  • aws_region is the AWS region where Bedrock is enabled

Successful Response

If the connection is configured correctly, you'll receive a success response:

Connection Test Success Response
HTTP/1.1 200 OK
Content-Type: application/json
 
{
  "success": true,
  "message": "AWS Bedrock connection test completed successfully",
  "response_content": "...",
  "model": "bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0"
}

Troubleshooting Connection Issues

If the connection test fails, check the following:

Authentication Issues

  • Verify that the IAM policy is correctly attached to the role
  • Ensure the trust policy allows the service account or ECS task to assume the role
  • Check that the service account annotation (EKS) or task role ARN (ECS) is correctly configured

Permission Issues

  • Confirm that Bedrock is enabled in your AWS account
  • Verify you have requested access to the specific foundation models you're trying to use
  • Review AWS CloudTrail logs for AssumeRoleWithWebIdentity (EKS) or IAM role assumption events (ECS)

Network Issues

  • Ensure your Fides deployment has outbound internet access or VPC endpoints for Bedrock
  • Verify security groups allow HTTPS (port 443) outbound traffic
  • For private deployments, configure VPC endpoints for Bedrock and STS services

Check Fides Logs

View the Fides pod or container logs for detailed error messages:

Supported Bedrock Models

Fides supports any AWS Bedrock foundation model or inference profile that provides text generation capabilities. At this time, Ethyca specifically recommends the following model for use with the LLM classifier:

  • Anthropic Claude Haiku 4.5: bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0, best balance of accuracy and price

In order to use this model with the LLM classifier, the model string bedrock/us.anthropic.claude-haiku-4-5-20251001-v1:0 should be specified in the "Model override" field when configuring your monitor.

Model Access: Before using a specific model, you must request access in the AWS Bedrock console. Model availability varies by region. Refer to the AWS Bedrock documentation (opens in a new tab) for details.

If Anthropic Claude Haiku 4.5 is not available as a model for use in your organization, please contact Ethyca support to determine a viable alternative model for use.

Additional Resources

Configuring OIDC with Azure ADData Mapping