# Encryption of agent resources Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements. Amazon Bedrock uses default AWS-owned keys to automatically encrypt agent's information. This includes control plane data and session data. You can't view, manage, or audit the use of AWS owned keys. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk). While you can't disable this layer of encryption, you can choose to use customer managed keys instead of AWS-owned keys to encrypt agent's information. Amazon Bedrock supports the use of a symmetric customer managed keys (CMK) that you can create, own, and manage instead of the default AWS owned encryption. For more information, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). **Important** Amazon Bedrock automatically encrypts your agent's session information using AWS owned keys at no charge. AWS KMS charges apply for using a customer managed keys. For more information about pricing, see [AWS Key Management Service Pricing](https://aws.amazon.com/kms/pricing/). If you've created your agent *before* January 22, 2025 and want to use customer managed key for encrypting agent resources, follow instructions for [Encryption of agent resources for agents created before January 22, 2025](encryption-agents.md). # Encryption of agent resources with customer managed keys (CMK) You can at any time create a customer managed key to encrypt your agent’s information using the following agent information provided when building your agent. **Note** The following agent resources will only be encrypted for the agents created after January 22, 2025. **** [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/bedrock/latest/userguide/cmk-agent-resources.html) To use a customer managed key, complete the following steps: 1. Create customer managed key with the AWS Key Management Service. 1. Create a key policy and attach to the customer managed key ## Create a customer managed key You can create a symmetric customer managed key by using the AWS Management Console, or the AWS Key Management Service APIs. First make sure that you have `CreateKey` permissions and then, follow the steps for [Creating symmetric customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*. **Key policy** - key policies control access to your customer managed key . Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Managing access to customer managed key](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) in the *AWS Key Management Service Developer Guide*. If you have created your agent after January 22, 2025 and want to use customer managed key to encrypt your agent's information, make sure that the user or the role calling the agent API operations has the following permissions in the key policy: + [kms:GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) – returns a unique symmetric data key for use outside of AWS KMS. + [kms:Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) – decrypts ciphertext that was encrypted by a KMS key. Creation of the key returns an `Arn` for the key that you can use as the `customerEncryptionKeyArn`, when creating your agent. ## Create a key policy and attach it to the customer managed key If you encrypt agent resources with a customer managed key, you must set up an identity-based policy and a resource-based policy to allow Amazon Bedrock to encrypt and decrypt the agent resources on your behalf. **Identity-based policy** Attach the following identity-based policy to an IAM role or user with permissions to make calls to agent APIs that encrypt and decrypt agent resources on your behalf. This policy validates the user making API call has AWS KMS permissions. Replace the `${region}`, `${account-id}`, `${agent-id}`, and `${key-id}` with the appropriate values. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "EncryptAgents", "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/${agent-id}" } } } ] } ``` ------ **Resource-based policy** Attach the following resource-based policy to your AWS KMS key *only* if you are creating action groups where the schema in Amazon S3 is encrypted. You do not need to attach resource-based policy for any other use cases. To attach the following resource-based policy, change the scope of the permissions as necessary and replace the `${region}`, `${account-id}`, `${agent-id}`, and `${key-id}` with the appropriate values. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "kms:*", "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}" }, { "Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users", "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/${agent-id}" } } } ] } ``` ------ ## Changing the customer managed key Amazon Bedrock agents do not support re-encryption of versioned agents when the customer managed key associated with the *DRAFT* agent is changed or when you move from customer managed key to AWS owned key. Only the data for the *DRAFT* resource will be re-encrypted with the new key. Make sure you are not deleting or removing permissions for any keys for a versioned agent if using it to serve production data. To view and verify the keys being used by a version, call [GetAgentVersion](https://docs.aws.amazon.com//bedrock/latest/APIReference/API_agent_GetAgentVersion.html) and check the `customerEncryptionKeyArn` in the response. # Encrypt agent sessions with customer managed key (CMK) If you've enabled memory for your agent and if you encrypt agent sessions with a customer managed key, you must configure the following key policy and the calling identity IAM permissions to configure your customer managed key. **Customer managed key policy** Amazon Bedrock uses these permissions to generate encrypted data keys and then use the generated keys to encrypt agent memory. Amazon Bedrock also needs permissions to re-encrypt the the generated data key with different encryption contexts. Re-encrypt permissions are also used when customer managed key transitions between another customer managed key or service owned key. For more information, see [Hierarchical Keyring](https://docs.aws.amazon.com//database-encryption-sdk/latest/devguide/use-hierarchical-keyring.html). Replace the `$region`, `account-id`, and `${caller-identity-role}` with appropriate values. ``` { "Version": "2012-10-17", { "Sid": "Allow access for bedrock to enable long term memory", "Effect": "Allow", "Principal": { "Service": [ "bedrock.amazonaws.com", ], }, "Action": [ "kms:GenerateDataKeyWithoutPlainText", "kms:ReEncrypt*" ], "Condition": { "StringEquals": { "aws:SourceAccount": "$account-id" }, "ArnLike": { "aws:SourceArn": "arn:aws:bedrock:$region:$account-id:agent-alias/*" } } "Resource": "*" }, { "Sid": "Allow the caller identity control plane permissions for long term memory", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::${account-id}:role/${caller-identity-role}" }, "Action": [ "kms:GenerateDataKeyWithoutPlainText", "kms:ReEncrypt*" ], "Resource": "*", "Condition": { "StringLike": { "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*" } } }, { "Sid": "Allow the caller identity data plane permissions to decrypt long term memory", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::${account-id}:role/${caller-identity-role}" }, "Action": [ "kms:Decrypt" ], "Resource": "*", "Condition": { "StringLike": { "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*", "kms:ViaService": "bedrock.$region.amazonaws.com" } } } } ``` **IAM permissions to encrypt and decrypt agent memory** The following IAM permissions are needed for the identity calling Agents API to configure KMS key for agents with memory enabled. Amazon Bedrock agents use these permissions to make sure that the caller identity is authorized to have permissions mentioned in the key policy above for APIs to manage, train, and deploy models. For the APIs that invoke agents, Amazon Bedrock agent uses caller identity's `kms:Decrypt` permissions to decrypty memory. Replace the `$region`, `account-id`, and `${key-id}` with appropriate values. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AgentsControlPlaneLongTermMemory", "Effect": "Allow", "Action": [ "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*" ], "Resource": "arn:aws:kms:us-east-1:123456789012:key/KeyId", "Condition": { "StringLike": { "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent-alias/*" } } }, { "Sid": "AgentsDataPlaneLongTermMemory", "Effect": "Allow", "Action": [ "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:123456789012:key/KeyId", "Condition": { "StringLike": { "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent-alias/*" } } } ] } ``` ------ # Preventative security best practice for agents The following best practices for Amazon Bedrock service can help prevent security incidents: **Use secure connections** Always use encrypted connections, such as those that begin with `https://` to keep sensitive information secure in transit. **Implement least priviledge access to resources** When you create custom policies for Amazon Bedrock resources, grant only the permissions required to perform a task. It's recommended to start with a minimum set of permissions and grant additional permissions as needed. Implementing least privilege access is essential to reducing the risk and impact that could result from errors or malicious attacks. For more information, see [Identity and access management for Amazon Bedrock](security-iam.md). **Do not include PII in any of the agent resources containing customer data** When creating, updating, and deleting agents resources (for example, when using [CreateAgent](https://docs.aws.amazon.com//bedrock/latest/APIReference/API_agent_CreateAgent.html) ) do not include personally-identifiable information (PII) in any fields that do not support using customer managed key such as action group names and knowledgebase names. For the list of fields that support using customer managed key, see [Encryption of agent resources with customer managed keys (CMK)](cmk-agent-resources.md) # Encryption of agent resources for agents created before January 22, 2025 **Important** If you've created your agent *after* January 22, 2025, follow instructions for [Encryption of agent resources](encryption-agents-new.md) Amazon Bedrock encrypts your agent's session information. By default, Amazon Bedrock encrypts this data using an AWS managed key. Optionally, you can encrypt the agent artifacts using a customer managed key. For more information about AWS KMS keys, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*. If you encrypt sessions with your agent with a custom KMS key, you must set up the following identity-based policy and resource-based policy to allow Amazon Bedrock to encrypt and decrypt agent resources on your behalf. 1. Attach the following identity-based policy to an IAM role or user with permissions to make `InvokeAgent` calls. This policy validates the user making an `InvokeAgent` call has KMS permissions. Replace the *\$1\$1region\$1*, *\$1\$1account-id\$1*, *\$1\$1agent-id\$1*, and *\$1\$1key-id\$1* with the appropriate values. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "EncryptDecryptAgents", "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/agent-id" } } } ] } ``` ------ 1. Attach the following resource-based policy to your KMS key. Change the scope of the permissions as necessary. Replace the *\$1\$1region\$1*, *\$1\$1account-id\$1*, *\$1\$1agent-id\$1*, and *\$1\$1key-id\$1* with the appropriate values. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowRootModifyKMSKey", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "kms:*", "Resource": "arn:aws:kms:us-east-1:123456789012:key/KeyId" }, { "Sid": "AllowBedrockEncryptAgent", "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:123456789012:key/KeyId", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/AgentId" } } }, { "Sid": "AllowRoleEncryptAgent", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/Role" }, "Action": [ "kms:GenerateDataKey*", "kms:Decrypt" ], "Resource": "arn:aws:kms:us-east-1:123456789012:key/KeyId" }, { "Sid": "AllowAttachmentPersistentResources", "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*", "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } } } ] } ``` ------