Amazon Bedrock Flows 资源的加密 - Amazon Bedrock

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

Amazon Bedrock Flows 资源的加密

Amazon Bedrock 会对您的静态数据进行加密。默认情况下,Amazon Bedrock 使用 AWS 托管式密钥对这些数据进行加密。或者,您可以使用客户管理的密钥对数据进行加密。

有关更多信息 AWS KMS keys,请参阅《AWS Key Management Service 开发人员指南》中的客户托管密钥

如果您使用自定义 KMS 密钥加密数据,则必须设置以下基于身份的策略和基于资源的策略,以允许 Amazon Bedrock 代表您加密和解密数据。

  1. 将以下基于身份的策略附加到有权调用 Amazon Bedrock Flows API 的 IAM 角色或用户。此策略验证发出 Amazon Bedrock Flows 调用的用户是否具有 KMS 权限。将${region}${account-id}、和${flow-id}${key-id}替换为相应的值。

    JSON
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EncryptFlow",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:us-east-1:123456789012:flow/${flow-id}",
                    "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}

  2. 将以下基于资源的策略附加到 KMS 密钥。根据需要更改权限的范围。用相应的值替换{IAM-USER/ROLE-ARN}${region}${account-id}${flow-id}、、、和${key-id}

    JSON
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}"
        },
        {
            "Sid": "Allow the IAM user or IAM role of Flows API caller to use the key to encrypt and decrypt data.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "{IAM-USER/ROLE-ARN}"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:us-east-1:123456789012:flow/${flow-id}",
                    "kms:ViaService": "bedrock.${region}.amazonaws.com"
                }
            }
        }
    ]
}

  3. 对于流程执行,请将以下基于身份的策略附加到具有创建和管理流程权限的服务角色。此策略验证您的服务角色是否具有 AWS KMS 权限。将regionaccount-id、和flow-idkey-id替换为相应的值。

    JSON
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EncryptionFlows",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:us-east-1:123456789012:flow/flow-id",
                    "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
                }
            }
        }
    ]
}