This page is a machine-translated version. If this translation differs from the English original, the English original prevails.
Encryption of Amazon Bedrock flow resources
Amazon Bedrock always encrypts your data at rest. By default, Amazon Bedrock encrypts this data with an AWS managed key. Alternatively, you can encrypt the data with a customer managed key.
For more information about AWS KMS keys, see Customer managed keys in the AWS Key Management Service Developer Guide.
If you use a custom KMS key to encrypt your data, you must set up the following identity-based and resource-based policies so that Amazon Bedrock can encrypt and decrypt data on your behalf.
- Attach the following identity-based policy to the IAM role or user that has permission to call the Amazon Bedrock Flows APIs. This policy ensures that the identity making the Amazon Bedrock Flows calls has the required KMS permissions. Replace ${region}, ${account-id}, ${flow-id}, and ${key-id} with the appropriate values.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EncryptFlow",
                "Effect": "Allow",
                "Action": [
                    "kms:GenerateDataKey",
                    "kms:Decrypt"
                ],
                "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
                "Condition": {
                    "StringEquals": {
                        "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                        "kms:ViaService": "bedrock.${region}.amazonaws.com"
                    }
                }
            }
        ]
    }
- Attach the following resource-based policy (key policy) to the KMS key. Narrow the scope of the permissions as needed. Replace the IAM user or role ARN, ${region}, ${account-id}, ${flow-id}, and ${key-id} with the appropriate values.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowRootModifyKMSId",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::${account-id}:root"
                },
                "Action": "kms:*",
                "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
            },
            {
                "Sid": "AllowRoleUseKMSKey",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::${account-id}:role/RoleName"
                },
                "Action": [
                    "kms:GenerateDataKey",
                    "kms:Decrypt"
                ],
                "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
                "Condition": {
                    "StringEquals": {
                        "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                        "kms:ViaService": "bedrock.${region}.amazonaws.com"
                    }
                }
            }
        ]
    }
- For flow execution, attach the following identity-based policy to the service role that has permission to create and manage flows. This policy ensures that your service role has the required AWS KMS permissions. Replace ${region}, ${account-id}, ${flow-id}, and ${key-id} with the appropriate values.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "EncryptionFlows",
                "Effect": "Allow",
                "Action": [
                    "kms:GenerateDataKey",
                    "kms:Decrypt"
                ],
                "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
                "Condition": {
                    "StringEquals": {
                        "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                        "kms:ViaService": "bedrock.${region}.amazonaws.com"
                    }
                }
            }
        ]
    }
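The three policies above all rely on the same two condition keys to pin key use to one flow reached through the Bedrock service. The following added example (not AWS documentation code) fills the first identity-based policy with constructed ARNs and runs a deliberately simplified model of IAM statement matching over it, to show which KMS requests the conditions admit and which they reject; real IAM evaluation also involves the key policy, SCPs and permission boundaries, which this model leaves out.

```python
import json

# Constructed sample identifiers; these are not real resources.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
FLOW_ARN = "arn:aws:bedrock:us-east-1:123456789012:flow/EXAMPLEFLOW"
OTHER_FLOW_ARN = "arn:aws:bedrock:us-east-1:123456789012:flow/OTHERFLOW"

# The page's first identity-based policy with the placeholders filled in.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "EncryptFlow",
    "Effect": "Allow",
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
    "Resource": "%s",
    "Condition": {"StringEquals": {
      "kms:EncryptionContext:aws:bedrock-flows:arn": "%s",
      "kms:ViaService": "bedrock.us-east-1.amazonaws.com"}}}]}""" % (KEY_ARN, FLOW_ARN))


def kms_request_context(flow_arn, via_service="bedrock.us-east-1.amazonaws.com"):
    """Condition keys KMS sees when Bedrock calls it on behalf of a flow (modelled, simplified)."""
    return {"kms:EncryptionContext:aws:bedrock-flows:arn": flow_arn,
            "kms:ViaService": via_service}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(stmt, action, resource, ctx):
    """True when Action, Resource and every StringEquals condition of the statement match."""
    actions = _as_list(stmt["Action"])
    if action not in actions and "kms:*" not in actions:
        return False
    resources = _as_list(stmt["Resource"])
    if resource not in resources and "*" not in resources:
        return False
    # A condition key that is absent from the request (e.g. a direct KMS call that never
    # went through Bedrock, so no kms:ViaService value) fails the StringEquals match.
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) != wanted:
            return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Simplified IAM logic: an explicit Deny wins, otherwise any matching Allow grants."""
    matched = [s for s in policy["Statement"] if statement_applies(s, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)
```

Running `is_allowed(IDENTITY_POLICY, "kms:Decrypt", KEY_ARN, kms_request_context(FLOW_ARN))` returns True, while the same call with OTHER_FLOW_ARN, with a different `kms:ViaService`, with an empty context, or for `kms:ScheduleKeyDeletion` returns False.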