(可选)为护栏创建客户管理的密钥以提高安全性
您可以利用客户自主管理型 AWS KMS keys 来加密护栏。任何拥有 CreateKey 权限的用户都可以使用 AWS Key Management Service(AWS KMS)控制台或 CreateKey 操作创建客户自主管理型密钥。在这些情况下,应确保创建对称加密密钥。
创建密钥后,请配置以下权限策略。
-
执行以下操作以创建基于资源的密钥策略。
-
创建密钥策略,为您的 KMS 密钥创建基于资源的策略。
-
添加以下策略语句,向护栏用户和护栏创建者授予权限。将每个 role
- JSON
-
-
{
"Version":"2012-10-17",
"Id": "KMS key policy",
"Statement": [
{
"Sid": "PermissionsForGuardrailsCreators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/role"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:DescribeKey",
"kms:CreateGrant"
],
"Resource": "*"
},
{
"Sid": "PermissionsForGuardrailsUsers",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/role"
},
"Action": "kms:Decrypt",
"Resource": "*"
}
]
}
-
将以下基于身份的策略附加到角色,以便该角色能够创建和管理护栏。将 key-id
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowRoleToCreateAndManageGuardrails",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:CreateGrant"
],
"Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id"
}
]
}
-
将以下基于身份的策略附加到角色,以便该角色能够在模型推理过程中或调用代理时使用您加密的护栏。将 key-id
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowRoleToUseEncryptedGuardrailDuringInference",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id"
}
]
}
