本文属于机器翻译版本。若本译文内容与英语原文存在差异，则一律以英文原文为准。

# 使用客户自主管理型密钥（CMK）加密代理会话
<a name="ltm-permissions"></a>

如果您已经为代理启用内存，并且使用客户自主管理型密钥加密代理会话，则必须配置以下密钥政策，并调用身份 IAM 权限来配置您的客户自主管理型密钥。

**客户自主管理型密钥策略**

Amazon Bedrock 使用这些权限生成加密的数据密钥，然后使用生成的密钥来加密代理内存。Amazon Bedrock 还需要权限，重新加密生成的具有不同加密上下文的数据密钥。当客户自主管理型密钥在另一个客户自主管理型密钥或服务拥有的密钥之间切换时，也会使用重新加密权限。有关更多信息，请参阅[分层密钥环](https://docs.aws.amazon.com//database-encryption-sdk/latest/devguide/use-hierarchical-keyring.html)。

使用相应的值替换 `$region`、`account-id` 和 `${caller-identity-role}`。

```
{
    "Version": "2012-10-17",		 	 	 
    {
        "Sid": "Allow access for bedrock to enable long term memory",
        "Effect": "Allow",
        "Principal": {
            "Service": [
                "bedrock.amazonaws.com",
            ],
        },
        "Action": [
            "kms:GenerateDataKeyWithoutPlainText",
            "kms:ReEncrypt*"
        ],
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "$account-id"
            },
            "ArnLike": {
                "aws:SourceArn": "arn:aws:bedrock:$region:$account-id:agent-alias/*"
            }
        }
        "Resource": "*"
    },
    {
        "Sid": "Allow the caller identity control plane permissions for long term memory",
        "Effect": "Allow", 
        "Principal": {
            "AWS": "arn:aws:iam::${account-id}:role/${caller-identity-role}"
        },
        "Action": [
            "kms:GenerateDataKeyWithoutPlainText",
            "kms:ReEncrypt*"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*"
            }
        }
    },
    {
        "Sid": "Allow the caller identity data plane permissions to decrypt long term memory",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::${account-id}:role/${caller-identity-role}"
        },
        "Action": [
            "kms:Decrypt"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*",
                "kms:ViaService": "bedrock.$region.amazonaws.com" 
            }
        }
    }
}
```

**用于加密和解密代理内存的 IAM 权限**

以下是身份调用代理 API 为启用了内存的代理配置 KMS 密钥时所需的 IAM 权限。Amazon Bedrock 代理使用这些权限来确保来电者身份被授权拥有上述密钥策略中提及的 APIs 管理、训练和部署模型的权限。对于调用代理 APIs ，Amazon Bedrock 代理使用呼叫者身份的`kms:Decrypt`权限来解密内存。

使用相应的值替换 `$region`、`account-id` 和 `${key-id}`。

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Sid": "AgentsControlPlaneLongTermMemory",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKeyWithoutPlaintext", 
                "kms:ReEncrypt*"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/KeyId",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent-alias/*"
                }
            }
        },
        {
            "Sid": "AgentsDataPlaneLongTermMemory",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/KeyId",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent-alias/*"
                }
            }
        }
    ]
}
```

------