This page is a machine-translated version. Where this translation differs from the English original, the English original takes precedence.
Data encryption for knowledge base evaluation jobs
During a knowledge base evaluation job, Amazon Bedrock makes a temporary copy of your data. When the job completes, Amazon Bedrock deletes the data. To encrypt the data, Amazon Bedrock uses a KMS key: either the KMS key you specify or a key owned by Amazon Bedrock.
Amazon Bedrock requires the IAM and AWS KMS permissions described in the following sections so that it can use your KMS key to perform the following actions:
When you create a knowledge base evaluation job, you can choose the KMS key owned by Amazon Bedrock or your own customer managed key. If you do not specify a customer managed key, Amazon Bedrock uses its own key by default.
Before you use a customer managed key, you must do the following:
Required policy elements
The IAM and KMS key policies in the following sections include these required elements:
- kms:Decrypt: Grants Amazon Bedrock permission to access and decrypt the files that you encrypted with the KMS key.
- kms:GenerateDataKey: Controls permission to generate data keys with the KMS key. Amazon Bedrock uses GenerateDataKey to encrypt the temporary data it stores for the evaluation job.
- kms:DescribeKey: Provides detailed information about the KMS key.
- kms:ViaService: This condition key restricts use of the KMS key to requests made through the specified AWS services. You must specify the following services:
- kms:EncryptionContext:context-key: This condition key restricts access to AWS KMS operations so that they apply only to the encryption context that is provided.
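The elements listed above are the least-privilege controls in the policies that follow: the data-path actions (Decrypt, GenerateDataKey) are only ever granted together with a kms:ViaService or kms:EncryptionContext condition, and DescribeKey, which reveals metadata only, is granted on its own. The following audit script is an added example, not code from the AWS documentation. It parses an IAM or key policy document and reports the required actions that are not granted, any statement that grants a data-path action without one of those scoping conditions, and (for identity policies only) statements whose Resource is "*". The sample policy at the bottom is constructed for the demonstration; the Sid names in it are not from the page.

```python
"""Audit an IAM or KMS key policy for the elements the Bedrock evaluation docs require.

Added example, not AWS documentation code. It checks that:
  1. the three required actions (Decrypt, GenerateDataKey, DescribeKey) are granted;
  2. every statement granting Decrypt or GenerateDataKey carries a kms:ViaService
     or kms:EncryptionContext:* condition, so the grant is confined to the
     Bedrock/S3 data path;
  3. identity policies do not use Resource "*" (in a key policy "*" means "this
     key" and is the documented form, so it is not flagged there).
Wildcard actions such as "kms:*" are not expanded; they are reported as-is.
"""
import json
from dataclasses import dataclass, field

REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"}
DATA_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}
SCOPING_PREFIXES = ("kms:ViaService", "kms:EncryptionContext:")


def _as_list(value):
    """IAM accepts a scalar wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_keys(statement):
    """Flatten {"StringEquals": {"kms:ViaService": ...}} into {"kms:ViaService", ...}."""
    keys = set()
    for operator_block in statement.get("Condition", {}).values():
        keys.update(operator_block.keys())
    return keys


@dataclass
class AuditResult:
    missing_actions: set = field(default_factory=set)
    unscoped: list = field(default_factory=list)            # statement Sids or indices
    wildcard_resource: list = field(default_factory=list)   # identity policies only

    @property
    def ok(self):
        return not (self.missing_actions or self.unscoped or self.wildcard_resource)


def audit_kms_policy(policy, is_key_policy=False):
    """Return an AuditResult for a policy document given as a dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    result = AuditResult(missing_actions=set(REQUIRED_ACTIONS))
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"Statement[{index}]")
        actions = set(_as_list(stmt.get("Action")))
        result.missing_actions -= actions
        scoped = any(k.startswith(SCOPING_PREFIXES) for k in _condition_keys(stmt))
        if actions & DATA_ACTIONS and not scoped:
            result.unscoped.append(label)
        if not is_key_policy and "*" in _as_list(stmt.get("Resource")):
            result.wildcard_resource.append(label)
    return result


# Constructed sample (not from the page): one correctly scoped grant, one
# unscoped Decrypt on every key in the account, and no DescribeKey at all.
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ScopedToBedrock",
            "Effect": "Allow",
            "Action": ["kms:GenerateDataKey"],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/*",
            "Condition": {"StringEquals": {"kms:ViaService": "bedrock.us-east-1.amazonaws.com"}},
        },
        {
            "Sid": "UnscopedDecrypt",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    report = audit_kms_policy(SAMPLE_IAM_POLICY)
    print("ok:", report.ok)
    print("missing actions:", sorted(report.missing_actions))
    print("unscoped statements:", report.unscoped)
    print("wildcard resources:", report.wildcard_resource)
```

Run it against the policies on this page (as dicts, with is_key_policy=True for the key policy) and every statement passes; on the constructed sample it flags UnscopedDecrypt twice and reports DescribeKey as missing.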
IAM policy requirements
The IAM policy attached to the IAM role that you use with Amazon Bedrock must include the following elements. To learn more about managing AWS KMS keys, see Using IAM policies with AWS KMS.
Knowledge base evaluation jobs in Amazon Bedrock use AWS owned keys. For more information about AWS owned keys, see AWS owned keys in the AWS Key Management Service Developer Guide.
The following is an example IAM policy that includes only the required AWS KMS actions and resources:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CustomKMSKeyProvidedToBedrockEncryption",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:123456789012:key/*"
      ],
      "Condition": {
        "StringEquals": {
          "kms:ViaService": [
            "s3.us-east-1.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CustomKMSKeyProvidedToBedrockEvalKMS",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:123456789012:key/*"
      ],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:evaluationJobArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*"
        }
      }
    },
    {
      "Sid": "CustomKMSKeyProvidedToBedrockKBDecryption",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:123456789012:key/*"
      ],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:knowledgeBaseArn": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/*"
        }
      }
    },
    {
      "Sid": "CustomKMSKeyProvidedToBedrockKBEncryption",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:123456789012:key/*"
      ],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:knowledgeBaseArn": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/*"
        },
        "StringEquals": {
          "kms:ViaService": [
            "bedrock.us-east-1.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CustomKMSKeyProvidedToBedrockKBGenerateDataKey",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:123456789012:key/*"
      ],
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:CustomerAwsAccountId": "123456789012",
          "kms:EncryptionContext:SessionId": "*"
        },
        "StringEquals": {
          "kms:ViaService": [
            "bedrock.us-east-1.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CustomKMSDescribeKeyProvidedToBedrock",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:123456789012:key/*"
      ]
    }
  ]
}
AWS KMS key policy requirements
Every KMS key must have a key policy. The statements in the key policy determine who has permission to use the KMS key and how they can use it. You can also use IAM policies and grants to control access to a KMS key, but every KMS key must still have a key policy.
You must add the following statements to your existing KMS key policy. They give Amazon Bedrock permission to temporarily store your data in an S3 bucket using the KMS key that you specify.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/CustomerProvidedRole"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:evaluationJobArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/CustomerProvidedRole"
      },
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:knowledgeBaseArn": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/CustomerProvidedRole"
      },
      "Action": [
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:knowledgeBaseArn": "arn:aws:bedrock:us-east-1:123456789012:knowledge-base/*"
        },
        "StringEquals": {
          "kms:ViaService": [
            "bedrock.us-east-1.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CustomKMSKeyProvidedToBedrockKBGenerateDataKey",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/CustomerProvidedRole"
      },
      "Action": "kms:GenerateDataKey",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:CustomerAwsAccountId": "123456789012",
          "kms:EncryptionContext:SessionId": "*"
        },
        "StringEquals": {
          "kms:ViaService": [
            "bedrock.us-east-1.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "CustomKMSKeyProvidedToBedrockS3",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/CustomerProvidedRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-east-1.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "bedrock.amazonaws.com"
        ]
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:SourceArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*",
          "kms:EncryptionContext:evaluationJobArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*"
        }
      }
    }
  ]
}
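The section above says to add these statements to your existing key policy. The KMS PutKeyPolicy API replaces the entire key policy, so uploading only the statements shown would drop the policy's administrative statement and can leave the key unmanageable. The following script is an added example, not code from the AWS documentation. It merges the page's statements into a policy that already exists, skipping any statement already present so the operation is idempotent, and refuses to proceed if the existing policy has no account-root admin statement. The existing policy, the account ID, the role name and the key ID used below are constructed placeholders; apply_to_key uses the boto3 get_key_policy and put_key_policy calls and needs real credentials, while everything else runs offline.

```python
"""Merge the Bedrock statements into an existing KMS key policy without clobbering it.

Added example, not AWS documentation code. PutKeyPolicy replaces the whole key
policy, so the page's statements must be appended to what is already on the
key rather than uploaded alone; a key policy that loses its account-root admin
statement can leave the key unmanageable. Account IDs, role names and the key
ID are placeholders.
"""
import copy
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _canonical(statement):
    """Stable string form so equal statements compare equal regardless of key order."""
    return json.dumps(statement, sort_keys=True, separators=(",", ":"))


def has_root_admin_statement(policy, account_id):
    """True if some statement lets the account root principal administer the key."""
    root = f"arn:aws:iam::{account_id}:root"
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and root in aws_principals
                and "kms:*" in _as_list(stmt.get("Action", []))):
            return True
    return False


def merge_key_policy(existing, additions, account_id):
    """Return existing + every addition not already present; never mutates existing.

    Raises ValueError when the existing policy has no root admin statement, since
    writing the merged result with PutKeyPolicy could lock everyone out of the key.
    """
    if not has_root_admin_statement(existing, account_id):
        raise ValueError("existing key policy has no account-root admin statement")
    merged = copy.deepcopy(existing)
    merged.setdefault("Version", "2012-10-17")
    statements = _as_list(merged.get("Statement", []))
    seen = {_canonical(s) for s in statements}
    for stmt in additions:
        if _canonical(stmt) not in seen:
            statements.append(copy.deepcopy(stmt))
            seen.add(_canonical(stmt))
    merged["Statement"] = statements
    return merged


def apply_to_key(key_id, additions, account_id):
    """Read the live key policy, merge, and write it back (requires AWS credentials)."""
    import boto3  # imported here so the offline demo runs without boto3 installed
    kms = boto3.client("kms")
    existing = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
    merged = merge_key_policy(existing, additions, account_id)
    kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=json.dumps(merged))
    return merged


ACCOUNT_ID = "111122223333"  # placeholder account ID, as on the page

# Constructed sample: the default key policy KMS creates, which only grants the
# account root full control over the key.
EXISTING_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# One of the page's statements, with the page's placeholder role name.
BEDROCK_STATEMENTS = [
    {
        "Sid": "CustomKMSKeyProvidedToBedrockS3",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/CustomerProvidedRole"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"kms:ViaService": "s3.us-east-1.amazonaws.com"}},
    }
]

if __name__ == "__main__":
    merged = merge_key_policy(EXISTING_KEY_POLICY, BEDROCK_STATEMENTS, ACCOUNT_ID)
    print(json.dumps(merged, indent=2))
```

To apply the full set from the page, put all of its statements in BEDROCK_STATEMENTS and call apply_to_key with the key ID or ARN; running it a second time changes nothing because each statement is matched on its canonical form.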
Setting KMS permissions for the role that calls the CreateEvaluationJob API
Make sure that the role has the DescribeKey, GenerateDataKey, and Decrypt permissions on the KMS key used in the evaluation job so that it can create the evaluation job.
Example KMS key policy
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:role/APICallingRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
Example IAM policy for the role that calls the CreateEvaluationJob API
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CustomKMSKeyProvidedToBedrockEncryption",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:123456789012:key/keyYouUse"
      ]
    }
  ]
}