Encryption of Amazon Bedrock Flows resources - Amazon Bedrock

This page is a machine translation of the English version; where the two differ or are ambiguous, the English version is authoritative.

Encryption of Amazon Bedrock Flows resources

Amazon Bedrock encrypts data at rest. By default, Amazon Bedrock encrypts this data with an AWS managed key. Alternatively, you can encrypt the data with a customer managed key that you own and control.

For more information about AWS KMS keys, see Customer managed keys in the AWS Key Management Service Developer Guide.

If you encrypt your data with a customer managed KMS key, you must configure the following identity-based and resource-based policies so that Amazon Bedrock can encrypt and decrypt data on your behalf. Each policy scopes key use to a specific flow (through the kms:EncryptionContext:aws:bedrock-flows:arn condition key) and to requests that arrive through the Amazon Bedrock service endpoint in your Region (through kms:ViaService).

  1. Attach the following identity-based policy to the IAM role or user that has permission to make Amazon Bedrock Flows API calls. This policy grants the identity making Amazon Bedrock Flows calls the KMS permissions it needs. Replace ${region}, ${account-id}, ${flow-id}, and ${key-id} with the appropriate values.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow Amazon Bedrock Flows to encrypt and decrypt data",
                "Effect": "Allow",
                "Action": [
                    "kms:GenerateDataKey",
                    "kms:Decrypt"
                ],
                "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
                "Condition": {
                    "StringEquals": {
                        "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                        "kms:ViaService": "bedrock.${region}.amazonaws.com"
                    }
                }
            }
        ]
    }
  2. Attach the following resource-based policy (key policy) to your KMS key. Adjust the scope of the permissions as needed. Replace {IAM-USER/ROLE-ARN}, ${region}, ${account-id}, ${flow-id}, and ${key-id} with the appropriate values. The first statement is the standard key-administration grant to the account root and is not used by Amazon Bedrock; the second grants only the Flows API caller, only the two data-key operations, and only for the named flow via the Amazon Bedrock service.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::${account-id}:root"
                },
                "Action": "kms:*",
                "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
            },
            {
                "Sid": "Allow the IAM user or IAM role of Flows API caller to use the key to encrypt and decrypt data.",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "{IAM-USER/ROLE-ARN}"
                },
                "Action": [
                    "kms:GenerateDataKey",
                    "kms:Decrypt"
                ],
                "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
                "Condition": {
                    "StringEquals": {
                        "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                        "kms:ViaService": "bedrock.${region}.amazonaws.com"
                    }
                }
            }
        ]
    }
  3. For flow executions, attach the following identity-based policy to the service role that has permission to create and manage flows. This policy grants your service role the AWS KMS permissions it needs. Replace region, account-id, flow-id, and key-id with the appropriate values.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Allow data encryption and decryption with flow executions in Amazon Bedrock.",
                "Effect": "Allow",
                "Action": [
                    "kms:GenerateDataKey",
                    "kms:Decrypt"
                ],
                "Resource": "arn:aws:kms:region:account-id:key/key-id",
                "Condition": {
                    "StringEquals": {
                        "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:region:account-id:flow/flow-id",
                        "kms:ViaService": "bedrock.region.amazonaws.com"
                    }
                }
            }
        ]
    }
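The following is an added example, not code from the Amazon Bedrock documentation or from AWS. It fills the step-2 key policy with constructed placeholder values (Region, account ID, key ID, flow ID, and a hypothetical caller role named BedrockFlowsCaller) and runs a deliberately minimal model of IAM evaluation over it, covering only Allow statements, "*" wildcards, AWS principal matching and StringEquals conditions. The point it demonstrates is what the two condition keys gate: the same principal is allowed when Amazon Bedrock calls KMS on behalf of the configured flow, and denied when the request is for a different flow, comes through a different Region's service endpoint, or is made directly to KMS without an encryption context. The policy is kept as JSON text and parsed, so a syntax slip such as a trailing comma in the Action list surfaces immediately.

```python
"""Added example (not AWS code): minimal evaluator for the step-2 key policy.

Models only Allow statements, "*" wildcards in Action/Resource, AWS
principal matching and StringEquals conditions. Explicit Deny, NotAction,
policy variables and other condition operators are not modelled.
All ARNs, IDs and the caller role name are constructed placeholders.
"""
import fnmatch
import json

# Constructed placeholder values standing in for ${region}, ${account-id}, ...
REGION = "us-east-1"
ACCOUNT = "111122223333"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
FLOW_ID = "FLOW1234ABCD"
CALLER_ARN = f"arn:aws:iam::{ACCOUNT}:role/BedrockFlowsCaller"  # hypothetical role
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{KEY_ID}"
FLOW_ARN = f"arn:aws:bedrock:{REGION}:{ACCOUNT}:flow/{FLOW_ID}"

# The step-2 key policy with placeholders filled in, kept as JSON text so a
# syntax error (e.g. a trailing comma) fails here, not at PutKeyPolicy time.
KEY_POLICY_JSON = f"""{{
  "Version": "2012-10-17",
  "Statement": [
    {{
      "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
      "Effect": "Allow",
      "Principal": {{"AWS": "arn:aws:iam::{ACCOUNT}:root"}},
      "Action": "kms:*",
      "Resource": "{KEY_ARN}"
    }},
    {{
      "Sid": "Allow the Flows API caller to use the key to encrypt and decrypt data.",
      "Effect": "Allow",
      "Principal": {{"AWS": "{CALLER_ARN}"}},
      "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
      "Resource": "{KEY_ARN}",
      "Condition": {{
        "StringEquals": {{
          "kms:EncryptionContext:aws:bedrock-flows:arn": "{FLOW_ARN}",
          "kms:ViaService": "bedrock.{REGION}.amazonaws.com"
        }}
      }}
    }}
  ]
}}"""
KEY_POLICY = json.loads(KEY_POLICY_JSON)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _any_match(patterns, value):
    # IAM-style "*" wildcards in Action and Resource.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def bedrock_flow_context(flow_arn, region=REGION):
    """Request context KMS sees when Amazon Bedrock Flows calls it for a flow."""
    return {
        "kms:EncryptionContext:aws:bedrock-flows:arn": flow_arn,
        "kms:ViaService": f"bedrock.{region}.amazonaws.com",
    }


def is_allowed(policy, principal, action, resource, context):
    """True if some Allow statement in `policy` matches the request.

    `context` maps condition keys to values present in the request. A key
    missing from the request never satisfies StringEquals, which is why a
    direct KMS call (no kms:ViaService, no encryption context) is refused
    by the caller statement even when it comes from the right principal.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Key policies name a Principal; identity-based policies do not.
        if "Principal" in stmt and not _any_match(stmt["Principal"]["AWS"], principal):
            continue
        if not _any_match(stmt["Action"], action):
            continue
        if not _any_match(stmt["Resource"], resource):
            continue
        satisfied = True
        for operator, tests in stmt.get("Condition", {}).items():
            if operator != "StringEquals":
                raise ValueError(f"condition operator {operator} not modelled")
            for key, wanted in tests.items():
                if context.get(key) not in _as_list(wanted):
                    satisfied = False
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    this_flow = bedrock_flow_context(FLOW_ARN)
    other_flow = bedrock_flow_context(FLOW_ARN.replace(FLOW_ID, "OTHERFLOW999"))
    print("bedrock, this flow :", is_allowed(KEY_POLICY, CALLER_ARN, "kms:Decrypt", KEY_ARN, this_flow))
    print("bedrock, other flow:", is_allowed(KEY_POLICY, CALLER_ARN, "kms:Decrypt", KEY_ARN, other_flow))
    print("direct KMS call    :", is_allowed(KEY_POLICY, CALLER_ARN, "kms:Decrypt", KEY_ARN, {}))
    print("root key admin     :", is_allowed(KEY_POLICY, f"arn:aws:iam::{ACCOUNT}:root", "kms:ScheduleKeyDeletion", KEY_ARN, {}))
```

Run it as a script to see the four outcomes. The useful check for a real deployment is the negative cases: if you loosen the key policy (for example by dropping the kms:ViaService condition to make a test pass), the "direct KMS call" case flips to allowed, which means any holder of the caller role can decrypt flow data outside Amazon Bedrock.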