Encryption of Amazon Bedrock Flows resources - Amazon Bedrock

This page is a machine translation of the English version; where the content is ambiguous or inconsistent, the English version prevails.

Encryption of Amazon Bedrock Flows resources

Amazon Bedrock encrypts data at rest. By default, Amazon Bedrock encrypts this data with an AWS managed key. Alternatively, you can encrypt the data with a customer managed key.

For more information about AWS KMS keys, see Customer managed keys in the AWS Key Management Service Developer Guide.

If you encrypt data with a custom KMS key, you must configure the following identity-based and resource-based policies so that Amazon Bedrock can encrypt and decrypt the data on your behalf.

  1. Attach the following identity-based policy to the IAM role or user that has permission to make Amazon Bedrock Flows API calls. This policy validates that the user making Amazon Bedrock Flows calls has KMS permissions. Replace ${region}, ${account-id}, ${flow-id}, and ${key-id} with the appropriate values.

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EncryptFlow",
          "Effect": "Allow",
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}",
          "Condition": {
            "StringEquals": {
              "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:us-east-1:123456789012:flow/${flow-id}",
              "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
            }
          }
        }
      ]
    }
  2. Attach the following resource-based policy to your KMS key. Change the scope of the permissions as necessary. Replace {IAM-USER/ROLE-ARN}, ${region}, ${account-id}, ${flow-id}, and ${key-id} with the appropriate values.

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowRootModifyKMSId",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:root"
          },
          "Action": "kms:*",
          "Resource": "arn:aws:kms:us-east-1:123456789012:key/KeyId"
        },
        {
          "Sid": "AllowRoleUseKMSKey",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:role/RoleName"
          },
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}",
          "Condition": {
            "StringEquals": {
              "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:us-east-1:123456789012:flow/FlowId",
              "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
            }
          }
        }
      ]
    }
  3. For flow execution, attach the following identity-based policy to the service role that has permission to create and manage flows. This policy validates that your service role has AWS KMS permissions. Replace region, account-id, flow-id, and key-id with the appropriate values.

    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "EncryptionFlows",
          "Effect": "Allow",
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id",
          "Condition": {
            "StringEquals": {
              "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:us-east-1:123456789012:flow/flow-id",
              "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
            }
          }
        }
      ]
    }
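The three policies above all rely on the same two guards: the grant is limited to kms:GenerateDataKey and kms:Decrypt, and the Condition pins both the encryption context (kms:EncryptionContext:aws:bedrock-flows:arn) to one flow ARN and kms:ViaService to the Bedrock endpoint. Dropping the Condition lets the principal use the key for anything, not just this flow. The following Python script is an added example, not part of this AWS page or of any AWS tooling; it lints a policy document for those guards before you attach it. The account ID, key ID, flow ID and policy documents it uses are constructed placeholders, and the check_flow_kms_policy function and its finding messages are this example's own.

```python
import json

# Constructed placeholder identifiers; the account, key and flow IDs are not real.
REGION = "us-east-1"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"
FLOW_ARN = "arn:aws:bedrock:us-east-1:123456789012:flow/EXAMPLE-FLOW-ID"

# The two KMS actions the guide grants, and the condition keys it scopes them with.
REQUIRED_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}
CONTEXT_KEY = "kms:EncryptionContext:aws:bedrock-flows:arn"
VIA_SERVICE_KEY = "kms:ViaService"


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_flow_kms_policy(policy, key_arn, flow_arn, region):
    """Return a list of findings for a policy that lets Bedrock Flows use a KMS key.

    An empty list means at least one Allow statement on the key grants the two
    required actions and pins them to the flow's encryption context and to the
    Bedrock service endpoint, like the guide's sample policies. Otherwise the
    findings of the closest-matching statement are returned.
    """
    expected_via = f"bedrock.{region}.amazonaws.com"
    candidates = [
        stmt for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow" and key_arn in _as_list(stmt.get("Resource"))
    ]
    if not candidates:
        return [f"no Allow statement grants access to {key_arn}"]

    best = None
    for stmt in candidates:
        findings = []
        actions = set(_as_list(stmt.get("Action")))
        if "*" in actions or "kms:*" in actions:
            findings.append("action wildcard grants far more than the flow needs")
        elif not REQUIRED_ACTIONS <= actions:
            findings.append(f"missing actions: {sorted(REQUIRED_ACTIONS - actions)}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get(CONTEXT_KEY) != flow_arn:
            findings.append(f"{CONTEXT_KEY} is not pinned to {flow_arn}")
        if equals.get(VIA_SERVICE_KEY) != expected_via:
            findings.append(f"{VIA_SERVICE_KEY} is not pinned to {expected_via}")
        if best is None or len(findings) < len(best):
            best = findings
    return best


# Constructed sample: the guide's step-1 policy with placeholders filled in.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "EncryptFlow",
    "Effect": "Allow",
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
    "Resource": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID",
    "Condition": {"StringEquals": {
      "kms:EncryptionContext:aws:bedrock-flows:arn":
        "arn:aws:bedrock:us-east-1:123456789012:flow/EXAMPLE-FLOW-ID",
      "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
    }}
  }]
}
""")

# Constructed weak variant: same grant with the Condition block dropped, so the
# principal could use the key outside Bedrock and for flows other than this one.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EncryptFlow",
        "Effect": "Allow",
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Resource": KEY_ARN,
    }],
}

if __name__ == "__main__":
    for name, policy in (("scoped", SCOPED_POLICY), ("unscoped", UNSCOPED_POLICY)):
        print(name, check_flow_kms_policy(policy, KEY_ARN, FLOW_ARN, REGION) or "OK")
```

Run it against the identity-based policy in step 1 or 3 (after substituting your values) and against the AllowRoleUseKMSKey statement of the key policy in step 2; the AllowRootModifyKMSId statement is administrative and is reported as a wildcard, which is expected for that statement but not for the role's grant.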