

This is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version prevails.

# Encryption of Amazon Bedrock Flows resources
<a name="encryption-flows"></a>

Amazon Bedrock encrypts data at rest. By default, Amazon Bedrock encrypts this data with an AWS managed key. Alternatively, you can encrypt the data with a customer managed key.

For more information about AWS KMS keys, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.

If you encrypt data with a custom KMS key, you must configure the following identity-based policy and resource-based policy so that Amazon Bedrock can encrypt and decrypt the data on your behalf.

1. Attach the following identity-based policy to the IAM role or user that has permission to make Amazon Bedrock Flows API calls. This policy verifies that the user making Amazon Bedrock Flows calls has the necessary KMS permissions. Replace *region*, *account-id*, *flow-id*, and *key-id* with the appropriate values.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "EncryptFlow",
               "Effect": "Allow",
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:us-east-1:123456789012:flow/${flow-id}",
                       "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

2. Attach the following resource-based policy to your KMS key. Adjust the permission scope as needed. Replace *IAM-USER/ROLE-ARN*, *region*, *account-id*, *flow-id*, and *key-id* with the appropriate values.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "AllowRootModifyKMSId",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::123456789012:root"
               },
               "Action": "kms:*",
               "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}"
           },
           {
               "Sid": "AllowRoleUseKMSKey",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::123456789012:role/RoleName"
               },
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:us-east-1:123456789012:flow/${flow-id}",
                       "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

3. For [flow executions](flows-create-async.md), attach the following identity-based policy to the [service role that has permissions to create and manage flows](flows-permissions.md). This policy verifies that your service role has the necessary AWS KMS permissions. Replace *region*, *account-id*, *flow-id*, and *key-id* with the appropriate values.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "EncryptionFlows",
               "Effect": "Allow",
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:us-east-1:123456789012:flow/flow-id",
                       "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

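The three steps above share one shape: a grant of `kms:GenerateDataKey` and `kms:Decrypt` on the key, conditioned on the flow ARN appearing in the KMS encryption context and on `kms:ViaService` naming the Bedrock endpoint in the key's region. Those two condition keys are what keep the grant from being usable outside Bedrock Flows, so they are worth checking mechanically before a policy is applied. The following Python is an added example, not part of the AWS documentation or of any AWS SDK: it generates the identity-based policy and the key policy from the placeholder values, then lints any statement that grants the data-key actions for the scoping the topic relies on (a missing condition key, a `kms:ViaService` region that differs from the key ARN, or a flow ARN in another region or account). The sample account, flow, key and role values are constructed, and the function names are this example's own.

```python
import json
import re

# Constructed sample values (not from the AWS page); replace with your own.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
FLOW_ID = "EXAMPLEFLOWID"
KEY_ID = "11111111-2222-3333-4444-555555555555"
ROLE_NAME = "BedrockFlowsServiceRole"

# The two data-key operations the topic grants to the caller and the service role.
KMS_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt"]


def key_arn(region, account_id, key_id):
    return f"arn:aws:kms:{region}:{account_id}:key/{key_id}"


def flow_arn(region, account_id, flow_id):
    return f"arn:aws:bedrock:{region}:{account_id}:flow/{flow_id}"


def scoped_condition(region, account_id, flow_id):
    # Both policies in the topic use this pair: the KMS call must arrive via the
    # Bedrock endpoint and carry this flow's ARN in the encryption context.
    return {"StringEquals": {
        "kms:EncryptionContext:aws:bedrock-flows:arn": flow_arn(region, account_id, flow_id),
        "kms:ViaService": f"bedrock.{region}.amazonaws.com",
    }}


def identity_policy(region, account_id, flow_id, key_id, sid="EncryptFlow"):
    """Identity-based policy for the API caller (step 1) or the flows service role (step 3)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Action": list(KMS_ACTIONS),
        "Resource": key_arn(region, account_id, key_id),
        "Condition": scoped_condition(region, account_id, flow_id),
    }]}


def key_policy(region, account_id, flow_id, key_id, role_name):
    """Key policy (step 2): the account root keeps administrative control; the role
    gets only the two data-key operations, and only for this flow."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowRootModifyKMSId", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": key_arn(region, account_id, key_id)},
        {"Sid": "AllowRoleUseKMSKey", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
         "Action": list(KMS_ACTIONS), "Resource": key_arn(region, account_id, key_id),
         "Condition": scoped_condition(region, account_id, flow_id)},
    ]}


# Capture (region, account id) from a KMS key ARN and from a Bedrock flow ARN.
KEY_ARN_RE = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/")
FLOW_ARN_RE = re.compile(r"^arn:aws:bedrock:([a-z0-9-]+):(\d{12}):flow/")


def check_statement(stmt):
    """Findings for one statement that grants KMS data-key actions. An empty list means
    the grant is scoped as the topic describes: a single key ARN, the flow ARN in the
    encryption context, and a Bedrock ViaService endpoint in the key's own region."""
    findings = []
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    if stmt.get("Effect") != "Allow" or "kms:*" in actions:
        return findings  # Deny statements and the root administrative grant are out of scope here.
    if not any(a in KMS_ACTIONS for a in actions):
        return findings
    resource = stmt.get("Resource", "")
    key = KEY_ARN_RE.match(resource) if isinstance(resource, str) else None
    if key is None:
        findings.append("Resource is not a single KMS key ARN")
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    ctx = cond.get("kms:EncryptionContext:aws:bedrock-flows:arn")
    via = cond.get("kms:ViaService")
    if ctx is None:
        findings.append("missing kms:EncryptionContext:aws:bedrock-flows:arn condition")
    if via is None:
        findings.append("missing kms:ViaService condition")
    if key and via and via != f"bedrock.{key.group(1)}.amazonaws.com":
        findings.append("kms:ViaService region does not match the key ARN region")
    if key and ctx:
        flow = FLOW_ARN_RE.match(ctx)
        if flow is None or flow.group(1, 2) != key.group(1, 2):
            findings.append("flow ARN region/account does not match the key ARN")
    return findings


def check_policy(policy):
    """Map each statement Sid to its list of findings."""
    return {s.get("Sid", "?"): check_statement(s) for s in policy["Statement"]}


if __name__ == "__main__":
    for name, pol in [("identity", identity_policy(REGION, ACCOUNT_ID, FLOW_ID, KEY_ID)),
                      ("key", key_policy(REGION, ACCOUNT_ID, FLOW_ID, KEY_ID, ROLE_NAME))]:
        print(name, json.dumps(pol, indent=2), check_policy(pol), sep="\n")
```

Running the module prints both policy documents and an empty finding list for each statement. The checker deliberately skips the `kms:*` root statement, which is the standard administrative grant in a key policy, and reports only on statements that hand out the data-key operations, since those are the ones that must stay bound to the flow and the Bedrock endpoint.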