(選用) 為您的防護機制建立客戶受管金鑰,以提高安全性
您可以使用客戶自管 AWS KMS keys 來加密防護機制。任何具有 CreateKey 權限的使用者都可以使用 AWS Key Management Service (AWS KMS) 主控台或 CreateKey 操作來建立客戶自管金鑰。在這些情況中,請確保建立對稱加密金鑰。
建立金鑰後,請設定下列許可政策。
-
執行下列動作以建立資源型金鑰政策:
-
建立金鑰政策,為您的 KMS 金鑰建立資源型政策。
-
新增下列政策陳述式,將許可授予防護機制使用者和防護機制建立者。將每個 role
- JSON
-
-
{
"Version":"2012-10-17",
"Id": "KMS key policy",
"Statement": [
{
"Sid": "PermissionsForGuardrailsCreators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/role"
},
"Action": [
"kms:Decrypt",
"kms:GenerateDataKey",
"kms:DescribeKey",
"kms:CreateGrant"
],
"Resource": "*"
},
{
"Sid": "PermissionsForGuardrailsUsers",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:user/role"
},
"Action": "kms:Decrypt",
"Resource": "*"
}
]
}
-
將下列身分型政策連接至角色,以允許其建立及管理防護機制。將 key-id
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowRoleToCreateAndManageGuardrails",
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKey",
"kms:CreateGrant"
],
"Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id"
}
]
}
-
將下列身分型政策連接至角色,以允許其使用您在模型推論或調用代理程式時加密的防護機制。將 key-id
- JSON
-
-
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "AllowRoleToUseEncryptedGuardrailDuringInference",
"Effect": "Allow",
"Action": [
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id"
}
]
}
