Encryption of model customization jobs and artifacts for Amazon Nova

For information about encryption of model customization jobs and artifacts in Amazon Bedrock, see Encryption of model customization jobs and artifacts.

Permissions and key policy for customizing Amazon Nova models

The following statements are required when you create the KMS key permissions.

PermissionsModelCustomization statement

In the Principal field, add the accounts that you want to allow the Decrypt, GenerateDataKey, DescribeKey and CreateGrant operations to the list mapped to the AWS subfield. If you use the kms:ViaService condition key, you can add one line for each Region, or replace ${region} with * to allow every Region that supports Amazon Bedrock.

{
    "Sid": "PermissionsModelCustomization",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::${account-id}:role/${customization-role}"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:CreateGrant"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:ViaService": [
                "bedrock.${region}.amazonaws.com"
            ]
        }
    }
}

PermissionsModelInvocation statement

In the Principal field, add the accounts that you want to allow the Decrypt and GenerateDataKey operations to the list mapped to the AWS subfield. If you use the kms:ViaService condition key, you can add one line for each Region, or replace ${region} with * to allow every Region that supports Amazon Bedrock.

{
    "Sid": "PermissionsModelInvocation",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::${account-id}:user/${invocation-role}"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:ViaService": [
                "bedrock.${region}.amazonaws.com"
            ]
        }
    }
}

PermissionsNovaProvisionedThroughput statement

When you create Provisioned Throughput for a custom Amazon Nova model, Amazon Bedrock performs inference and deployment optimization on the model. During this process, Amazon Bedrock uses the same KMS key that was used to create the custom model, so that the optimized model keeps the same highest level of security as the custom model itself.

{
    "Sid": "PermissionsNovaProvisionedThroughput",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "bedrock.amazonaws.com"
        ]
    },
    "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
    ],
    "Resource": "*",
    "Condition": {
        "ForAnyValue:StringEquals": {
            "kms:EncryptionContextKeys": "aws:bedrock:custom-model"
        }
    }
}

Setting up key permissions to encrypt and invoke custom models

If you plan to encrypt a custom model with a KMS key, the key policy for that key depends on your use case. Expand the section that matches your use case:

If the role that will invoke the custom model is the same as the role that will customize the model, you only need the PermissionsModelCustomization and PermissionsNovaProvisionedThroughput statements from the permission statements above.

  1. In the Principal field, add the accounts that you want to allow to customize and invoke the custom model to the list mapped to the AWS subfield in the PermissionsModelCustomization statement.

  2. By default, add the PermissionsNovaProvisionedThroughput statement to the key policy, with bedrock.amazonaws.com as the allowed service principal and kms:EncryptionContextKeys as the condition.

JSON
{
    "Version": "2012-10-17",
    "Id": "PermissionsCustomModelKey",
    "Statement": [
        {
            "Sid": "PermissionsModelCustomization",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:role/customize-and-invoke-role"
                ]
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "bedrock.us-east-1.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "PermissionsNovaProvisionedThroughput",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "bedrock.amazonaws.com"
                ]
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "kms:EncryptionContextKeys": "aws:bedrock:custom-model"
                }
            }
        }
    ]
}

If the role that will invoke the custom model is different from the role that will customize the model, you need all three permission statements. Modify the statements in the following policy template as follows:

  1. In the Principal field, add the accounts that you want to allow only to customize the custom model to the list mapped to the AWS subfield in the PermissionsModelCustomization statement.

  2. In the Principal field, add the accounts that you want to allow only to invoke the custom model to the list mapped to the AWS subfield in the PermissionsModelInvocation statement.

  3. By default, add the PermissionsNovaProvisionedThroughput statement to the key policy, with bedrock.amazonaws.com as the allowed service principal and kms:EncryptionContextKeys as the condition.

JSON
{
    "Version": "2012-10-17",
    "Id": "PermissionsCustomModelKey",
    "Statement": [
        {
            "Sid": "PermissionsModelCustomization",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/customization-role"
                ]
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:DescribeKey",
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "bedrock.us-east-1.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "PermissionsModelInvocation",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:user/invocation-role"
                ]
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:ViaService": [
                        "bedrock.us-east-1.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "PermissionsNovaProvisionedThroughput",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "bedrock.amazonaws.com"
                ]
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "kms:EncryptionContextKeys": "aws:bedrock:custom-model"
                }
            }
        }
    ]
}
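The three statements above are easy to get subtly wrong (a missing kms:ViaService or kms:EncryptionContextKeys condition silently widens who can use the key). The following is an added Python check, not AWS code, that audits a custom-model key policy against the statements this page describes; the policy it inspects is a constructed copy of the same-role example with the encryption-context condition deliberately dropped.

```python
REQUIRED_ACTIONS = {  # per-statement action sets taken from the statements on this page
    "PermissionsModelCustomization": {"kms:Decrypt", "kms:GenerateDataKey",
                                      "kms:DescribeKey", "kms:CreateGrant"},
    "PermissionsModelInvocation": {"kms:Decrypt", "kms:GenerateDataKey"},
    "PermissionsNovaProvisionedThroughput": {"kms:Decrypt", "kms:GenerateDataKey"},
}

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_custom_model_key_policy(policy):
    """Return findings for a custom-model KMS key policy; [] means every statement
    this page describes is present and scoped as the page shows."""
    findings = []
    by_sid = {s.get("Sid"): s for s in _as_list(policy.get("Statement", []))}
    for sid in ("PermissionsModelCustomization", "PermissionsNovaProvisionedThroughput"):
        if sid not in by_sid:
            findings.append(f"missing {sid} statement")
    for sid, stmt in by_sid.items():
        if sid not in REQUIRED_ACTIONS:
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        if actions != REQUIRED_ACTIONS[sid]:
            findings.append(f"{sid}: actions {sorted(actions)} differ from the required set")
        cond = stmt.get("Condition", {})
        if sid == "PermissionsNovaProvisionedThroughput":
            # Bedrock service principal, limited to the aws:bedrock:custom-model encryption context.
            if _as_list(stmt.get("Principal", {}).get("Service", [])) != ["bedrock.amazonaws.com"]:
                findings.append(f"{sid}: principal must be the bedrock.amazonaws.com service only")
            ctx = cond.get("ForAnyValue:StringEquals", {}).get("kms:EncryptionContextKeys")
            if ctx != "aws:bedrock:custom-model":
                findings.append(f"{sid}: missing kms:EncryptionContextKeys condition")
        else:
            # Role principals may only reach the key through Bedrock (kms:ViaService).
            via = _as_list(cond.get("StringLike", {}).get("kms:ViaService", []))
            if not via or not all(v.startswith("bedrock.") and v.endswith(".amazonaws.com") for v in via):
                findings.append(f"{sid}: no kms:ViaService condition limiting use to Bedrock")
    return findings

# Constructed sample: the same-role policy from this page, with the encryption-context
# condition dropped from the service statement so the check has something to flag.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PermissionsModelCustomization", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/customize-and-invoke-role"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant"],
     "Resource": "*", "Condition": {"StringLike": {"kms:ViaService": "bedrock.us-east-1.amazonaws.com"}}},
    {"Sid": "PermissionsNovaProvisionedThroughput", "Effect": "Allow",
     "Principal": {"Service": "bedrock.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"}]}
```

Run `check_custom_model_key_policy` against the policy document returned by the KMS GetKeyPolicy API (parsed with json.loads) to audit a real key before attaching it to a customization job.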