(Optional) Create a customer managed key for your guardrail for additional security
You encrypt your guardrails with customer managed AWS KMS keys. Any user with
CreateKey
permissions can create customer managed keys by using the
AWS Key Management Service (AWS KMS) console or CreateKey operation. In
these situations,
make
sure to create a symmetric encryption key.
After you create your key, configure the following permission policies.
-
Do the following to create a resource-based key policy:
-
Create a key policy to create a resource-based policy for your KMS key.
-
Add the following policy statements to grant permissions to guardrails users and guardrails creators. Replace each
with the role that you want to allow to carry out the specified actions.role
-
-
Attach the following identity-based policy to a role to allow it to create and manage guardrails. Replace the
with the ID of the KMS key that you created.key-id
-
Attach the following identity-based policy to a role to allow it to use the guardrail you encrypted during model inference or while invoking an agent. Replace the
with the ID of the KMS key that you created.key-id