This page is a machine-translated version. If this translation differs from the English original, the English original prevails.
Encrypting agent resources for agents created before January 22, 2025
If you created your agent after January 22, 2025, follow the instructions in Encryption of agent resources instead.
Amazon Bedrock encrypts the session information of your agent. By default, Amazon Bedrock encrypts this data with an AWS managed key. Alternatively, you can encrypt agent artifacts with a customer managed key.
For more information about AWS KMS keys, see Customer managed keys in the AWS Key Management Service Developer Guide.
If you use a custom KMS key to encrypt sessions with your agent, you must set up the following identity-based and resource-based policies so that Amazon Bedrock can encrypt and decrypt agent resources on your behalf.
- Attach the following identity-based policy to the IAM role or user that has permission to make InvokeAgent calls. This policy verifies that the user making InvokeAgent calls has KMS permissions. Replace ${region}, ${account-id}, ${agent-id}, and ${key-id} with the appropriate values.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EncryptDecryptAgents",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/agent-id"
                }
            }
        }
    ]
}
```
- Attach the following resource-based policy to the KMS key. Narrow the scope of the permissions as needed. Replace ${region}, ${account-id}, ${agent-id}, and ${key-id} with the appropriate values.
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}"
        },
        {
            "Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users",
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/${agent-id}"
                }
            }
        },
        {
            "Sid": "Allow the service role to use the key to encrypt and decrypt Agent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/Role"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}"
        },
        {
            "Sid": "Allow the attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}
```
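The two statements for the bedrock.amazonaws.com service principal are what keep the key from being usable for anything other than this agent: the encryption-context condition pins data-key operations to the agent ARN, and kms:GrantIsForAWSResource limits grant operations. The following Python audit helper is an added example, not part of the AWS documentation; it checks a key-policy document for exactly those conditions, and the ARNs, function names and the weak variant are constructed for illustration.

```python
import json

BEDROCK = "bedrock.amazonaws.com"
CTX_KEY = "kms:EncryptionContext:aws:bedrock:arn"
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}


def audit_bedrock_statements(policy: dict, agent_arn: str) -> list:
    """Return findings for Allow statements granted to the Bedrock service principal.
    Empty means each carries the scoping condition the key policy above uses:
    the agent's encryption context for data-key actions, GrantIsForAWSResource for grants."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Principal", {}).get("Service") != BEDROCK:
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        cond, sid = st.get("Condition", {}), st.get("Sid", "<no Sid>")
        if any(a.endswith("*") for a in actions):
            findings.append(f"{sid}: wildcard action granted to the service principal")
        if set(actions) <= GRANT_ACTIONS:
            if cond.get("Bool", {}).get("kms:GrantIsForAWSResource") != "true":
                findings.append(f"{sid}: grant actions lack kms:GrantIsForAWSResource")
        elif cond.get("StringEquals", {}).get(CTX_KEY) != agent_arn:
            findings.append(f"{sid}: encryption context is not pinned to the agent ARN")
    return findings


def bedrock_stmt(sid, actions, condition, resource="*"):
    """Build one Allow statement for the Bedrock service principal (hypothetical helper)."""
    return {"Sid": sid, "Effect": "Allow", "Principal": {"Service": BEDROCK},
            "Action": actions, "Resource": resource, "Condition": condition}


# Constructed example ARNs; not a real account, key or agent.
AGENT_ARN = "arn:aws:bedrock:us-east-1:123456789012:agent/EXAMPLEAGENTID"
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"

# The two service-principal statements from the key policy on this page.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    bedrock_stmt("Allow Amazon Bedrock to encrypt and decrypt Agent resources",
                 ["kms:GenerateDataKey", "kms:Decrypt"],
                 {"StringEquals": {CTX_KEY: AGENT_ARN}}, KEY_ARN),
    bedrock_stmt("Allow the attachment of persistent resources",
                 sorted(GRANT_ACTIONS), {"Bool": {"kms:GrantIsForAWSResource": "true"}}),
]}

# Weak variant (constructed): the encryption-context condition is dropped, so the
# service principal could use this key for any Bedrock resource, not only this agent.
WEAK_POLICY = json.loads(json.dumps(GOOD_POLICY))
del WEAK_POLICY["Statement"][0]["Condition"]
```

Run audit_bedrock_statements on the policy document returned by the KMS GetKeyPolicy API (parsed with json.loads) to confirm the conditions survived any later edits to the key policy.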