代理资源的加密

Amazon Bedrock 会加密代理的会话信息。默认情况下，Amazon Bedrock 使用 AWS 托管密钥对这些数据进行加密。或者，您可以使用客户托管式密钥来加密代理构件。

有关更多信息 AWS KMS keys，请参阅《AWS Key Management Service 开发人员指南》中的客户托管密钥。

如果您使用自定义 KMS 密钥加密与代理的会话，则必须设置以下基于身份的策略和基于资源的策略，以允许 Amazon Bedrock 代表您加密和解密代理资源。

将以下基于身份的策略附加到具有 InvokeAgent 调用权限的 IAM 角色或用户。此策略会验证发出 InvokeAgent 调用的用户是否具有 KMS 权限。将 $ {region}、$ {account-id}、$ {agent-id} 和 $ {key-id} 替换为相应的值。


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent/${agent-id}"
                }
            }
        }
    ]
}

将以下基于资源的策略附加到 KMS 密钥。根据需要更改权限的范围。将 $ {region}、$ {account-id}、$ {agent-id} 和 $ {key-id} 替换为相应的值。


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${account-id}:root"
            },
            "Action": "kms:*",
            "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
        },
        {
            "Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users",
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent/${agent-id}"
                }
            }
        },
        {
            "Sid": "Allow the service role to use the key to encrypt and decrypt Agent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${account-id}:role/${role}"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt",
            ],
            "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
},
        {
           "Sid": "Allow the attachment of persistent resources",
           "Effect": "Allow",
           "Principal": {
               "Service": "bedrock.amazonaws.com"
           },
           "Action": [
               "kms:CreateGrant",
               "kms:ListGrants",
               "kms:RevokeGrant"
           ],
           "Resource": "*",
           "Condition": {
               "Bool": {
                   "kms:GrantIsForAWSResource": "true"
               }
           }
         }
    ]
}

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

文档惯例

监控您的 Amazon Bedrock 服务的加密密钥

代理内存权限