加密 2025 年 1 月 22 日之前创建的代理的代理资源 - Amazon Bedrock

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

加密 2025 年 1 月 22 日之前创建的代理的代理资源

重要

如果您在 2025 年 1 月 22 日之后创建了代理,请按照以下说明进行操作 代理资源的加密

Amazon Bedrock 会加密代理的会话信息。默认情况下,Amazon Bedrock 使用 AWS 托管密钥对这些数据进行加密。或者,您可以使用客户托管式密钥来加密代理构件。

有关更多信息 AWS KMS keys,请参阅《AWS Key Management Service 开发人员指南》中的客户托管密钥

如果使用自定义 KMS 密钥加密与代理的会话,则必须设置以下基于身份的策略和基于资源的策略,以允许 Amazon Bedrock 代表您加密和解密代理资源。

  1. 将以下基于身份的策略附加到具有 InvokeAgent 调用权限的 IAM 角色或用户。此策略会验证发出 InvokeAgent 调用的用户是否具有 KMS 权限。将${region}${account-id}、和${agent-id}${key-id}替换为相应的值。

    JSON
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EncryptDecryptAgents",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/agent-id"
                }
            }
        }
    ]
}

  2. 将以下基于资源的策略附加到 KMS 密钥。根据需要更改权限的范围。将${region}${account-id}、和${agent-id}${key-id}替换为相应的值。

    JSON
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:root"
            },
            "Action": "kms:*",
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}"
        },
        {
            "Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users",
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/${agent-id}"
                }
            }
        },
        {
            "Sid": "Allow the service role to use the key to encrypt and decrypt Agent resources",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/Role"
            },
            "Action": [
                "kms:GenerateDataKey*",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}"
        },
        {
            "Sid": "Allow the attachment of persistent resources",
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": [
                "kms:CreateGrant",
                "kms:ListGrants",
                "kms:RevokeGrant"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": "true"
                }
            }
        }
    ]
}