本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
加密 2025 年 1 月 22 日之前建立的代理程式資源
如果您在 2025 年 1 月 22 日之後建立代理程式,請遵循 代理程式資源加密
Amazon Bedrock 會將您的代理程式工作階段資訊加密。根據預設,Amazon Bedrock 會使用 AWS 受管金鑰加密此資料。或者,您可以使用客戶自管金鑰加密代理程式成品。
如需 的詳細資訊 AWS KMS keys,請參閱《 AWS Key Management Service 開發人員指南》中的客戶受管金鑰。
如果您使用自訂 KMS 金鑰與代理程式加密工作階段,您必須設定下列身分型政策和資源型政策,以允許 Amazon Bedrock 代表您加密和解密代理程式資源。
-
將下列身分型政策連接到 IAM 角色或具有撥打 InvokeAgent
通話許可權的使用者。此政策會驗證撥打 InvokeAgent
通話的使用者具有 KMS 許可權。以適當的值取代 ${region}
、${account-id}
、${agent-id}
和 ${key-id}
。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EncryptDecryptAgents",
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-east-1
:123456789012
:key/key-id
",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1
:123456789012
:agent/agent-id
"
}
}
}
]
}
-
將下列的資源型政策連接至您的 KMS 金鑰。視需要變更許可權範圍。以適當的值取代 ${region}
、${account-id}
、${agent-id}
和 ${key-id}
。
- JSON
-
-
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012
:root"
},
"Action": "kms:*",
"Resource": "arn:aws:kms:us-east-1
:123456789012
:key/${key-id}
"
},
{
"Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users",
"Effect": "Allow",
"Principal": {
"Service": "bedrock.amazonaws.com"
},
"Action": [
"kms:GenerateDataKey",
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-east-1
:123456789012
:key/${key-id}
",
"Condition": {
"StringEquals": {
"kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1
:123456789012
:agent/${agent-id}
"
}
}
},
{
"Sid": "Allow the service role to use the key to encrypt and decrypt Agent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012
:role/Role
"
},
"Action": [
"kms:GenerateDataKey*",
"kms:Decrypt"
],
"Resource": "arn:aws:kms:us-east-1
:123456789012
:key/${key-id}
"
},
{
"Sid": "Allow the attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"Service": "bedrock.amazonaws.com"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}