加密 2025 年 1 月 22 日之前建立的代理程式資源

重要

如果您在 2025 年 1 月 22 日之後建立代理程式，請遵循 代理程式資源加密

Amazon Bedrock 會將您的代理程式工作階段資訊加密。根據預設，Amazon Bedrock 會使用 AWS 受管金鑰加密此資料。或者，您可以使用客戶自管金鑰加密代理程式成品。

如需 的詳細資訊 AWS KMS keys，請參閱《 AWS Key Management Service 開發人員指南》中的客戶受管金鑰。

如果您使用自訂 KMS 金鑰與代理程式加密工作階段，您必須設定下列身分型政策和資源型政策，以允許 Amazon Bedrock 代表您加密和解密代理程式資源。

1. 將下列身分型政策連接到 IAM 角色或具有撥打 InvokeAgent 通話許可權的使用者。此政策會驗證撥打 InvokeAgent 通話的使用者具有 KMS 許可權。以適當的值取代 ${region}、${account-id}、${agent-id} 和 ${key-id}。

   JSON

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "EncryptDecryptAgents",
               "Effect": "Allow",
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/agent-id"
                   }
               }
           }
       ]
   }
   

2. 將下列的資源型政策連接至您的 KMS 金鑰。視需要變更許可權範圍。以適當的值取代 ${region}、${account-id}、${agent-id} 和 ${key-id}。

   JSON

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::123456789012:root"
               },
               "Action": "kms:*",
               "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}"
           },
           {
               "Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users",
               "Effect": "Allow",
               "Principal": {
                   "Service": "bedrock.amazonaws.com"
               },
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/${agent-id}"
                   }
               }
           },
           {
               "Sid": "Allow the service role to use the key to encrypt and decrypt Agent resources",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::123456789012:role/Role"
               },
               "Action": [
                   "kms:GenerateDataKey*",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:us-east-1:123456789012:key/${key-id}"
           },
           {
               "Sid": "Allow the attachment of persistent resources",
               "Effect": "Allow",
               "Principal": {
                   "Service": "bedrock.amazonaws.com"
               },
               "Action": [
                   "kms:CreateGrant",
                   "kms:ListGrants",
                   "kms:RevokeGrant"
               ],
               "Resource": "*",
               "Condition": {
                   "Bool": {
                       "kms:GrantIsForAWSResource": "true"
                   }
               }
           }
       ]
   }