Agent resource encryption - Amazon Bedrock

This is a machine translation of the English version; where the content is ambiguous or inconsistent, the English version takes precedence.

Agent resource encryption

Amazon Bedrock encrypts your agent session information. By default, Amazon Bedrock encrypts this data with an AWS managed key. Alternatively, you can encrypt agent artifacts with a customer managed key.

For more information about AWS KMS keys, see Customer managed keys in the AWS Key Management Service Developer Guide.

If you use a custom KMS key to encrypt sessions with an agent, you must configure the following identity-based policy and resource-based policy so that Amazon Bedrock can encrypt and decrypt agent resources on your behalf.

  1. Attach the following identity-based policy to an IAM role or user that has permission to make the InvokeAgent call. This policy verifies that the user making the InvokeAgent call has KMS permissions. Replace ${region}, ${account-id}, ${agent-id}, and ${key-id} with the appropriate values.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users",
          "Effect": "Allow",
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
          "Condition": {
            "StringEquals": {
              "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent/${agent-id}"
            }
          }
        }
      ]
    }
  2. Attach the following resource-based policy to your KMS key. Change the permission scope as needed. Replace ${region}, ${account-id}, ${agent-id}, ${key-id}, and ${role} with the appropriate values.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::${account-id}:root"
          },
          "Action": "kms:*",
          "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
        },
        {
          "Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users",
          "Effect": "Allow",
          "Principal": {
            "Service": "bedrock.amazonaws.com"
          },
          "Action": [
            "kms:GenerateDataKey",
            "kms:Decrypt"
          ],
          "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
          "Condition": {
            "StringEquals": {
              "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent/${agent-id}"
            }
          }
        },
        {
          "Sid": "Allow the service role to use the key to encrypt and decrypt Agent resources",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::${account-id}:role/${role}"
          },
          "Action": [
            "kms:GenerateDataKey*",
            "kms:Decrypt"
          ],
          "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
        },
        {
          "Sid": "Allow the attachment of persistent resources",
          "Effect": "Allow",
          "Principal": {
            "Service": "bedrock.amazonaws.com"
          },
          "Action": [
            "kms:CreateGrant",
            "kms:ListGrants",
            "kms:RevokeGrant"
          ],
          "Resource": "*",
          "Condition": {
            "Bool": {
              "kms:GrantIsForAWSResource": "true"
            }
          }
        }
      ]
    }
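The two policies above are templates with ${...} placeholders, and the security-relevant part of the key policy is the scoping: the Bedrock service principal may only use the key when the encryption context names this agent's ARN, and it may only manage grants that an AWS service creates for an AWS resource. The following Python script is an added example, not code from the AWS documentation. It fills in the placeholders for both policy templates (the key policy from step 2 is embedded; the step 1 identity policy renders the same way), parses the result so that malformed JSON such as a stray trailing comma is caught before calling KMS, and checks that every statement trusting bedrock.amazonaws.com keeps its condition. All identifiers in PARAMS are constructed placeholders; the `weakened_policy` helper is hypothetical and only exists to show what the check flags.

```python
import copy
import json
import re

# Constructed placeholder values (not real AWS identifiers); substitute your own.
PARAMS = {
    "region": "us-east-1",
    "account-id": "111122223333",
    "agent-id": "EXAMPLEAGENT",
    "key-id": "12345678-1234-1234-1234-123456789012",
    "role": "AmazonBedrockExecutionRoleForAgents_example",
}

# Key policy with the same four statements as the resource-based policy above.
KEY_POLICY_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
     "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::${account-id}:root"},
     "Action": "kms:*", "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"},
    {"Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users",
     "Effect": "Allow", "Principal": {"Service": "bedrock.amazonaws.com"},
     "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
     "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
     "Condition": {"StringEquals": {"kms:EncryptionContext:aws:bedrock:arn":
                   "arn:aws:bedrock:${region}:${account-id}:agent/${agent-id}"}}},
    {"Sid": "Allow the service role to use the key to encrypt and decrypt Agent resources",
     "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::${account-id}:role/${role}"},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
     "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"},
    {"Sid": "Allow the attachment of persistent resources",
     "Effect": "Allow", "Principal": {"Service": "bedrock.amazonaws.com"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}
  ]
}"""

PLACEHOLDER = re.compile(r"\$\{([a-z-]+)\}")


def fill(template: str, params: dict) -> str:
    """Substitute every ${name} placeholder; KeyError means one was left unfilled."""
    return PLACEHOLDER.sub(lambda m: params[m.group(1)], template)


def render_policy(template: str, params: dict) -> dict:
    """Fill placeholders and parse as JSON. A JSONDecodeError here means the
    policy text is malformed (e.g. a trailing comma), which KMS would also reject."""
    return json.loads(fill(template, params))


def _actions(stmt: dict) -> list:
    """Normalise "Action" to a list whether it is a string or an array."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def check_key_policy(policy: dict, params: dict) -> list:
    """Return findings (empty list means OK) for statements trusting the Bedrock service.

    Data-key/decrypt use must be tied to this agent's ARN via the encryption
    context, and grant management must carry kms:GrantIsForAWSResource = true.
    """
    agent_arn = fill("arn:aws:bedrock:${region}:${account-id}:agent/${agent-id}", params)
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != {"Service": "bedrock.amazonaws.com"}:
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_actions(stmt))
        cond = stmt.get("Condition", {})
        if actions & {"kms:Decrypt", "kms:GenerateDataKey"}:
            ctx = cond.get("StringEquals", {}).get("kms:EncryptionContext:aws:bedrock:arn")
            if ctx != agent_arn:
                findings.append(f"{sid}: Bedrock service use of the key is not scoped to {agent_arn}")
        if "kms:CreateGrant" in actions:
            if cond.get("Bool", {}).get("kms:GrantIsForAWSResource") != "true":
                findings.append(f"{sid}: grant creation is not limited with kms:GrantIsForAWSResource")
    return findings


def weakened_policy(policy: dict) -> dict:
    """Hypothetical over-broad edit: drop the encryption-context condition from the
    service statement, so the check has something to flag."""
    weak = copy.deepcopy(policy)
    for stmt in weak["Statement"]:
        if "Service" in stmt.get("Principal", {}) and "kms:Decrypt" in _actions(stmt):
            stmt.pop("Condition", None)
    return weak


if __name__ == "__main__":
    good = render_policy(KEY_POLICY_TEMPLATE, PARAMS)
    print("rendered policy findings:", check_key_policy(good, PARAMS))
    print("weakened policy findings:", check_key_policy(weakened_policy(good), PARAMS))
```

Run the script as-is to see the rendered policy pass and the weakened copy produce one finding; to use it on a real key, point PARAMS at your own values and feed the output of `render_policy` to the KMS PutKeyPolicy API, or run `check_key_policy` on the policy document returned by GetKeyPolicy during a review.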