

# Data protection in Amazon Bedrock AgentCore Identity
<a name="identity-data-protection"></a>

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon Bedrock AgentCore Identity. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. This content includes the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq).

For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with IAM. That way each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources.
+ Set up API and user activity logging with AWS CloudTrail.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon S3.

We strongly recommend that you never put sensitive identifying information, such as your customers' account numbers, into free-form fields such as a **Name** field. This includes when you work with Amazon Bedrock AgentCore Identity or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into Amazon Bedrock AgentCore Identity or other services might get picked up for inclusion in diagnostic logs. When you provide a URL to an external server, don’t include credentials in the URL to authenticate your request to that server.

**Topics**
+ [Data encryption](identity-data-encryption.md)
+ [Set customer managed key policy](kms-key-policy-configuration.md)
+ [Configure with API operations or an AWS SDK](api-configuration-encryption.md)
+ [Configure KMS key for Token Vault on Console](console-configuration-encryption.md)

# Data encryption
<a name="identity-data-encryption"></a>

Data encryption typically falls into two categories: encryption at rest and encryption in transit.

## Encryption at rest
<a name="encryption-at-rest"></a>

Data within Amazon Bedrock AgentCore Identity is encrypted at rest in accordance with industry standards.

By default, Amazon Bedrock AgentCore Identity encrypts customer data in token vaults with AWS owned keys. You can also configure your token vaults to instead encrypt your information with customer managed keys.

**AWS owned key**  
Amazon Bedrock AgentCore Identity encrypts the data in your token vault with an AWS owned KMS key. Keys of this type aren’t visible in AWS KMS.

**Customer managed key**  
Amazon Bedrock AgentCore Identity encrypts the data in your token vault with a customer managed key. You own the administration of customer managed key policies, rotation, and scheduled deletion.

### Things to know about token vault encryption with customer managed keys
<a name="token-vault-encryption-considerations"></a>
+ Data in your token vault (access tokens) is encrypted at rest with the customer managed key you configure. The token vault ARN is included in the encryption context of the KMS requests that the service makes on your behalf.
+ All customer data in your token vault is encrypted at rest, even if you take no action to configure encryption settings.
+ You can’t configure token vault encryption at rest with [multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) or [asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html). Amazon Bedrock AgentCore Identity supports only single-Region symmetric KMS keys for token vault encryption at rest.
+ You can configure token vault encryption only with a KMS key ARN, not a key alias.
+ To encrypt credential provider secrets with a customer managed key, configure the key on the corresponding secret in AWS Secrets Manager. [Learn more](https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_update-encryption-key.html).

The following procedures configure encryption at rest in your token vault. For more information about KMS key policies that delegate access to AWS services, see [Permissions for AWS services in key policies](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-services.html).

# Set customer managed key policy
<a name="kms-key-policy-configuration"></a>

**Note**  
Currently, configuring a customer managed key on the token vault through the console is not supported.

To use a customer managed key, your key must trust an Amazon Bedrock AgentCore Identity service principal to perform encryption and decryption operations on the key. Configure the [key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) of your KMS key as shown in the following example. The IAM principal that writes this policy must have write access to your KMS key, with `kms:PutKeyPolicy` permission.
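The following block is an added example of such a key policy, built and checked in Python; it is not a policy taken from the page or from the service's own documentation. It assumes the service principal is `bedrock-agentcore.amazonaws.com` and that the operations to grant are `kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKey`, and `kms:DescribeKey`; confirm both against the current service documentation before applying it. The `aws:SourceAccount` condition is a standard KMS confused-deputy mitigation rather than something the page specifies, so verify that the service populates it before relying on it.

```python
"""Build, check, and apply a KMS key policy that lets the AgentCore
Identity service principal encrypt and decrypt token-vault data.

Added example. The service principal name, the action list, and the
aws:SourceAccount condition are assumptions, not taken from the page.
"""
import json

# ASSUMPTION: service principal used by Amazon Bedrock AgentCore Identity.
AGENTCORE_SERVICE_PRINCIPAL = "bedrock-agentcore.amazonaws.com"

# ASSUMPTION: operations the service needs on the key.
AGENTCORE_KEY_ACTIONS = [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
]


def build_key_policy(account_id: str) -> dict:
    """Return a key policy document as a dict with two statements: the
    usual account-root administration statement, which keeps the key
    manageable after the policy is replaced, and a statement that trusts
    the service principal only for requests made on behalf of this
    account (aws:SourceAccount), so another account cannot use the
    service as a confused deputy against your key."""
    return {
        "Version": "2012-10-17",
        "Id": "agentcore-token-vault-key-policy",
        "Statement": [
            {
                "Sid": "EnableKeyAdministrationByAccountRoot",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowAgentCoreIdentityTokenVault",
                "Effect": "Allow",
                "Principal": {"Service": AGENTCORE_SERVICE_PRINCIPAL},
                "Action": AGENTCORE_KEY_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id}
                },
            },
        ],
    }


def policy_trusts_service(policy: dict, service: str, actions: list) -> bool:
    """Return True if some Allow statement grants every action in
    `actions` to the given service principal. Use it as a pre-flight
    check before PutKeyPolicy, or against a policy fetched with
    GetKeyPolicy to confirm an existing key is usable."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        svc = principal.get("Service") if isinstance(principal, dict) else None
        services = [svc] if isinstance(svc, str) else (svc or [])
        if service not in services:
            continue
        granted = stmt.get("Action", [])
        granted = [granted] if isinstance(granted, str) else granted
        if "kms:*" in granted or all(a in granted for a in actions):
            return True
    return False


def apply_key_policy(key_arn: str, policy: dict) -> None:
    """Replace the key's policy with PutKeyPolicy. The caller needs
    kms:PutKeyPolicy on the key. boto3 is imported here so the rest of
    the module stays usable offline."""
    import boto3  # needs AWS credentials when actually called

    kms = boto3.client("kms")
    kms.put_key_policy(KeyId=key_arn, PolicyName="default",
                       Policy=json.dumps(policy))


if __name__ == "__main__":
    doc = build_key_policy("111122223333")
    print(json.dumps(doc, indent=2))
    print("trusts service:",
          policy_trusts_service(doc, AGENTCORE_SERVICE_PRINCIPAL,
                                AGENTCORE_KEY_ACTIONS))
```

Run the module to print the policy, review it, and then call `apply_key_policy` with the key ARN from a principal that holds `kms:PutKeyPolicy` on the key. Because `PutKeyPolicy` replaces the whole policy, the root administration statement is what prevents locking yourself out of the key.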

# Configure with API operations or an AWS SDK
<a name="api-configuration-encryption"></a>

Set your key configuration in a `SetTokenVaultCMK` API request. The following partial example request body sets the token vault to use the provided customer managed key.

```
"KmsConfiguration": {
    "KeyType": "CUSTOMER_MANAGED_KEY",
    "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
```

The following partial example request body sets a token vault to use an AWS owned key.

```
"KmsConfiguration": {
    "KeyType": "AWS_OWNED_KEY"
}
```

If your `GetTokenVault` response doesn’t include a `KmsConfiguration` parameter, your token vault is configured to encrypt data at rest with an AWS owned key.
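The following block is an added example, not code from the page or the service, that ties the key constraints listed under "Things to know about token vault encryption with customer managed keys" to the `SetTokenVaultCMK` and `GetTokenVault` bodies shown above. It rejects an alias or bare key ID, a multi-Region key (whose key ID begins with `mrk-`), and, given the `KeyMetadata` object from a KMS `DescribeKey` response, an asymmetric or disabled key, before producing a request body in the page's shape. The request and response field names (`KmsConfiguration`, `KeyType`, `KmsKeyArn`) are taken from the page; the `DescribeKey` field names are KMS's own; the sample metadata and responses are constructed for the demonstration.

```python
"""Pre-flight checks and request/response helpers for configuring
token-vault encryption with SetTokenVaultCMK and reading it back with
GetTokenVault. Added example; sample data below is constructed."""
import re
from typing import Optional

# Key ARN: partition, region, 12-digit account, key ID. Multi-Region key
# IDs begin with "mrk-", so they can be spotted from the ARN alone.
_KEY_ARN = re.compile(
    r"^arn:aws[a-z-]*:kms:([a-z0-9-]+):(\d{12}):key/([A-Za-z0-9-]+)$"
)


class KeyNotEligible(ValueError):
    """Raised when a key cannot be used for token-vault encryption."""


def check_kms_key_arn(key_arn: str) -> str:
    """Enforce the ARN-level rules: a key ARN (not an alias or bare key
    ID) that is not a multi-Region key. Returns the ARN unchanged."""
    if key_arn.startswith("alias/") or ":alias/" in key_arn:
        raise KeyNotEligible("token vault encryption needs a key ARN, not an alias")
    m = _KEY_ARN.match(key_arn)
    if not m:
        raise KeyNotEligible(f"not a KMS key ARN: {key_arn!r}")
    if m.group(3).startswith("mrk-"):
        raise KeyNotEligible("multi-Region keys are not supported")
    return key_arn


def check_key_metadata(meta: dict) -> None:
    """Enforce the rules that need DescribeKey: a symmetric encryption
    key, single-Region, and currently enabled. `meta` is the KeyMetadata
    object from a DescribeKey response."""
    if meta.get("KeyUsage") != "ENCRYPT_DECRYPT" or meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        raise KeyNotEligible("only symmetric encryption keys are supported")
    if meta.get("MultiRegion"):
        raise KeyNotEligible("multi-Region keys are not supported")
    if meta.get("KeyState") != "Enabled":
        raise KeyNotEligible(f"key is {meta.get('KeyState')}, not Enabled")


def set_token_vault_cmk_body(key_arn: Optional[str], metadata: Optional[dict] = None) -> dict:
    """Build the request body in the page's shape. Pass None as the ARN
    to switch the vault back to an AWS owned key."""
    if key_arn is None:
        return {"KmsConfiguration": {"KeyType": "AWS_OWNED_KEY"}}
    check_kms_key_arn(key_arn)
    if metadata is not None:
        check_key_metadata(metadata)
    return {"KmsConfiguration": {"KeyType": "CUSTOMER_MANAGED_KEY",
                                 "KmsKeyArn": key_arn}}


def rejection_reason(key_arn: Optional[str], metadata: Optional[dict] = None) -> Optional[str]:
    """Return the reason a configuration would be rejected, or None."""
    try:
        set_token_vault_cmk_body(key_arn, metadata)
    except KeyNotEligible as exc:
        return str(exc)
    return None


def effective_key_type(get_token_vault_response: dict) -> str:
    """Interpret a GetTokenVault response: a missing KmsConfiguration
    means the vault is encrypted with an AWS owned key."""
    cfg = get_token_vault_response.get("KmsConfiguration")
    if not cfg:
        return "AWS_OWNED_KEY"
    return cfg["KeyType"]


# Constructed DescribeKey KeyMetadata objects and a multi-Region ARN.
GOOD_KEY = {
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
    "KeyUsage": "ENCRYPT_DECRYPT", "KeySpec": "SYMMETRIC_DEFAULT",
    "MultiRegion": False, "KeyState": "Enabled",
}
ASYMMETRIC_KEY = {**GOOD_KEY, "KeyUsage": "SIGN_VERIFY", "KeySpec": "RSA_2048"}
MRK_ARN = "arn:aws:kms:us-east-1:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab"

if __name__ == "__main__":
    print(set_token_vault_cmk_body(GOOD_KEY["Arn"], GOOD_KEY))
    for arn, meta in [("alias/token-vault", None), (MRK_ARN, None),
                      (GOOD_KEY["Arn"], ASYMMETRIC_KEY)]:
        print(arn, "->", rejection_reason(arn, meta))
    print(effective_key_type({"TokenVaultId": "default"}))
```

In practice, fetch the metadata with `boto3.client("kms").describe_key(KeyId=key_arn)["KeyMetadata"]` and pass it to `set_token_vault_cmk_body` before sending the request; catching these conditions client-side gives a clearer error than a failed `SetTokenVaultCMK` call.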

# Configure KMS key for Token Vault on Console
<a name="console-configuration-encryption"></a>

The KMS key configuration determines how your token vault encrypts data at rest. You can choose between an AWS owned key or a customer managed key (stored in your account and managed through AWS KMS).

## To configure AWS KMS encryption for your token vault
<a name="configure-kms-encryption-steps"></a>
+ Open the [AgentCore Identity](https://console.aws.amazon.com/bedrock-agentcore/identity) console.
+ In the **KMS key (Token vault)** section, choose **Edit**.
+ In the KMS key selection section, your token vault is encrypted by default with a key that AWS owns and manages for you. To choose a different key, customize your encryption settings:
  + **AWS owned key (default)**: Leave the checkbox unselected. The KMS key is owned and managed by AWS.
  + **Customer managed key**: Select the checkbox and provide the KMS key ARN (not an alias). The key is stored in your account and is managed by AWS Key Management Service (AWS KMS).
+ Choose **Save changes** to update the KMS key configuration for your token vault.
+ To confirm the encryption type, check the **KMS key (Token vault)** details in the AgentCore Identity console.