Encryption of Amazon Bedrock Studio
Amazon Bedrock Studio is in preview release for Amazon Bedrock and is subject to change. |
Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements.
Amazon Bedrock Studio uses default AWS-owned keys to automatically encrypt your data at rest. You can't view, manage, or audit the use of AWS owned keys. For more information, see AWS owned keys.
While you can't disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption over the existing AWS owned encryption keys by choosing a customer-managed key when you create your Amazon Bedrock Studio domains. Amazon Bedrock Studio supports the use of a symmetric customer managed keys that you can create, own, and manage to add a second layer of encryption over the existing AWS owned encryption. Because you have full control of this layer of encryption, in it you can perform the following tasks:
-
Establish and maintain key policies
-
Establish and maintain IAM policies and grants
-
Enable and disable key policies
-
Rotate key cryptographic material
-
Add tags
-
Create key aliases
-
Schedule keys for deletion
For more information, see Customer managed keys.
Note
Amazon Bedrock Studio automatically enables encryption at rest using AWS owned keys to protect customer data at no charge.
AWS KMS charges apply for using a customer managed keys. For more information about
pricing, see AWS Key Management Service
Pricing
Create a customer managed key
You can create a symmetric customer managed key by using the AWS Management Console, or the AWS KMS APIs.
To create a symmetric customer managed key, follow the steps for Creating symmetric customer managed key in the AWS Key Management Service Developer Guide.
Key policy - key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see Managing access to customer managed keys in the AWS Key Management Service Developer Guide.
Note
If you use a customer managed key, be sure to tag the AWS KMS key with the key
EnableBedrock and a value of true. For more information, see
Tagging keys.
To use your customer managed key with your Amazon Bedrock Studio resources, the following API operations must be permitted in the key policy:
-
kms:CreateGrant – adds a grant to a customer managed key. Grants control access to a specified KMS key, which allows access to grant operations Amazon Bedrock Studio requires. For more information about Using Grants, see the AWS Key Management Service Developer Guide.
-
kms:DescribeKey – provides the customer managed key details to allow Amazon Bedrock Studio to validate the key.
-
kms:GenerateDataKey – returns a unique symmetric data key for use outside of AWS KMS.
-
kms:Decrypt – decrypts ciphertext that was encrypted by a KMS key.
The following is a policy statement example that you can add for Amazon Bedrock Studio. To use the policy, do the following:
-
Replace instances of
\{FIXME:REGION\}with the AWS Region that you are using and\{FIXME:ACCOUNT_ID\}with your AWS account ID. The invalid\characters in the JSON indicate where you need to make updates. For example"kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:\{FIXME:REGION\}:\{FIXME:ACCOUNT_ID\}:agent/*"would become"kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:use-east-1:111122223333:agent/*" -
Change
\{provisioning role name\}to the name of the provisioning role that you will use for the workspace that uses the key. Change
\{Admin Role Name\}to the name of the IAM role that will have administration privileges for the key.
{ "Version": "2012-10-17", "Statement": [{ "Sid": "Enable IAM User Permissions Based on Tags", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext", "kms:GenerateDataKeyWithoutPlaintext", "kms:Encrypt" ], "Resource": "\{FIXME:KMS_ARN\}", "Condition": { "StringEquals": { "aws:PrincipalTag/AmazonBedrockManaged": "true", "kms:CallerAccount" : "\{FIXME:ACCOUNT_ID\}" }, "StringLike": { "aws:PrincipalTag/AmazonDataZoneEnvironment": "*" } } }, { "Sid": "Allow Amazon Bedrock to encrypt and decrypt Agent resources on behalf of authorized users", "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "\{FIXME:KMS_ARN\}", "Condition": { "StringLike": { "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:\{FIXME:REGION\}:\{FIXME:ACCOUNT_ID\}:agent/*" } } }, { "Sid": "Allows AOSS list keys", "Effect": "Allow", "Principal": { "Service": "aoss.amazonaws.com" }, "Action": "kms:ListKeys", "Resource": "*" }, { "Sid": "Allows AOSS to create grants", "Effect": "Allow", "Principal": { "Service": "aoss.amazonaws.com" }, "Action": [ "kms:DescribeKey", "kms:CreateGrant" ], "Resource": "\{FIXME:KMS_ARN\}", "Condition": { "StringEquals": { "kms:ViaService": "aoss.\{FIXME:REGION\}.amazonaws.com" }, "Bool": { "kms:GrantIsForAWSResource": "true" } } }, { "Sid": "Enable Decrypt, GenerateDataKey for DZ execution role", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::\{FIXME:ACCOUNT_ID\}:root" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "\{FIXME:KMS_ARN\}", "Condition": { "StringLike": { "kms:EncryptionContext:aws:datazone:domainId": "*" } } }, { "Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RetireGrant" ], "Resource": "*", "Condition": { "StringLike": { "kms:CallerAccount": "\{FIXME:ACCOUNT_ID\}" }, "Bool": { "kms:GrantIsForAWSResource": "true" } } }, { "Sid": "AllowPermissionForEncryptedGuardrailsOnProvisioningRole", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::\{FIXME:ACCOUNT_ID\}:role/\{provisioning role name\}" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant", "kms:Encrypt" ], "Resource": "*" }, { "Sid": "Allow use of CMK to encrypt logs in their account", "Effect": "Allow", "Principal": { "Service": "logs.\{FIXME:REGION\}.amazonaws.com" }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo", "kms:GenerateDataKey", "kms:GenerateDataKeyPair", "kms:GenerateDataKeyPairWithoutPlaintext", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey" ], "Resource": "*", "Condition": { "ArnLike": { "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:\{FIXME:REGION\}:\{FIXME:ACCOUNT_ID\}:log-group:*" } } }, { "Sid": "Allow access for Key Administrators", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::\{FIXME:ACCOUNT_ID\}:role/\{Admin Role Name\}" }, "Action": [ "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion" ], "Resource": "*" } ] }
For more information about specifying permissions in a policy, see the AWS Key Management Service Developer Guide.
For more information about troubleshooting key access, see the AWS Key Management Service Developer Guide.
