Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Encryption of Amazon Bedrock Flows resources

PDF
RSS
Focus mode
Encryption of Amazon Bedrock Flows resources - Amazon Bedrock

Amazon Bedrock encrypts your data at rest. By default, Amazon Bedrock encrypts this data using an AWS managed key. Optionally, you can encrypt the data using a customer managed key.

For more information about AWS KMS keys, see Customer managed keys in the AWS Key Management Service Developer Guide.

If you encrypt data with a custom KMS key, you must set up the following identity-based policy and resource-based policy to allow Amazon Bedrock to encrypt and decrypt data on your behalf.

  1. Attach the following identity-based policy to an IAM role or user with permissions to make Amazon Bedrock Flows API calls. This policy validates the user making Amazon Bedrock Flows calls has KMS permissions. Replace the ${region}, ${account-id}, ${flow-id}, and ${key-id} with the appropriate values.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Amazon Bedrock Flows to encrypt and decrypt data",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                    "kms:ViaService": "bedrock.${region}.amazonaws.com"
                }
            }
        }
    ]
}

  2. Attach the following resource-based policy to your KMS key. Change the scope of the permissions as necessary. Replace the {IAM-USER/ROLE-ARN}, ${region}, ${account-id}, ${flow-id}, and ${key-id} with the appropriate values.

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${account-id}:root"
            },
            "Action": "kms:*",
            "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
        },
        {
            "Sid": "Allow the IAM user or IAM role of Flows API caller to use the key to encrypt and decrypt data.",
            "Effect": "Allow",
            "Principal": {
                "AWS": "{IAM-USER/ROLE-ARN}"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt",
            ],
            "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                    "kms:ViaService": "bedrock.${region}.amazonaws.com"
                }
            }
        }
    ]
}

Related resources

Amazon Bedrock API Reference
AWS CLI commands for Amazon Bedrock
SDKs & Tools 

Related resources

Amazon Bedrock API Reference
AWS CLI commands for Amazon Bedrock
SDKs & Tools 
PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.