During the model evaluation job, Amazon Bedrock makes a copy of your data that exists temporarily. Amazon Bedrock deletes the data after the job finishes. It uses an AWS KMS key to encrypt it. It either uses an AWS KMS key that you specify or an Amazon Bedrock owned key to encrypt the data.
When you create a model evaluation job using the either the AWS Management Console, AWS CLI, or a supported AWS SDK you can choose to use an Amazon Bedrock owned KMS key or your own customer managed key. If no customer managed key is specified then an Amazon Bedrock owned key is used by default.
To use a customer managed key, you must add the required IAM actions and resources to the IAM service role's policy. You must also add the required AWS KMS key policy elements.
Topics
