This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.
Amazon Bedrock encrypts your data at rest. By default, Amazon Bedrock encrypts this data with an AWS managed key. Optionally, you can encrypt the data with a customer managed key instead.
For more information about AWS KMS keys, see Customer managed keys in the AWS Key Management Service Developer Guide.
If you encrypt the data with a customer managed KMS key, you must set up both of the following policies, an identity-based policy on the caller and a resource-based policy on the key, so that Amazon Bedrock can encrypt and decrypt the data on your behalf. Both policies grant only `kms:GenerateDataKey` and `kms:Decrypt`, and both scope that grant with two conditions: `kms:ViaService` restricts use of the key to requests that arrive through the Amazon Bedrock service endpoint of the Region, and `kms:EncryptionContext:aws:bedrock-flows:arn` restricts it to the one flow named in the encryption context, so the key cannot be used for other flows or by a principal calling KMS directly. The `StringEquals` test binds the key to a single flow; if one key is meant to serve every flow in the account, use `StringLike` with a wildcard in the flow-id position of the ARN instead.
- Attach the following identity-based policy to the IAM role or user that is allowed to call the Amazon Bedrock Flows API. This policy confirms that the principal making the Flows calls has the KMS permissions. Replace `${region}`, `${account-id}`, `${flow-id}` and `${key-id}` with the appropriate values.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Allow Amazon Bedrock Flows to encrypt and decrypt data",
        "Effect": "Allow",
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt"
        ],
        "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
        "Condition": {
          "StringEquals": {
            "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
            "kms:ViaService": "bedrock.${region}.amazonaws.com"
          }
        }
      }
    ]
  }
  ```
- Attach the following resource-based policy (key policy) to the KMS key. Narrow the permissions further as needed. Replace `{IAM-USER/ROLE-ARN}`, `${region}`, `${account-id}`, `${flow-id}` and `${key-id}` with the appropriate values. (The original listing had a trailing comma after `"kms:Decrypt"`, which is invalid JSON and is rejected by KMS; it is removed here.)

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Allow account root to modify the KMS key, not used by Amazon Bedrock.",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::${account-id}:root"
        },
        "Action": "kms:*",
        "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
      },
      {
        "Sid": "Allow the IAM user or IAM role of Flows API caller to use the key to encrypt and decrypt data.",
        "Effect": "Allow",
        "Principal": {
          "AWS": "{IAM-USER/ROLE-ARN}"
        },
        "Action": [
          "kms:GenerateDataKey",
          "kms:Decrypt"
        ],
        "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
        "Condition": {
          "StringEquals": {
            "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
            "kms:ViaService": "bedrock.${region}.amazonaws.com"
          }
        }
      }
    ]
  }
  ```
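The following is an added example, not code from the AWS documentation, that fills the placeholders of both policies above from a set of parameters and then lints the resulting key policy: it confirms that the Flows caller is granted exactly `kms:GenerateDataKey` and `kms:Decrypt` on the key under both Bedrock conditions, that `kms:*` goes to nobody but the account root, and that a hand-edited policy is still strict JSON (the trailing-comma mistake). The helper names (`build_policies`, `check_key_policy`, `is_valid_policy_json`) and the sample Region, account ID, flow ID, key ID and role ARN are constructed for illustration and are not real resources.

```python
import json

# Added example, not AWS documentation code. All helper names and the sample
# identifiers at the bottom are constructed for illustration.

REQUIRED_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt"}


def key_arn(region, account_id, key_id):
    return f"arn:aws:kms:{region}:{account_id}:key/{key_id}"


def flow_arn(region, account_id, flow_id):
    return f"arn:aws:bedrock:{region}:{account_id}:flow/{flow_id}"


def bedrock_conditions(region, account_id, flow_id):
    """The two conditions from the page: key use only through the Bedrock service
    endpoint of this Region, and only with the encryption context of this flow."""
    return {
        "StringEquals": {
            "kms:EncryptionContext:aws:bedrock-flows:arn": flow_arn(region, account_id, flow_id),
            "kms:ViaService": f"bedrock.{region}.amazonaws.com",
        }
    }


def build_policies(region, account_id, flow_id, key_id, caller_arn):
    """Return (identity_policy, key_policy) dicts with the page's placeholders filled in."""
    karn = key_arn(region, account_id, key_id)
    identity_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowBedrockFlowsToEncryptAndDecrypt",
            "Effect": "Allow",
            "Action": sorted(REQUIRED_ACTIONS),
            "Resource": karn,
            "Condition": bedrock_conditions(region, account_id, flow_id),
        }],
    }
    key_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {   # key administration stays with the account root; Bedrock never uses this
                "Sid": "AllowAccountRootToAdministerKey",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": karn,
            },
            {   # the Flows caller gets only the two data-key operations, under both conditions
                "Sid": "AllowFlowsCallerToUseKey",
                "Effect": "Allow",
                "Principal": {"AWS": caller_arn},
                "Action": sorted(REQUIRED_ACTIONS),
                "Resource": karn,
                "Condition": bedrock_conditions(region, account_id, flow_id),
            },
        ],
    }
    return identity_policy, key_policy


def is_valid_policy_json(text):
    """Strict parse: a stray trailing comma fails here, just as KMS rejects it."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def _as_set(value):
    return {value} if isinstance(value, str) else set(value)


def check_key_policy(policy, caller_arn, region, account_id, flow_id, key_id):
    """Lint a key policy against the documented shape; an empty list means it matches."""
    findings = []
    root = f"arn:aws:iam::{account_id}:root"
    karn = key_arn(region, account_id, key_id)
    expected = bedrock_conditions(region, account_id, flow_id)
    caller_ok = False
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        pr = st.get("Principal", {})
        principals = {"*"} if pr == "*" else _as_set(pr.get("AWS", []))
        actions = _as_set(st.get("Action", []))
        if caller_arn in principals:
            if (actions == REQUIRED_ACTIONS and st.get("Resource") == karn
                    and st.get("Condition") == expected):
                caller_ok = True
            else:
                findings.append(f"{sid}: caller statement is not limited to "
                                f"{sorted(REQUIRED_ACTIONS)} on {karn} with both Bedrock conditions")
        for p in principals - {root, caller_arn}:
            findings.append(f"{sid}: unexpected principal {p}")
        if "kms:*" in actions and principals != {root}:
            findings.append(f"{sid}: kms:* granted to a principal other than the account root")
    if not caller_ok:
        findings.append("no statement grants the Flows caller the documented scoped permissions")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    args = ("us-east-1", "123456789012", "EXAMPLEFLOW", "1234abcd-12ab-34cd-56ef-1234567890ab")
    caller = "arn:aws:iam::123456789012:role/BedrockFlowsCaller"
    identity_policy, key_policy = build_policies(*args, caller)
    print(json.dumps(key_policy, indent=2))
    print("findings:", check_key_policy(key_policy, caller, *args))
```

Run it to print the filled-in key policy and an empty findings list. Dropping `kms:ViaService` from the caller statement, or widening its `Action` to `kms:*`, produces findings, which is the check worth running on any key policy that has been edited by hand before you attach it with the KMS console or `PutKeyPolicy`.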