

This page is a machine-translated version. If the translation differs from the English original, the English original prevails.

# Encryption of Amazon Bedrock flow resources
<a name="encryption-flows"></a>

Amazon Bedrock always encrypts your data at rest. By default, Amazon Bedrock encrypts this data with an AWS managed key. Alternatively, you can encrypt the data with a customer managed key that you control.

For more information about AWS KMS keys, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.

If you use a customer managed KMS key to encrypt your data, you must set up the following identity-based and resource-based policies so that Amazon Bedrock can encrypt and decrypt the data on your behalf. Each statement grants only `kms:GenerateDataKey` and `kms:Decrypt`, on one key, and only when the request arrives through the Bedrock service (`kms:ViaService`) carrying the ARN of one flow in its encryption context.

1. Attach the following identity-based policy to the IAM role or user that has permissions to call the Amazon Bedrock flow APIs. This policy verifies that the principal making the Amazon Bedrock flow calls has the required KMS permissions. Replace *region*, *account-id*, *flow-id*, and *key-id* with the appropriate values.

------
#### [ JSON ]


   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "EncryptFlow",
               "Effect": "Allow",
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                       "kms:ViaService": "bedrock.${region}.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

------

1. Attach the following resource-based policy (key policy) to the KMS key. Narrow the scope of the permissions as needed; the first statement is the standard key-policy statement that grants the account root full access so that IAM policies in the account can grant access to the key. Replace *IAM-USER/ROLE-ARN*, *region*, *account-id*, *flow-id*, and *key-id* with the appropriate values.

------
#### [ JSON ]


   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "AllowRootModifyKMSId",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::${account-id}:root"
               },
               "Action": "kms:*",
               "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
           },
           {
               "Sid": "AllowRoleUseKMSKey",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "${IAM-USER/ROLE-ARN}"
               },
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                       "kms:ViaService": "bedrock.${region}.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

------

1. For [flow executions](flows-create-async.md), attach the following identity-based policy to the [service role that has permissions to create and manage flows](flows-permissions.md). This policy verifies that your service role has the required AWS KMS permissions. Replace *region*, *account-id*, *flow-id*, and *key-id* with the appropriate values.

------
#### [ JSON ]


   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "EncryptionFlows",
               "Effect": "Allow",
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:${region}:${account-id}:flow/${flow-id}",
                       "kms:ViaService": "bedrock.${region}.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

------
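The three steps above hand-edit the same values into three JSON documents, and a missing `Condition` or a `Resource` of `"*"` in any one of them silently widens the grant far beyond one flow. The script below is an added example, not AWS code and not part of this page: it generates the three policy documents from one set of values and then checks any policy (generated or hand-written) for statements that grant the two KMS actions without all three guards the page relies on (exact key ARN, flow ARN in the encryption context, `kms:ViaService`). The account ID, flow ID, key ID and the `FlowCaller` role name are constructed sample values; `build_policies` and `find_unscoped_grants` are this example's own helpers.

```python
import fnmatch
import json

# The two KMS actions Bedrock needs on the key, as in the page's policies.
KMS_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt")
FLOW_CONTEXT_KEY = "kms:EncryptionContext:aws:bedrock-flows:arn"


def flow_arn(region, account_id, flow_id):
    return f"arn:aws:bedrock:{region}:{account_id}:flow/{flow_id}"


def key_arn(region, account_id, key_id):
    return f"arn:aws:kms:{region}:{account_id}:key/{key_id}"


def scoped_statement(sid, region, account_id, flow_id, key_id, principal=None):
    """One Allow statement for the two KMS actions, pinned to a single key,
    a single flow (via encryption context) and to calls made through Bedrock."""
    stmt = {
        "Sid": sid,
        "Effect": "Allow",
        "Action": list(KMS_ACTIONS),
        "Resource": key_arn(region, account_id, key_id),
        "Condition": {
            "StringEquals": {
                FLOW_CONTEXT_KEY: flow_arn(region, account_id, flow_id),
                "kms:ViaService": f"bedrock.{region}.amazonaws.com",
            }
        },
    }
    if principal is not None:  # only the key policy carries a Principal
        stmt["Principal"] = {"AWS": principal}
    return stmt


def build_policies(region, account_id, flow_id, key_id, role_arn):
    """Return (caller identity policy, key policy, service-role identity policy):
    the documents of steps 1, 2 and 3, filled from one set of values."""
    args = (region, account_id, flow_id, key_id)
    caller_policy = {"Version": "2012-10-17",
                     "Statement": [scoped_statement("EncryptFlow", *args)]}
    key_policy = {"Version": "2012-10-17", "Statement": [
        {   # standard root statement: lets IAM policies in the account grant key access
            "Sid": "AllowRootModifyKMSId",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "kms:*",
            "Resource": key_arn(region, account_id, key_id),
        },
        scoped_statement("AllowRoleUseKMSKey", *args, principal=role_arn),
    ]}
    service_policy = {"Version": "2012-10-17",
                      "Statement": [scoped_statement("EncryptionFlows", *args)]}
    return caller_policy, key_policy, service_policy


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def find_unscoped_grants(policy, region, account_id, flow_id, key_id):
    """Return (Sid, reason) for every Allow statement that can grant a KMS action
    Bedrock uses without all three guards: exact key ARN, the flow's ARN in the
    encryption context, and kms:ViaService. The account-root statement of a key
    policy is skipped on purpose: it is the standard delegation to IAM policies."""
    expected = {
        FLOW_CONTEXT_KEY: flow_arn(region, account_id, flow_id),
        "kms:ViaService": f"bedrock.{region}.amazonaws.com",
    }
    root = f"arn:aws:iam::{account_id}:root"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and principal.get("AWS") == root:
            continue
        patterns = _as_list(stmt.get("Action"))
        # "kms:*" or "kms:Gen*" also covers the actions we care about
        if not any(fnmatch.fnmatchcase(a, p) for a in KMS_ACTIONS for p in patterns):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if _as_list(stmt.get("Resource")) != [key_arn(region, account_id, key_id)]:
            findings.append((sid, "Resource is not exactly the flow's KMS key"))
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if any(cond.get(k) != v for k, v in expected.items()):
            findings.append((sid, "missing or wrong StringEquals condition"))
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own region, account, flow, key and role.
    args = ("us-east-1", "123456789012", "ABCDEFGHIJ", "1234abcd-12ab-34cd-56ef-1234567890ab")
    role = "arn:aws:iam::123456789012:role/FlowCaller"
    for name, policy in zip(("caller", "key", "service"), build_policies(*args, role)):
        print(f"--- {name} policy ---")
        print(json.dumps(policy, indent=4))
        print("findings:", find_unscoped_grants(policy, *args))
```

The key policy is applied with `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://key.json`, and the two identity policies with `aws iam put-role-policy`. Because the condition pins the grant to one flow ARN, a role that runs several flows needs one statement per flow (or a `StringLike` pattern over the flow ARN, which the checker above would flag as not exactly scoped); running `find_unscoped_grants` against the live policy after every edit catches the case where someone drops the condition to "make it work".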