This page is a machine-translated version. If this translation differs from the English original, the English original takes precedence.
When you use an AWS KMS customer managed key with your Amazon Bedrock resources, you can use AWS CloudTrail or Amazon CloudWatch Logs to track the requests that Amazon Bedrock sends to AWS KMS.
The following is an example AWS CloudTrail event for the AWS KMS CreateGrant operation that Amazon Bedrock calls to create the primary grant on the key. Note the identity fields: the call is made by the model import role that Bedrock assumed on your behalf (invokedBy is bedrock.amazonaws.com), the grantee principal is the Bedrock service itself, and the grant covers only Decrypt, CreateGrant, GenerateDataKey and DescribeKey:
{
  "eventVersion": "1.09",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "AROAIGDTESTANDEXAMPLE:SampleUser01",
    "arn": "arn:aws:sts::111122223333:assumed-role/RoleForModelImport/SampleUser01",
    "accountId": "111122223333",
    "accessKeyId": "EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "AROAIGDTESTANDEXAMPLE",
        "arn": "arn:aws:iam::111122223333:role/RoleForModelImport",
        "accountId": "111122223333",
        "userName": "RoleForModelImport"
      },
      "attributes": {
        "creationDate": "2024-05-07T21:46:28Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "bedrock.amazonaws.com"
  },
  "eventTime": "2024-05-07T21:49:44Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "bedrock.amazonaws.com",
  "userAgent": "bedrock.amazonaws.com",
  "requestParameters": {
    "granteePrincipal": "bedrock.amazonaws.com",
    "retiringPrincipal": "bedrock.amazonaws.com",
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE",
    "operations": [
      "Decrypt",
      "CreateGrant",
      "GenerateDataKey",
      "DescribeKey"
    ]
  },
  "responseElements": {
    "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
    "keyId": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
  },
  "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "eventID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
  "readOnly": false,
  "resources": [
    {
      "accountId": "111122223333",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "111122223333",
  "eventCategory": "Management"
}
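The event above is what a healthy model import looks like in the trail; what a detection engineer wants is the inverse, a check that flags CreateGrant calls on the key that do not match it. The following Python script is an added example, not code from the AWS documentation. It scans CloudTrail records for CreateGrant on the monitored key and reports grants that were not made through the Bedrock service (no invokedBy), grants whose grantee is not bedrock.amazonaws.com, grants carrying operations beyond the four in the documented event, and failed CreateGrant calls. The records it scans are constructed for the demo: the first mirrors the documented event, the others are hypothetical anomalies, and the IAM user ARN in the second record is made up.

```python
"""Flag unexpected CreateGrant activity on a Bedrock customer managed key.

Added example, not code from the AWS documentation. The sample records at the
bottom are constructed; the key ARN and the import role ARN are the
placeholder values used in the documented event.
"""
import json

BEDROCK_SERVICE = "bedrock.amazonaws.com"
# Operations present in the documented CreateGrant event.
EXPECTED_GRANT_OPS = {"Decrypt", "CreateGrant", "GenerateDataKey", "DescribeKey"}
MONITORED_KEY = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"


def parse_trail_file(text):
    """CloudTrail log files delivered to S3 wrap the records as {"Records": [...]}."""
    return json.loads(text).get("Records", [])


def check_create_grant(event, monitored_key=MONITORED_KEY):
    """Return findings for one record; [] means not relevant or shaped as documented."""
    if event.get("eventSource") != "kms.amazonaws.com" or event.get("eventName") != "CreateGrant":
        return []
    params = event.get("requestParameters") or {}
    if params.get("keyId") != monitored_key:
        return []

    findings = []
    identity = event.get("userIdentity") or {}
    # In the documented event the import role is assumed by the Bedrock service.
    # A CreateGrant from the same role without invokedBy is a human or script
    # exercising the role's kms:CreateGrant permission directly.
    if identity.get("invokedBy") != BEDROCK_SERVICE:
        findings.append(f"grant not created via {BEDROCK_SERVICE}: caller {identity.get('arn')}")
    if params.get("granteePrincipal") != BEDROCK_SERVICE:
        findings.append(f"grantee is not the Bedrock service: {params.get('granteePrincipal')}")
    extra = set(params.get("operations") or []) - EXPECTED_GRANT_OPS
    if extra:
        findings.append(f"grant allows operations beyond the documented set: {sorted(extra)}")
    if event.get("errorCode"):
        # A denied CreateGrant usually means the key policy lacks kms:CreateGrant
        # for the import role, so the import job itself will fail.
        findings.append(f"CreateGrant failed with {event['errorCode']}")
    return findings


def scan_trail(records, monitored_key=MONITORED_KEY):
    """Map eventID -> findings for every record that produced at least one."""
    results = {}
    for rec in records:
        findings = check_create_grant(rec, monitored_key)
        if findings:
            results[rec.get("eventID")] = findings
    return results


IMPORT_ROLE_SESSION = "arn:aws:sts::111122223333:assumed-role/RoleForModelImport/SampleUser01"


def _grant_record(event_id, invoked_by, grantee, ops, caller=IMPORT_ROLE_SESSION):
    """Build a trimmed CloudTrail record (constructed test data, not a real trail)."""
    identity = {"type": "AssumedRole", "arn": caller}
    if invoked_by:
        identity["invokedBy"] = invoked_by
    return {
        "eventSource": "kms.amazonaws.com",
        "eventName": "CreateGrant",
        "eventID": event_id,
        "userIdentity": identity,
        "requestParameters": {
            "granteePrincipal": grantee,
            "retiringPrincipal": grantee,
            "keyId": MONITORED_KEY,
            "operations": ops,
        },
    }


SAMPLE_RECORDS = [
    # Mirrors the documented event: via Bedrock, grantee is Bedrock, four operations.
    _grant_record("evt-documented", BEDROCK_SERVICE, BEDROCK_SERVICE,
                  ["Decrypt", "CreateGrant", "GenerateDataKey", "DescribeKey"]),
    # Someone holding the import role hands a grant to an IAM user (hypothetical ARN).
    _grant_record("evt-direct", None, "arn:aws:iam::111122223333:user/SampleUser01", ["Decrypt"]),
    # Made via Bedrock but with operations the documented grant never requests.
    _grant_record("evt-broad", BEDROCK_SERVICE, BEDROCK_SERVICE,
                  ["Decrypt", "Encrypt", "ReEncryptFrom"]),
    # Unrelated record, ignored by the scan.
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "eventID": "evt-sts"},
]

if __name__ == "__main__":
    for event_id, findings in scan_trail(SAMPLE_RECORDS).items():
        print(event_id, *findings, sep="\n  ")
```

In production you would feed parse_trail_file the objects CloudTrail delivers to S3 (or the same records from a CloudWatch Logs subscription) and route any non-empty result to your alerting pipeline; the scan ignores everything that is not a CreateGrant on the monitored key, so it is cheap to run over a whole trail.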
Follow the steps in Creating a key policy to attach the following resource-based policy to the KMS key. The policy contains two statements:
- Permissions for the roles that encrypt the model customization artifacts. Add the ARNs of your custom model import builder roles to the Principal field. These roles need kms:Decrypt, kms:GenerateDataKey, kms:DescribeKey and kms:CreateGrant, the same operations that appear in the grant Bedrock creates.
- Permissions for the roles that use the imported custom model for inference. Add the ARNs of your custom model user roles to the Principal field. These roles need only kms:Decrypt.
{
  "Version": "2012-10-17",
  "Id": "KMS Key Policy",
  "Statement": [
    {
      "Sid": "Permissions for imported model builders",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:user/role"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey",
        "kms:CreateGrant"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Permissions for imported model users",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account-id:user/role"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
  ]
}
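Key policies drift: statements get added during testing and never removed, and a user role that accumulates kms:CreateGrant can mint grants on the model key itself. The following Python linter is an added example, not AWS code. It checks an existing key policy against the shape described above: every builder role is allowed exactly the four listed actions, every user role is allowed kms:Decrypt and nothing more, no Allow statement opens the key to a wildcard principal without a Condition, and kms:* goes only to the account root principal (the "Enable IAM User Permissions" statement that the default key policy carries). The policy and the role ARNs below are constructed for the demo, and the last statement is a deliberate mistake so the linter has something to report.

```python
"""Lint a KMS key policy against the custom model import pattern shown above.

Added example, not AWS code. The sample policy and role ARNs are constructed;
the account ID is the placeholder from the documentation.
"""
import json

BUILDER_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant"}
USER_ACTIONS = {"kms:Decrypt"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Principal can be {"AWS": arn}, {"AWS": [arns]} or the bare string "*"."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def lint_key_policy(policy, builder_roles, user_roles):
    """Return a list of findings; an empty list means the policy matches the documented shape."""
    findings = []
    granted = {arn: set() for arn in list(builder_roles) + list(user_roles)}

    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _aws_principals(stmt)
        actions = set(_as_list(stmt.get("Action")))

        if "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: allows any AWS principal without a Condition")
        # kms:* is expected for the account root statement only.
        if actions & {"*", "kms:*"} and any(not p.endswith(":root") for p in principals):
            findings.append(f"{sid}: grants all KMS actions to a non-root principal")
        for arn in principals:
            if arn in granted:
                granted[arn] |= actions

    for arn in builder_roles:
        missing = BUILDER_ACTIONS - granted[arn]
        extra = granted[arn] - BUILDER_ACTIONS
        if missing:
            findings.append(f"builder {arn} lacks {sorted(missing)}")
        if extra:
            findings.append(f"builder {arn} has actions beyond the builder set: {sorted(extra)}")
    for arn in user_roles:
        extra = granted[arn] - USER_ACTIONS
        if "kms:Decrypt" not in granted[arn]:
            findings.append(f"user {arn} cannot kms:Decrypt")
        if extra:
            findings.append(f"user {arn} has actions beyond kms:Decrypt: {sorted(extra)}")
    return findings


def lint_key_policy_document(policy_json, builder_roles, user_roles):
    """Same check on the JSON string form that kms:GetKeyPolicy returns."""
    return lint_key_policy(json.loads(policy_json), builder_roles, user_roles)


ACCOUNT = "111122223333"
# Constructed role ARNs for the demo.
BUILDER_ROLES = [f"arn:aws:iam::{ACCOUNT}:role/RoleForModelImport",
                 f"arn:aws:iam::{ACCOUNT}:role/MLPlatformBuilder"]
USER_ROLES = [f"arn:aws:iam::{ACCOUNT}:role/InferenceApp"]

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "KMS Key Policy",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Permissions for imported model builders", "Effect": "Allow",
         "Principal": {"AWS": BUILDER_ROLES},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey", "kms:CreateGrant"],
         "Resource": "*"},
        {"Sid": "Permissions for imported model users", "Effect": "Allow",
         "Principal": {"AWS": USER_ROLES}, "Action": "kms:Decrypt", "Resource": "*"},
        # Deliberate mistake: a leftover statement lets the inference role mint grants.
        {"Sid": "Leftover from testing", "Effect": "Allow",
         "Principal": {"AWS": USER_ROLES[0]}, "Action": ["kms:CreateGrant"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_key_policy(SAMPLE_POLICY, BUILDER_ROLES, USER_ROLES):
        print(finding)
```

The builder statement in the sample uses a list under "AWS", which is how you add several role ARNs to the Principal field; the linter accumulates actions per role across all statements, so a role that is over-privileged through a second statement is caught even when the documented statements themselves are correct.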