Required Key policy elements to encrypt your model evaluation job using AWS KMS
Every AWS KMS key must have exactly one key policy. The statements in the key policy determine who has permission to use the AWS KMS key and how they can use it. You can also use IAM policies and grants to control access to the AWS KMS key, but every AWS KMS key must have a key policy.
Required AWS KMS key policy elements in Amazon Bedrock
- kms:Decrypt — For files that you've encrypted with your AWS Key Management Service key, provides Amazon Bedrock with permissions to access and decrypt those files.
- kms:GenerateDataKey — Controls permission to use the AWS Key Management Service key to generate data keys. Amazon Bedrock uses GenerateDataKey to encrypt the temporary data it stores for the evaluation job.
- kms:DescribeKey — Provides detailed information about a KMS key.
You must add the following statement to your existing AWS KMS key policy. It provides Amazon Bedrock with permissions to temporarily store your data in an Amazon Bedrock service bucket using the AWS KMS key that you've specified. The two condition keys restrict the grant to evaluation jobs in your own account and Region: the request must carry an encryption context naming one of your evaluation job ARNs, and it must originate from one of those jobs.
{
    "Effect": "Allow",
    "Principal": {
        "Service": "bedrock.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "StringLike": {
            "kms:EncryptionContext:evaluationJobArn": "arn:aws:bedrock:{{region}}:{{accountId}}:evaluation-job/*",
            "aws:SourceArn": "arn:aws:bedrock:{{region}}:{{accountId}}:evaluation-job/*"
        }
    }
}
The following is an example of a complete AWS KMS policy.
{
    "Version": "2012-10-17",
    "Id": "key-consolepolicy-3",
    "Statement": [
        {
            "Sid": "EnableIAMUserPermissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{{CustomerAccountId}}:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:evaluationJobArn": "arn:aws:bedrock:{{region}}:{{accountId}}:evaluation-job/*",
                    "aws:SourceArn": "arn:aws:bedrock:{{region}}:{{accountId}}:evaluation-job/*"
                }
            }
        }
    ]
}
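The following added example (not part of the AWS documentation) is an offline checker for the requirements above: it reads a key policy document and reports whether the statement for bedrock.amazonaws.com grants the three required actions and carries both ARN-scoped condition keys for your Region and account. The region, account ID and sample policies are constructed placeholders.

```python
import json

# Actions the page lists as required for Amazon Bedrock evaluation jobs.
REQUIRED_ACTIONS = {"kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"}
# Condition keys the page's statement uses to scope the grant to your own jobs.
REQUIRED_CONDITION_KEYS = ("kms:EncryptionContext:evaluationJobArn", "aws:SourceArn")
BEDROCK_SERVICE = "bedrock.amazonaws.com"


def _as_list(value):
    """IAM policy JSON allows a single string wherever a list is permitted."""
    return value if isinstance(value, list) else [value] if value is not None else []


def check_bedrock_kms_statement(policy_json, region, account_id):
    """Return findings for the Allow statement granted to bedrock.amazonaws.com.

    An empty list means the statement matches the page's requirements: the
    three KMS actions and both condition keys scoped to this account's
    evaluation-job ARNs. A missing statement is itself a finding.
    """
    policy = json.loads(policy_json)
    expected_arn = f"arn:aws:bedrock:{region}:{account_id}:evaluation-job/*"
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or BEDROCK_SERVICE not in services:
            continue
        findings = []
        actions = set(_as_list(stmt.get("Action")))
        if "kms:*" not in actions:  # a wildcard covers every required action
            findings += [f"missing action {a}" for a in sorted(REQUIRED_ACTIONS - actions)]
        # Flatten {operator: {key: value}} so keys can be checked regardless of operator.
        conditions = {k: v for op in stmt.get("Condition", {}).values() for k, v in op.items()}
        for key in REQUIRED_CONDITION_KEYS:
            if key not in conditions:
                findings.append(f"missing condition key {key}")
            elif any(v != expected_arn for v in _as_list(conditions[key])):
                findings.append(f"{key} is not scoped to {expected_arn}")
        return findings
    return [f"no Allow statement for {BEDROCK_SERVICE}"]


# Constructed sample policies: the page's statement with placeholder values filled in.
REGION, ACCOUNT = "us-east-1", "111122223333"
JOB_ARN = f"arn:aws:bedrock:{REGION}:{ACCOUNT}:evaluation-job/*"
GOOD_STATEMENT = {"Effect": "Allow", "Principal": {"Service": BEDROCK_SERVICE},
                  "Action": sorted(REQUIRED_ACTIONS), "Resource": "*",
                  "Condition": {"StringLike": {k: JOB_ARN for k in REQUIRED_CONDITION_KEYS}}}
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [GOOD_STATEMENT]})
# Same statement with the aws:SourceArn guard dropped.
WEAK_STATEMENT = {**GOOD_STATEMENT, "Condition": {"StringLike": {REQUIRED_CONDITION_KEYS[0]: JOB_ARN}}}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [WEAK_STATEMENT]})
```

Run it against the output of `aws kms get-key-policy --policy-name default` to confirm the statement is present and scoped before you start the evaluation job.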