This page is a machine translation of the English version. If there is any ambiguity or inconsistency, the English version prevails.
Permissions for agent memory
If you have enabled memory for your agent and encrypt agent sessions with a customer managed key, you must configure the following key policy and caller-identity IAM permissions so that the customer managed key can be used.
Customer managed key policy
Amazon Bedrock uses these permissions to generate an encrypted data key and then uses that data key to encrypt agent memory. Amazon Bedrock also needs permission to re-encrypt the generated data key under a different encryption context. The re-encrypt permission is also used when a customer managed key is transitioned to another customer managed key or to a service-owned key. In a key policy, "Resource": "*" refers only to the key the policy is attached to. For more information, see hierarchical keyrings.
Replace ${region}, ${account-id}, and ${caller-identity-role} with the appropriate values.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow access for bedrock to enable long term memory",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "bedrock.amazonaws.com"
        ]
      },
      "Action": [
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncrypt*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "${account-id}"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*"
        }
      }
    },
    {
      "Sid": "Allow the caller identity control plane permissions for long term memory",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account-id}:role/${caller-identity-role}"
      },
      "Action": [
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncrypt*"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*"
        }
      }
    },
    {
      "Sid": "Allow the caller identity data plane permissions to decrypt long term memory",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${account-id}:role/${caller-identity-role}"
      },
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*",
          "kms:ViaService": "bedrock.${region}.amazonaws.com"
        }
      }
    }
  ]
}
IAM permissions to encrypt and decrypt agent memory
The identity that calls the agent APIs needs the following IAM permissions to configure a KMS key for an agent with memory enabled. Amazon Bedrock Agents uses these permissions to confirm that the caller identity is itself authorized for the actions granted to it in the key policy above before the control-plane APIs configure the key. For the InvokeAgent API, Amazon Bedrock Agents uses the caller identity's kms:Decrypt permission to decrypt the memory.
Replace ${region}, ${account-id}, and ${key-id} with the appropriate values. Because the encryption context value ends in a wildcard, the condition must use StringLike, as in the key policy; StringEquals treats the asterisk as a literal character, so no real request would match and the call would be denied.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Bedrock agents control plane long term memory permissions",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncrypt*"
      ],
      "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*"
        }
      }
    },
    {
      "Sid": "Bedrock agents data plane long term memory permissions",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}",
      "Condition": {
        "StringLike": {
          "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*"
        }
      }
    }
  ]
}
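As an added example that is not part of this AWS page, the following Python renders both the key policy and the caller IAM policy above for one account and then checks them against constructed KMS request contexts with a small condition evaluator. The region, account ID, role name, key ID and agent-alias ARN are placeholders; the evaluator models only Allow statements and the three operators these policies use (ArnLike is approximated with glob matching), so it is an illustration of how the conditions behave, not a replacement for the IAM policy simulator. It also shows why the wildcard encryption-context condition needs StringLike: with the same policy rewritten to StringEquals, the caller's kms:Decrypt request matches no statement.

```python
"""Render the two agent-memory policies from this page and evaluate them against
constructed KMS request contexts. Added example, not AWS or Amazon Bedrock code:
every identifier is a placeholder, and the evaluator models only Allow statements
and the operators these policies use (ArnLike is approximated by glob matching)."""
import copy
import fnmatch

EC_KEY = "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn"
MEMORY_ACTIONS = ["kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"]

def render_key_policy(region, account_id, caller_role):
    """Key policy: the Bedrock service principal plus the caller role."""
    alias_pattern = f"arn:aws:bedrock:{region}:{account_id}:agent-alias/*"
    role_arn = f"arn:aws:iam::{account_id}:role/{caller_role}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Allow access for bedrock to enable long term memory",
         "Effect": "Allow", "Principal": {"Service": ["bedrock.amazonaws.com"]},
         "Action": MEMORY_ACTIONS, "Resource": "*",
         "Condition": {"StringEquals": {"aws:SourceAccount": account_id},
                       "ArnLike": {"aws:SourceArn": alias_pattern}}},
        {"Sid": "Allow the caller identity control plane permissions for long term memory",
         "Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": MEMORY_ACTIONS, "Resource": "*",
         "Condition": {"StringLike": {EC_KEY: alias_pattern}}},
        {"Sid": "Allow the caller identity data plane permissions to decrypt long term memory",
         "Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": ["kms:Decrypt"], "Resource": "*",
         "Condition": {"StringLike": {EC_KEY: alias_pattern,
                                      "kms:ViaService": f"bedrock.{region}.amazonaws.com"}}},
    ]}

def render_iam_policy(region, account_id, key_id):
    """Identity policy for the caller role, scoped to the one key ARN."""
    alias_pattern = f"arn:aws:bedrock:{region}:{account_id}:agent-alias/*"
    key_arn = f"arn:aws:kms:{region}:{account_id}:key/{key_id}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Bedrock agents control plane long term memory permissions",
         "Effect": "Allow", "Action": MEMORY_ACTIONS, "Resource": key_arn,
         "Condition": {"StringLike": {EC_KEY: alias_pattern}}},
        {"Sid": "Bedrock agents data plane long term memory permissions",
         "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": key_arn,
         "Condition": {"StringLike": {EC_KEY: alias_pattern}}},
    ]}

def condition_matches(condition, context):
    """Every operator/key pair must match; a key absent from the request never matches."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringLike", "ArnLike"):
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                return False
            matched = (context[key] == expected if operator == "StringEquals"  # '*' is literal
                       else fnmatch.fnmatchcase(context[key], expected))
            if not matched:
                return False
    return True

def principal_matches(statement, principal):
    """Key policy statements name a Principal; identity policy statements have none."""
    spec = statement.get("Principal")
    if spec is None or spec == "*":
        return True
    allowed = {k: ([v] if isinstance(v, str) else v) for k, v in spec.items()}
    return any(value in allowed.get(kind, []) for kind, value in principal.items())

def allowed_sids(policy, principal, action, context):
    """Sids of Allow statements matching the request (Deny and Resource not modelled)."""
    hits = []
    for st in policy["Statement"]:
        action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in st["Action"])
        if (st["Effect"] == "Allow" and action_ok and principal_matches(st, principal)
                and condition_matches(st.get("Condition", {}), context)):
            hits.append(st["Sid"])
    return hits

def with_string_equals(policy):
    """Copy of the policy with its wildcard conditions wrongly written as StringEquals."""
    broken = copy.deepcopy(policy)
    for st in broken["Statement"]:
        cond = st.get("Condition", {})
        if "StringLike" in cond:
            cond["StringEquals"] = {**cond.get("StringEquals", {}), **cond.pop("StringLike")}
    return broken

# Constructed placeholders; the agent-alias ARN is what Bedrock binds into the encryption context.
REGION, ACCOUNT, ROLE = "us-east-1", "111122223333", "AgentCallerRole"
ALIAS_ARN = f"arn:aws:bedrock:{REGION}:{ACCOUNT}:agent-alias/ABCDEFGHIJ/KLMNOPQRST"
CALLER = {"AWS": f"arn:aws:iam::{ACCOUNT}:role/{ROLE}"}
DECRYPT_CONTEXT = {EC_KEY: ALIAS_ARN, "kms:ViaService": f"bedrock.{REGION}.amazonaws.com"}
SERVICE_CONTEXT = {"aws:SourceAccount": ACCOUNT, "aws:SourceArn": ALIAS_ARN}

if __name__ == "__main__":
    key_policy = render_key_policy(REGION, ACCOUNT, ROLE)
    for label, policy in (("StringLike", key_policy), ("StringEquals", with_string_equals(key_policy))):
        print(f"caller kms:Decrypt with {label}:", allowed_sids(policy, CALLER, "kms:Decrypt", DECRYPT_CONTEXT))
```

Running the script prints the data-plane statement Sid for the StringLike variant and an empty list for the StringEquals variant. The service-principal statement only matches when the request carries aws:SourceAccount and aws:SourceArn, which the caller role's own requests do not, so the two halves of the key policy cannot be satisfied by the wrong party.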