本文為英文版的機器翻譯版本，如內容有任何歧義或不一致之處，概以英文版為準。

# Amazon Bedrock Flows 資源的加密
<a name="encryption-flows"></a>

Amazon Bedrock 會加密靜態資料。根據預設，Amazon Bedrock 會使用 AWS 受管金鑰加密此資料。或者，您可以使用客戶自管金鑰加密資料。

如需詳細資訊AWS KMS keys，請參閱《 *AWS Key Management Service開發人員指南*》中的[客戶受管金鑰](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk)。

如果使用自訂 KMS 金鑰加密資料，您必須設定下列身分型政策和資源型政策，以允許 Amazon Bedrock 代表您加密和解密資料。

1. 將下列身分型政策連接到 IAM 角色或具有撥打 Amazon Bedrock 流程 API 呼叫許可的使用者。此政策會驗證撥打 Amazon Bedrock 流程呼叫的使用者是否具有 KMS 許可。將 {{${region}}}、{{${account-id}}}、{{${flow-id}}} 和 {{${key-id}}} 取代為適當的值。

------
#### [ JSON ]

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Sid": "EncryptFlow",
               "Effect": "Allow",
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:{{us-east-1}}:{{123456789012}}:key/${key-id}",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:{{us-east-1}}:{{123456789012}}:flow/${flow-id}",
                       "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

------

1. 將下列的資源型政策連接至您的 KMS 金鑰。視需要變更許可權範圍。將 {{{IAM-USER/ROLE-ARN}}}、{{${region}}}、{{${account-id}}}、{{${flow-id}}} 和 {{${key-id}}} 取代為適當的值。

------
#### [ JSON ]

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Sid": "AllowRootModifyKMSId",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::{{123456789012}}:root"
               },
               "Action": "kms:*",
               "Resource": "arn:aws:kms:{{us-east-1}}:{{123456789012}}:key/KeyId"
           },
           {
               "Sid": "AllowRoleUseKMSKey",
               "Effect": "Allow",
               "Principal": {
                   "AWS": "arn:aws:iam::123456789012:role/RoleName"
               },
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:{{us-east-1}}:{{123456789012}}:key/${key-id}",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:{{us-east-1}}:{{123456789012}}:flow/FlowId",
                       "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

------

1. 對於[流程執行](flows-create-async.md)，請將下列身分型政策連接至[具有建立和管理流程許可的服務角色](flows-permissions.md)。此政策會驗證您的服務角色是否具有 AWS KMS許可。將 {{region}}、{{account-id}}、{{flow-id}} 和 {{key-id}} 取代為適當的值。

------
#### [ JSON ]

****  

   ```
   {
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Sid": "EncryptionFlows",
               "Effect": "Allow",
               "Action": [
                   "kms:GenerateDataKey",
                   "kms:Decrypt"
               ],
               "Resource": "arn:aws:kms:{{us-east-1}}:{{123456789012}}:key/{{key-id}}",
               "Condition": {
                   "StringEquals": {
                       "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:{{us-east-1}}:{{123456789012}}:flow/{{flow-id}}",
                       "kms:ViaService": "bedrock.{{us-east-1}}.amazonaws.com"
                   }
               }
           }
       ]
   }
   ```

------