01 Define the IAM policy that enables the selected users and/or roles to manage your new KMS Customer Managed Key (CMK), and to encrypt/decrypt your data using the KMS API. Create a new policy document (JSON format), name the file guardrail-kms-key-policy.json, and paste the following content (replace <aws-account-id> and <role-name> with your own AWS details):
{
  "Id": "aws-sagemaker-cmk-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<aws-account-id>:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<aws-account-id>:role/service-role/<role-name>"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion",
        "kms:RotateKeyOnDemand"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<aws-account-id>:role/service-role/<role-name>"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<aws-account-id>:role/service-role/<role-name>"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
02 Run the create-key command (OSX/Linux/UNIX) with the policy document created in the previous step (i.e. guardrail-kms-key-policy.json) as the value for the --policy parameter, to create your new Amazon KMS Customer Managed Key (CMK):
aws kms create-key \
  --region us-east-1 \
  --description 'KMS CMK for Amazon Bedrock guardrail encryption' \
  --policy file://guardrail-kms-key-policy.json \
  --query 'KeyMetadata.Arn'
03 The command output should return the ARN of the new Customer Managed Key (CMK):
"arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
04 Run the create-alias command (OSX/Linux/UNIX) to attach an alias to your new Customer Managed Key (CMK). The alias must start with the prefix "alias/" (the command does not produce any output):
aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/BedrockGuardrailCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
05 Run the update-guardrail command (OSX/Linux/UNIX) with the ARN of the Amazon Bedrock guardrail that you want to configure as the identifier parameter, to encrypt the selected guardrail with your new Amazon KMS Customer Managed Key (CMK). Use the --kms-key-id command parameter to specify the ARN of the Customer Managed Key (CMK) with which to encrypt your guardrail:
aws bedrock update-guardrail \
  --region us-east-1 \
  --guardrail-identifier arn:aws:bedrock:us-east-1:123456789012:guardrail/abcd1234abcd \
  --name tm-project5-ai-guardrail \
  --content-policy-config 'filtersConfig=[{type="VIOLENCE",inputStrength="HIGH",outputStrength="NONE"},{type="HATE",inputStrength="HIGH",outputStrength="NONE"}]' \
  --blocked-input-messaging "Sorry, the model cannot answer this question." \
  --blocked-outputs-messaging "Sorry, the model cannot answer this question." \
  --kms-key-id arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
06 The command output should return the identification details available for the configured guardrail:
{
  "guardrailId": "abcd1234abcd",
  "guardrailArn": "arn:aws:bedrock:us-east-1:123456789012:guardrail/abcd1234abcd",
  "version": "DRAFT",
  "updatedAt": "2024-06-10T12:06:16.668203+00:00"
}
07 Repeat steps no. 5 and 6 for each Amazon Bedrock guardrail available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.
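To verify that steps 5 to 8 were completed for every guardrail in every region, the following added script (not part of the original remediation steps) lists each region's guardrails with boto3, reads each DRAFT description with get_guardrail, and reports the ones whose kmsKeyArn is absent, i.e. still encrypted with the AWS-owned key. It assumes AWS credentials are already configured; the region list and the SAMPLE records are constructed for illustration.

```python
"""Audit Amazon Bedrock guardrails for Customer Managed Key (CMK) encryption."""
from typing import Dict, Iterable, List


def unencrypted_guardrails(guardrails: Iterable[Dict]) -> List[str]:
    """Return the ARNs of guardrail descriptions that carry no kmsKeyArn.

    Each item is a get-guardrail response; a guardrail on the AWS-owned key
    has no (or an empty) kmsKeyArn field.
    """
    return [g["guardrailArn"] for g in guardrails if not g.get("kmsKeyArn")]


def uses_expected_cmk(guardrail: Dict, expected_key_arn: str) -> bool:
    """True when the guardrail is encrypted with exactly the given CMK ARN."""
    return guardrail.get("kmsKeyArn") == expected_key_arn


def describe_guardrails(region: str) -> List[Dict]:
    """Fetch the DRAFT description of every guardrail in one region."""
    import boto3  # imported here so the pure helpers above run offline

    bedrock = boto3.client("bedrock", region_name=region)
    found, token = [], None
    while True:  # list_guardrails pages with nextToken
        kwargs = {"nextToken": token} if token else {}
        page = bedrock.list_guardrails(**kwargs)
        for summary in page["guardrails"]:
            found.append(bedrock.get_guardrail(
                guardrailIdentifier=summary["id"], guardrailVersion="DRAFT"))
        token = page.get("nextToken")
        if not token:
            return found


def audit(regions: Iterable[str]) -> Dict[str, List[str]]:
    """Map each region to the guardrail ARNs still on the AWS-owned key."""
    return {r: unencrypted_guardrails(describe_guardrails(r)) for r in regions}


# Constructed sample records mirroring the ARNs used in the steps above.
SAMPLE = [
    {"guardrailArn": "arn:aws:bedrock:us-east-1:123456789012:guardrail/abcd1234abcd",
     "kmsKeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"},
    {"guardrailArn": "arn:aws:bedrock:us-east-1:123456789012:guardrail/efgh5678efgh"},
]

if __name__ == "__main__":
    for region, arns in audit(["us-east-1", "us-west-2"]).items():
        for arn in arns:
            print(f"{region}: {arn} is not encrypted with a customer managed key")
```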