01 Sign in to the AWS Management Console.
02 To create your own KMS Customer Managed Key (CMK), navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms/.
03 In the main navigation panel, choose Customer managed keys.
04 Choose Create Key to initiate the key setup process.
05 For Step 1 Configure key, perform the following actions:
- Choose Symmetric for Key type.
- Select KMS for Key usage.
- Choose Advanced options, select KMS - recommended for Key material origin, and choose whether to allow your KMS key to be replicated into other AWS cloud regions. If Single-Region key is selected, the AWS region must match the region of your knowledge base data sources.
- Select Next to continue the key setup process.
06 For Step 2 Add labels, provide the following details:
- Provide a unique name (alias) for your KMS key in the Alias box.
- (Optional) Enter a short description in the Description box.
- (Optional) Choose Add tag from the Tags - optional section to create any necessary tag sets. Tags can be used to categorize and identify your KMS keys and help you track your AWS costs.
- Select Next to continue the setup.
07 For Step 3 Define key administrative permissions, perform the following operations:
- For Key administrators, select which IAM users and/or roles can administer your new key through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS Management Console.
- For Key deletion, choose whether to allow key administrators to delete your KMS key.
- Select Next to continue the setup process.
08 For Step 4 Define key usage permissions, perform the following actions:
- For Key users, select which IAM users and/or roles can use your KMS key in cryptographic operations.
- (Optional) For Other AWS accounts section, specify the AWS accounts that can use your key. To configure cross-account access, choose Add another AWS account and enter the ID of the AWS cloud account that can use your KMS key for cryptographic operations. The administrators of the AWS accounts you specify at this step are responsible for managing the permissions that allow their IAM users and/or roles to use your key.
- Select Next to continue the setup.
09 For Step 5 Review, review the key configuration and key policy, then choose Finish to create your new Amazon KMS Customer Managed Key (CMK).
10 Once your new KMS Customer Managed Key (CMK) is available, navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.
11 In the main navigation panel, under Builder tools, select Knowledge bases.
12 Select the Knowledge bases tab to list the Amazon Bedrock knowledge bases available in the current AWS cloud region.
13 Click on the name (link) of the knowledge base that you want to access, available in the Name column.
14 In the Data source section, select the knowledge base data source that you want to configure, and choose Edit.
15 Choose Advanced settings - optional, select Customize encryption settings (Advanced) under KMS Key for transient data storage, and choose the ID of the Amazon KMS Customer Managed Key (CMK) created earlier in the Remediation process, from the Choose an AWS KMS key - optional dropdown list.
16 Choose Submit to apply the configuration changes.
17 Repeat steps no. 14 - 16 for each data source configured for the selected knowledge base.
18 Repeat steps no. 13 - 17 for each Amazon Bedrock knowledge base available in the selected AWS region.
19 Change the AWS cloud region from the navigation bar to repeat the Remediation process for other regions.