Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™

Encrypt Bedrock Managed Prompts with Customer-Managed Keys

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon Bedrock Managed Prompts (prompt resources created and stored using Bedrock Prompt management) are encrypted using Amazon KMS Customer-Managed Keys (CMKs) instead of the default AWS-managed key. Prompt templates created with Prompt management contain the core instructions, system prompts, variables, and (optionally) tool configurations that shape foundation model behavior across your application.

Security

Prompt templates often encode sensitive business logic, proprietary instructions, guardrail-bypassing safety language, or references to internal systems and data. An identity or automation with the bedrock:UpdatePrompt permission can modify a prompt's template directly, for example injecting malicious instructions that alter model behavior across every workflow that consumes the prompt. Using your own Amazon KMS Customer-Managed Key (CMK) to encrypt your Managed Prompts provides an additional layer of protection: you can enforce strict key policies to control precisely which principals can use the key to encrypt or decrypt prompt data, you can disable or revoke the key independently of the Bedrock resource to immediately cut off access, and every use of the key is recorded in AWS CloudTrail, giving you an audit trail of all encryption and decryption operations performed against your prompt data.


Audit

To determine if your Amazon Bedrock Managed Prompts are encrypted using KMS Customer-Managed Keys (CMKs), perform the following operations:

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

  3. In the main navigation panel, under Build, select Prompt Management.

  4. In the Prompts section, click on the name (link) of the prompt that you want to examine, available in the Name column.

  5. On the Prompt details page, in the Overview section, check the Encryption settings field. If the value is Customer managed (accompanied by a Customer Key ARN value), the selected prompt is encrypted with a Customer-Managed Key (CMK). If the Encryption settings value is AWS managed, the selected prompt is encrypted using the default AWS-managed key rather than a Customer-Managed Key (CMK), and it is non-compliant.

  6. Repeat steps no. 4 and 5 for each Amazon Bedrock prompt available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Using AWS CLI

  1. Run list-prompts command (OSX/Linux/UNIX) to list the identifier (ID) of each Amazon Bedrock Managed Prompt available in the selected AWS cloud region:

    aws bedrock-agent list-prompts
      --region us-east-1
      --query 'promptSummaries[*].id'
    
  2. The command output should return the requested prompt identifiers (IDs):

    [
    	"PROMPT12345",
    	"PROMPT67890"
    ]
    
  3. Run get-prompt command (OSX/Linux/UNIX) with the ID of the Amazon Bedrock prompt that you want to examine as the identifier parameter and a custom output filter to describe the ARN of the KMS key used to encrypt the selected prompt:

    aws bedrock-agent get-prompt
      --region us-east-1
      --prompt-identifier PROMPT12345
      --query 'customerEncryptionKeyArn'
    
  4. The command output should return the ARN of the KMS key used to encrypt the selected prompt:

    "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd"
    

    If instead the get-prompt command output returns null, the selected Amazon Bedrock prompt is encrypted using the default AWS-managed key rather than a Customer-Managed Key (CMK), and it is non-compliant:

    null
    
  5. Repeat steps no. 3 and 4 for each Amazon Bedrock Managed Prompt available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat steps no. 1 - 5 to perform the Audit process for other regions.

Remediation / Resolution

To encrypt your Amazon Bedrock Managed Prompts with your own KMS Customer-Managed Key (CMK), create a CMK (if you don't already have one) and update each non-compliant prompt to use it, by performing the following operations:

Managed Prompts support changing the KMS key without recreating the prompt: the UpdatePrompt API and update-prompt CLI command accept a customerEncryptionKeyArn parameter directly. However, update-prompt performs a full replacement of the prompt configuration (an HTTP PUT) — the AWS documentation instructs you to "include both fields that you want to keep and fields that you want to replace." Only --prompt-identifier and --name are required parameters, but any field you omit (--variants, --default-variant, --description) is removed from the prompt. Because --variants holds the prompt's actual template content, you must re-supply it (along with --default-variant) or the prompt template will be wiped. Before running update-prompt, use get-prompt to retrieve the prompt's current name, defaultVariant, and variants, then re-supply them alongside the new --customer-encryption-key-arn.

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. To create your own KMS Customer-Managed Key (CMK), navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms/.

  3. In the main navigation panel, choose Customer managed keys.

  4. Choose Create Key to initiate the key setup process.

  5. For Step 1 Configure key, choose Symmetric for Key type and Encrypt and decrypt for Key usage, then select Next.

  6. For Step 2 Add labels, provide a unique name (alias) for your KMS key in the Alias box, then select Next.

  7. For Step 3 Define key administrative permissions, select the IAM users and/or roles that can administer the key, then select Next.

  8. For Step 4 Define key usage permissions, select the IAM users and/or roles (including the Amazon Bedrock service role) that can use your KMS key in cryptographic operations, then select Next.

  9. For Step 5 Review, review the key configuration and key policy, then choose Finish to create your new Amazon KMS Customer-Managed Key (CMK).

  10. Once your new KMS CMK is available, navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

  11. In the main navigation panel, under Build, select Prompt Management.

  12. In the Prompts section, click on the name (link) of the non-compliant prompt that you want to configure, available in the Name column (see Audit section to identify the right resource).

  13. Choose Edit to modify the prompt's configuration.

  14. In the KMS key selection section, choose Customize encryption settings (advanced), then select the Customer-Managed Key (CMK) created earlier in the Remediation process from the Choose an AWS KMS key dropdown list.

  15. Choose Save to apply the new encryption configuration to the prompt.

  16. Repeat steps no. 12 - 15 for each Amazon Bedrock Managed Prompt that you want to re-encrypt with a Customer-Managed Key (CMK), available in the current AWS region.

  17. Change the AWS cloud region from the navigation bar to repeat the Remediation process for other regions.

Using AWS CLI

  1. Run get-prompt command (OSX/Linux/UNIX) with the ID of the non-compliant prompt as the identifier parameter to retrieve its current configuration. Capture the name, defaultVariant, and variants values — all of which must be re-supplied in the following update-prompt request, since it replaces the entire prompt:

    aws bedrock-agent get-prompt
      --region us-east-1
      --prompt-identifier PROMPT12345
      --query '{name:name,defaultVariant:defaultVariant,variants:variants}'
    
  2. The command output should return the prompt's current name, default variant, and variants (the template content):

    {
    	"name": "tm-project5-managed-prompt",
    	"defaultVariant": "default",
    	"variants": [
    		{
    			"name": "default",
    			"templateType": "TEXT",
    			"modelId": "amazon.titan-text-premier-v1:0",
    			"templateConfiguration": {
    				"text": {
    					"text": "Summarize the following in  words or less: 
    
    			
    1. Sign in to the AWS Management Console.

    2. To create your own KMS Customer-Managed Key (CMK), navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms/.

    3. In the main navigation panel, choose Customer managed keys.

    4. Choose Create Key to initiate the key setup process.

    5. For Step 1 Configure key, choose Symmetric for Key type and Encrypt and decrypt for Key usage, then select Next.

    6. For Step 2 Add labels, provide a unique name (alias) for your KMS key in the Alias box, then select Next.

    7. For Step 3 Define key administrative permissions, select the IAM users and/or roles that can administer the key, then select Next.

    8. For Step 4 Define key usage permissions, select the IAM users and/or roles (including the Amazon Bedrock service role) that can use your KMS key in cryptographic operations, then select Next.

    9. For Step 5 Review, review the key configuration and key policy, then choose Finish to create your new Amazon KMS Customer-Managed Key (CMK).

    10. Once your new KMS CMK is available, navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

    11. In the main navigation panel, under Build, select Prompt Management.

    12. In the Prompts section, click on the name (link) of the non-compliant prompt that you want to configure, available in the Name column (see Audit section to identify the right resource).

    13. Choose Edit to modify the prompt's configuration.

    14. In the KMS key selection section, choose Customize encryption settings (advanced), then select the Customer-Managed Key (CMK) created earlier in the Remediation process from the Choose an AWS KMS key dropdown list.

    15. Choose Save to apply the new encryption configuration to the prompt.

    16. Repeat steps no. 12 - 15 for each Amazon Bedrock Managed Prompt that you want to re-encrypt with a Customer-Managed Key (CMK), available in the current AWS region.

    17. Change the AWS cloud region from the navigation bar to repeat the Remediation process for other regions.

    ", "inputVariables": [ { "name": "length" }, { "name": "content" } ] } } } ] }
  3. Run update-prompt command (OSX/Linux/UNIX) with the ID of the non-compliant prompt as the identifier parameter, re-supplying the existing --name, --default-variant, and --variants values retrieved at the previous step, to encrypt the selected prompt with your new Amazon KMS Customer-Managed Key (CMK). Use the --customer-encryption-key-arn parameter to specify the ARN of your KMS CMK. Omitting --variants or --default-variant would remove the prompt's template content:

    aws bedrock-agent update-prompt
      --region us-east-1
      --prompt-identifier PROMPT12345
      --name tm-project5-managed-prompt
      --default-variant default
      --variants '[{"name":"default","templateType":"TEXT","modelId":"amazon.titan-text-premier-v1:0","templateConfiguration":{"text":{"text":"Summarize the following in  words or less: 
    
    			
    1. Sign in to the AWS Management Console.

    2. To create your own KMS Customer-Managed Key (CMK), navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms/.

    3. In the main navigation panel, choose Customer managed keys.

    4. Choose Create Key to initiate the key setup process.

    5. For Step 1 Configure key, choose Symmetric for Key type and Encrypt and decrypt for Key usage, then select Next.

    6. For Step 2 Add labels, provide a unique name (alias) for your KMS key in the Alias box, then select Next.

    7. For Step 3 Define key administrative permissions, select the IAM users and/or roles that can administer the key, then select Next.

    8. For Step 4 Define key usage permissions, select the IAM users and/or roles (including the Amazon Bedrock service role) that can use your KMS key in cryptographic operations, then select Next.

    9. For Step 5 Review, review the key configuration and key policy, then choose Finish to create your new Amazon KMS Customer-Managed Key (CMK).

    10. Once your new KMS CMK is available, navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

    11. In the main navigation panel, under Build, select Prompt Management.

    12. In the Prompts section, click on the name (link) of the non-compliant prompt that you want to configure, available in the Name column (see Audit section to identify the right resource).

    13. Choose Edit to modify the prompt's configuration.

    14. In the KMS key selection section, choose Customize encryption settings (advanced), then select the Customer-Managed Key (CMK) created earlier in the Remediation process from the Choose an AWS KMS key dropdown list.

    15. Choose Save to apply the new encryption configuration to the prompt.

    16. Repeat steps no. 12 - 15 for each Amazon Bedrock Managed Prompt that you want to re-encrypt with a Customer-Managed Key (CMK), available in the current AWS region.

    17. Change the AWS cloud region from the navigation bar to repeat the Remediation process for other regions.

    ","inputVariables":[{"name":"length"},{"name":"content"}]}}}]' --customer-encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd
  4. The command output should return the updated prompt details, confirming the new KMS key ARN:

    {
    	"id": "PROMPT12345",
    	"arn": "arn:aws:bedrock:us-east-1:123456789012:prompt/PROMPT12345",
    	"name": "tm-project5-managed-prompt",
    	"customerEncryptionKeyArn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-1234-abcd-1234-abcd1234abcd",
    	"version": "DRAFT",
    	"updatedAt": "2024-07-11T12:37:48.329055+00:00"
    }
    
  5. Repeat steps no. 1 - 4 for each Amazon Bedrock Managed Prompt that you want to re-encrypt with a Customer-Managed Key (CMK), available in the selected AWS region.

  6. Change the AWS cloud region by updating the --region command parameter value and repeat the Remediation process for other regions.

References

Publication date Jul 13, 2026