Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Use Customer-Managed Keys to Encrypt Amazon Bedrock Studio Workspaces

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Bedrock-006

Ensure that your Amazon Bedrock Studio workspaces are encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys. This grants you more granular control over the data encryption at rest and helps meet compliance requirements.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security
Operational
excellence

Amazon Bedrock Studio workspaces are collaborative environments used for developing, training, and deploying machine learning (ML) models on AWS. By default, Amazon Bedrock Studio encrypts your workspace data with an AWS-managed key. When you use your own KMS Customer Managed Keys (CMKs) to protect your data, you have full control over who can use the encryption keys to access your data. Encrypting your Studio workspaces is necessary to protect sensitive data and ensure compliance with security standards and regulations. The Amazon KMS service allows you to easily create, rotate, disable, and audit Customer Managed Keys for your Amazon Bedrock Studio workspaces.

Audit

To obtain the encryption configuration available for your Amazon Bedrock Studio Workspaces, perform the following operations:

Getting the workspace encryption configuration information via AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the main navigation panel, select Bedrock Studio Preview.

04 Click on the name (link) of the Amazon Bedrock Studio workspace that you want to examine, available in the Name column.

05 Choose the Overview tab to access the configuration information available for the selected workspace.

06 In the Workspace details section, check the KMS Identifier attribute value to identify the Amazon KMS key used to encrypt the data managed by the selected workspace. If the KMS Identifier attribute is not listed in the Workspace details section, the data managed by the selected Amazon Bedrock Studio workspace is encrypted using an AWS-managed key (default key provided by AWS) instead of using a Customer Managed Key (CMK).

07 Repeat steps no. 5 and 6 for each model customization job available within the current AWS region.

08 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Remediation / Resolution

To encrypt your Amazon Bedrock Studio workspaces using your own KMS Customer Master Key (CMK), you must re-create your workspaces with the necessary encryption configuration, by performing the following operations:

Encrypting your Amazon Bedrock Studio workspaces using AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 To create your own KMS Customer Managed Key (CMK), navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms/.

03 In the main navigation panel, choose Customer managed keys.

04 Choose Create Key to initiate the key setup process.

05 For Step 1 Configure key, perform the following actions:

  1. Choose Symmetric for Key type.
  2. Select KMS for Key usage.
  3. Choose Advanced options, select KMS - recommended for Key material origin, and choose whether to allow your KMS key to be replicated into other AWS cloud regions. If Single-Region key is selected, the AWS region must match the region of your Studio workspace.
  4. Select Next to continue the key setup process.

06 For Step 2 Add labels, provide the following details:

  1. Provide a unique name (alias) for your KMS key in the Alias box.
  2. (Optional) Enter a short description in the Description box.
  3. (Optional) Choose Add tag from the Tags - optional section to create any necessary tag sets. Tags can be used to categorize and identify your KMS keys and help you track your AWS costs.
  4. Select Next to continue the setup.

07 For Step 3 Define key administrative permissions, perform the following operations:

  1. For Key administrators, select which IAM users and/or roles can administer your new key through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS Management Console.
  2. For Key deletion, choose whether to allow key administrators to delete your KMS key.
  3. Select Next to continue the setup process.

08 For Step 4 Define key usage permissions, perform the following actions:

  1. For Key users, select which IAM users and/or roles can use your KMS key in cryptographic operations.
  2. (Optional) For Other AWS accounts section, specify the AWS accounts that can use your key. To configure cross-account access, choose Add another AWS account and enter the ID of the AWS cloud account that can use your KMS key for cryptographic operations. The administrators of the AWS accounts you specify at this step are responsible for managing the permissions that allow their IAM users and/or roles to use your key.
  3. Select Next to continue the setup.

09 For Step 5 Review, review the key configuration and key policy, then choose Finish to create your new Amazon KMS Customer Managed Key (CMK).

10 Once your new KMS Customer Managed Key (CMK) is available, navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

11 In the main navigation panel, select Bedrock Studio Preview.

12 Click on the name (link) of the Amazon Bedrock Studio workspace that you want to re-create (i.e. source workspace), and note the workspace configuration information such as default models, service access role, provisioning role, and so on.

13 Navigate back to the Bedrock Studio page, choose Create workspace, and perform the following actions to create your new Bedrock Studio workspace:

  1. For Workspace details, provide a unique name for your new workspace in the Name column and enter a short description in the Description - optional box.
  2. To create your workspace, you will need a service role and a provisioning role that lets Amazon Bedrock access other AWS cloud services and Bedrock Studio resources on your behalf. For Permissions and roles, choose an existing service role from the Service role dropdown list and select an existing provisioning role from the Provisioning role list (must match the IAM roles used by the source workspace).
  3. For Tags, create any required user-defined tag sets, according to the source workspace tagging scheme. User-defined tags attached to a workspace don't propagate to the workspace's resources.
  4. For KMS key selection - optional, check the Customize encryption settings (advanced) checkbox and select the ID of the Amazon KMS Customer Managed Key (CMK) created earlier in the Remediation process, from the Choose an AWS KMS key list.
  5. For Default models - optional, select the default generative model and embedding model for your new workspace (must match the default models used by the source workspace).
  6. Choose Create to create your new, encrypted Amazon Bedrock Studio workspace.

14 Repeat steps no. 12 and 13 for each Bedrock Studio workspace that you want to re-create, available within the current AWS region.

15 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

References

Publication date Jun 13, 2024

Related Bedrock rules