Configure Data Deletion Policy for Knowledge Base Data

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

To comply with industry regulations and preserve data for future analysis, ensure that vector store data is retained when deleting Amazon Bedrock knowledge base data sources.

Security
Operational excellence

By default, the vector store data will be deleted when the Amazon Bedrock knowledge base data source is deleted. Setting the data deletion policy to "RETAIN" for your Amazon Bedrock knowledge base data sources ensures that your data and any associated metadata are preserved even after the data source is deleted. This can be mandatory for compliance with regulatory requirements, auditing, and historical analysis.


Audit

To check the data deletion policy for your Amazon Bedrock knowledge base data sources, perform the following operations:

Getting the deletion policy information for knowledge base data sources via AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the main navigation panel, under Builder tools, select Knowledge bases.

04 Select the Knowledge bases tab to list the Amazon Bedrock knowledge bases available in the current AWS region.

05 Click on the name (link) of the knowledge base that you want to examine, available in the Name column.

06 In the Data source section, click on the name (link) of the knowledge base data source that you want to examine, available in the Data source name column.

07 In the Data source overview section, check the Data deletion policy attribute value to determine the deletion policy configured for the selected data source. If the Data deletion policy attribute value is set to DELETE, the vector store data is not retained after the selected Amazon Bedrock knowledge base data source is deleted.

08 Repeat steps no. 6 and 7 for each data source configured for the selected knowledge base.

09 Repeat steps no. 5 - 8 for each Amazon Bedrock knowledge base available within the current AWS region.

10 Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.
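
The same audit run through the AWS SDK, as an added example that is not part of the original page or of Conformity itself. It assumes a boto3 release whose bedrock-agent `get_data_source` response includes the `dataDeletionPolicy` field; the names `find_non_retained` and `_pages` are illustrative.

```python
"""Report Bedrock knowledge base data sources whose deletion policy is not RETAIN."""


def _pages(call, key, **kwargs):
    """Yield every item from a bedrock-agent list_* call, following nextToken."""
    token = None
    while True:
        if token:
            kwargs["nextToken"] = token
        resp = call(**kwargs)
        yield from resp.get(key, [])
        token = resp.get("nextToken")
        if not token:
            return


def find_non_retained(client):
    """Return (knowledge_base_id, data_source_id, policy) for each finding."""
    findings = []
    for kb in _pages(client.list_knowledge_bases, "knowledgeBaseSummaries"):
        kb_id = kb["knowledgeBaseId"]
        for ds in _pages(client.list_data_sources, "dataSourceSummaries",
                         knowledgeBaseId=kb_id):
            detail = client.get_data_source(
                knowledgeBaseId=kb_id, dataSourceId=ds["dataSourceId"]
            )["dataSource"]
            # Assumption: an absent field means the default behaviour, DELETE.
            policy = detail.get("dataDeletionPolicy", "DELETE")
            if policy != "RETAIN":
                findings.append((kb_id, ds["dataSourceId"], policy))
    return findings


if __name__ == "__main__":
    import sys
    import boto3  # needs AWS credentials that can list and read knowledge bases

    # Pass the regions to audit as arguments, e.g. us-east-1 us-west-2.
    for region in sys.argv[1:]:
        client = boto3.client("bedrock-agent", region_name=region)
        for kb_id, ds_id, policy in find_non_retained(client):
            print(f"{region}\t{kb_id}\t{ds_id}\t{policy}")
```

Each printed line is a data source that needs the remediation steps; no output for a region means every data source there is set to RETAIN.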

Remediation / Resolution

To ensure that the vector store data is retained when your Amazon Bedrock knowledge base data sources are deleted, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to the Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

03 In the main navigation panel, under Builder tools, select Knowledge bases.

04 Select the Knowledge bases tab to list the Amazon Bedrock knowledge bases available in the current AWS cloud region.

05 Click on the name (link) of the knowledge base that you want to access, available in the Name column.

06 In the Data source section, select the knowledge base data source that you want to configure, and choose Edit to change the data source deletion policy.

07 Choose Advanced settings - optional, and select Retain from the Data deletion policy dropdown list, to set the data deletion policy to "RETAIN" for the selected Amazon Bedrock knowledge base data source.

08 Choose Submit to apply the configuration changes.

09 Repeat steps no. 6 - 8 for each data source configured for the selected knowledge base.

10 Repeat steps no. 5 - 9 for each Amazon Bedrock knowledge base available in the selected AWS region.

11 Change the AWS cloud region from the navigation bar to repeat the Remediation process for other regions.

Publication date Jun 13, 2024