Info icon
End of Life Notice: For Trend Cloud One™ - Conformity Customers, Conformity will reach its End of Sale on “July 31st, 2025” and End of Life “July 31st, 2026”. The same capabilities and much more is available in TrendAI Vision One™ Cloud Risk Management. For details, please refer to Upgrade to TrendAI Vision One™
Logo of TrendAI
Use the Knowledge Base AI to help improve your Cloud Posture

Use Customer-Managed Keys to Encrypt Agent Sessions

TrendAI Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1400 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: Bedrock-001

Ensure that your Amazon Bedrock agent session data is encrypted with Amazon KMS Customer Managed Keys (CMKs) instead of AWS managed keys. This method grants you more granular control over the data encryption at rest and helps meet compliance requirements.

Security
Operational
excellence

By default, Amazon Bedrock encrypts your agent's session data using an AWS-managed key. If you use your own KMS Customer Managed Keys (CMKs) for data encryption, you have full control over who can use the encryption keys to access your session data. This improves data security posture and compliance by adhering to strict encryption requirements for sensitive data. The Amazon KMS service allows you to easily create, rotate, disable, and audit Customer Managed Keys for your Bedrock agent session data.

Audit

To obtain the encryption configuration information available for your Amazon Bedrock agents, perform the following operations:

Getting the encryption configuration information for Bedrock agents via AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

  3. In the main navigation panel, under Builder tools, select Agents.

  4. In the Agents section, click on the name (link) of the agent that you want to examine, available in the Name column.

  5. In the Agent overview section, check the KMS key attribute value to identify the Amazon KMS key used to encrypt the session data for the selected Amazon Bedrock agent. If the KMS key attribute does not have a value, your Amazon Bedrock agent session data is encrypted using an AWS-managed key (default key provided by AWS) instead of using a Customer Managed Key (CMK).

  6. Repeat steps no. 4 and 5 for each Bedrock agent available within the current AWS region.

  7. Change the AWS cloud region from the navigation bar to repeat the Audit process for other regions.

Remediation / Resolution

To encrypt your Amazon Bedrock agent session data using your own KMS Customer Master Key (CMK), you must reconfigure your Bedrock agents, by performing the following operations:

Enabling encryption for Amazon Bedrock agents using AWS Command Line Interface (CLI) is not currently supported.

Using AWS Console

  1. Sign in to the AWS Management Console.

  2. To create your own KMS Customer Managed Key (CMK), navigate to Key Management Service (KMS) console available at https://console.aws.amazon.com/kms/.

  3. In the main navigation panel, choose Customer managed keys.

  4. Choose Create Key to initiate the key setup process.

  5. For Step 1 Configure key, perform the following actions:

    1. Choose Symmetric for Key type.
    2. Select KMS for Key usage.
    3. Choose Advanced options, select KMS - recommended for Key material origin, and choose whether to allow your KMS key to be replicated into other AWS cloud regions. If Single-Region key is selected, the AWS region must match the region of your Amazon Bedrock agent.
    4. Select Next to continue the key setup process.

  6. For Step 2 Add labels, provide the following details:

    1. Provide a unique name (alias) for your KMS key in the Alias box.
    2. (Optional) Enter a short description in the Description box.
    3. (Optional) Choose Add tag from the Tags - optional section to create any necessary tag sets. Tags can be used to categorize and identify your KMS keys and help you track your AWS costs.
    4. Select Next to continue the setup.

  7. For Step 3 Define key administrative permissions, perform the following operations:

    1. For Key administrators, select which IAM users and/or roles can administer your new key through the KMS API. You may need to add additional permissions for the users or roles to administer the key from the AWS Management Console.
    2. For Key deletion, choose whether to allow key administrators to delete your KMS key.
    3. Select Next to continue the setup process.

  8. For Step 4 Define key usage permissions, perform the following actions:

    1. For Key users, select which IAM users and/or roles can use your KMS key in cryptographic operations.
    2. (Optional) For Other AWS accounts section, specify the AWS accounts that can use your key. To configure cross-account access, choose Add another AWS account and enter the ID of the AWS cloud account that can use your KMS key for cryptographic operations. The administrators of the AWS accounts you specify at this step are responsible for managing the permissions that allow their IAM users and/or roles to use your key.
    3. Select Next to continue the setup.

  9. For Step 5 Review, review the key configuration and key policy, then choose Finish to create your new Amazon KMS Customer Managed Key (CMK).

  10. Once your new KMS Customer Managed Key (CMK) is available, navigate to Amazon Bedrock console available at https://console.aws.amazon.com/bedrock/.

  11. In the main navigation panel, under Builder tools, select Agents.

  12. In the Agents section, select the Amazon Bedrock agent that you want to configure, and choose Edit.

  13. To be able to encrypt agent sessions with your Amazon KMS Customer Managed Key (CMK), you must configure the agent service role permissions to allow Amazon Bedrock to encrypt and decrypt agent resources on your behalf. To add the necessary permissions, perform the following actions:

    1. In the Agent overview section, click on the ARN (link) of the service role associated with the agent, available under Permissions, to open the role page in Amazon IAM.
    2. Select the Permissions tab, choose Add permissions, select Create inline policy, choose the JSON tab, and paste the policy document listed below (JSON format). Replace \<aws-region\>, \<aws-account-id\>, \<kms-key-id\>, and \<agent-id\> with your own AWS resource information.
    3. Choose Next, provide a unique name for your new inline policy in the Policy name box, and choose Create policy to create an attach the identity-based policy to your agent service role. 
      	{
		"Version": "2012-10-17",
		"Statement": [
			{
				"Effect": "Allow",
				"Action": [
					"kms:GenerateDataKey",
					"kms:Decrypt"
				],
				"Resource": "arn:aws:kms:<aws-region>:<aws-account-id>:key/<kms-key-id>",
				"Condition": {
					"StringEquals": {
						"kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:<aws-region>:<aws-account-id>:agent/<agent-id>"
					}
				}
			}
		]
	}

  14. Navigate back to the Bedrock agent configuration page to apply the encryption key. In the KMS key selection section, check the Customize encryption settings (advanced) setting checkbox, and choose the ID of the Amazon KMS Customer Managed Key (CMK) created earlier in the Remediation process, from the Choose an AWS KMS key dropdown list.

  15. Choose Save and exit to apply the configuration changes and return to the Agents listing page.

  16. Repeat steps no. 12 - 15 for each Amazon Bedrock agent that you want to encrypt, available in the current AWS region.

  17. Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.

References

Publication date Jun 13, 2024

Related Bedrock rules