Profile Applicability:

  • Level 2

Description:

Amazon Bedrock is a fully managed service that allows you to build and deploy generative AI applications. It provides logging for model invocations to track interactions with the AI models. These logs can contain sensitive information, and it is essential to encrypt them to ensure that the data is protected both in transit and at rest. This SOP ensures that Amazon Bedrock model invocation logs are encrypted with KMS (Key Management Service), providing an additional layer of security and compliance.

Rationale:

  • Data Security: Enabling KMS encryption ensures that logs containing sensitive or personally identifiable information (PII) are protected from unauthorized access. This is critical for safeguarding customer data and meeting compliance requirements.

  • Compliance: Various regulatory standards, such as HIPAA, PCI-DSS, and SOC 2, require encryption of sensitive logs and data to ensure data privacy and security.

  • Audit and Tracking: With encrypted logs, organizations can safely store logs for auditing and troubleshooting purposes without risking exposure to unauthorized entities.

Impact:

Pros:

  • Enhanced Data Security: Encrypting logs with KMS ensures that the logs are secure, even if an unauthorized user gains access to the storage.

  • Regulatory Compliance: Ensures that you meet the encryption requirements of various compliance frameworks (e.g., HIPAA, PCI-DSS, SOC 2).

  • Auditability: Provides a secure mechanism for tracking interactions with AI models without exposing sensitive data.

Cons:

  • Management Overhead: Implementing and managing KMS keys adds a layer of administrative overhead, including key rotation and permissions management.

  • Potential Latency: Encryption and decryption of logs with KMS may introduce slight latency, though the impact is typically minimal.

Default Value:

By default, Amazon Bedrock may not have model invocation logs encrypted with KMS. The logs may be stored in plain text unless encryption is explicitly enabled during the setup.

Prerequisites:

  • AWS IAM Permissions:

    • bedrock:DescribeModel

    • bedrock:UpdateModel

    • kms:Encrypt

    • kms:Decrypt

    • kms:CreateKey

  • AWS CLI installed and configured.

  • KMS Key created for encryption, and appropriate IAM policies in place to allow access to the KMS key.

  • Access to Amazon Bedrock and an existing AI model deployed for logging and encryption configuration.

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon Bedrock under Services.

  3. In the Amazon Bedrock Console, go to the Model Settings for the model that needs to have logs encrypted.

  4. Review the model invocation log settings:

    • If logs are not encrypted, navigate to the encryption settings and choose Enable encryption with KMS.

    • Select the KMS Key to use for encryption or create a new key.

  5. Save the configuration and confirm that the logs are now encrypted with KMS.

  6. Verify by reviewing logs in CloudWatch and ensuring they are encrypted.

Using AWS CLI:

  1. To check if KMS encryption is enabled for model invocation logs, run the following command:

    aws bedrock describe-model --model-id <model-id> --query 'Model.InvocationLogs.Encryption'

  2. Review the output:

    • If Encryption is set to KMS, the model invocation logs are encrypted with KMS.

    • If Encryption is not set to KMS, proceed with enabling KMS encryption.

  3. To enable KMS encryption for model invocation logs, run:

    aws bedrock update-model --model-id <model-id> --log-encryption-type KMS --kms-key-id <kms-key-id>

  4. Verify that the KMS encryption is enabled by running:

    aws bedrock describe-model --model-id <model-id> --query 'Model.InvocationLogs.Encryption'

Implementation Steps:

Using AWS Console:

  1. Log in to the AWS Management Console and navigate to Amazon Bedrock.

  2. In the Amazon Bedrock Console, go to the Model Settings for the AI model you want to configure.

  3. Enable KMS encryption for model invocation logs:

    • Under the Logging Configuration, select Encrypt with KMS and choose the KMS Key to be used for encryption.

  4. Save the changes and confirm that the KMS encryption is applied to the logs.

  5. Ensure that logs are securely encrypted by checking logs in CloudWatch.

Using AWS CLI:

  1. To enable KMS encryption for model invocation logs, use the following command:

    aws bedrock update-model --model-id <model-id> --log-encryption-type KMS --kms-key-id <kms-key-id>

  2. Verify the update by checking the encryption status:

    aws bedrock describe-model --model-id <model-id> --query 'Model.InvocationLogs.Encryption'
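The Test Plan and Implementation Steps above both come down to one question: does every destination that receives Bedrock model invocation logs sit behind a KMS key? The following audit script is an added example, not part of this SOP and not AWS's own tooling. It uses the boto3 operations `get_model_invocation_logging_configuration` (bedrock), `describe_log_groups` (logs) and `get_bucket_encryption` (s3), which exist in boto3, rather than the CLI commands quoted above. It goes slightly beyond the steps by also checking the optional large-data S3 delivery bucket. The sample responses, ARNs, bucket and log group names are constructed placeholders; the evaluation logic is pure so it runs offline, and `fetch_and_audit` is the only part that needs credentials.

```python
"""Audit whether Amazon Bedrock model invocation logs land on KMS-encrypted
destinations. Added example, not part of this SOP. Live use (fetch_and_audit)
assumes boto3 is installed and the caller may read the Bedrock logging
configuration, CloudWatch log group metadata and S3 bucket encryption."""
from __future__ import annotations

from typing import Any

# Constructed sample responses, shaped like the real API output. All names and
# ARNs below are placeholders, not values from any real account.
SAMPLE_CONFIG: dict[str, Any] = {
    "cloudWatchConfig": {
        "logGroupName": "/bedrock/invocations",
        "roleArn": "arn:aws:iam::123456789012:role/BedrockLoggingRole",
    },
    "s3Config": {"bucketName": "example-bedrock-logs", "keyPrefix": "invocations/"},
    "textDataDeliveryEnabled": True,
}
# Non-compliant state: the log group has no kmsKeyId and the bucket defaults to
# SSE-S3 (AES256) rather than SSE-KMS (aws:kms).
SAMPLE_LOG_GROUPS: dict[str, dict[str, Any]] = {
    "/bedrock/invocations": {"logGroupName": "/bedrock/invocations", "storedBytes": 0},
}
SAMPLE_BUCKETS: dict[str, dict[str, Any]] = {
    "example-bedrock-logs": {
        "Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]
    },
}


def bucket_names(cfg: dict[str, Any]) -> list[str]:
    """Every distinct S3 bucket the logging configuration writes to."""
    names: list[str] = []
    if cfg.get("s3Config"):
        names.append(cfg["s3Config"]["bucketName"])
    large = (cfg.get("cloudWatchConfig") or {}).get("largeDataDeliveryS3Config")
    if large:
        names.append(large["bucketName"])
    return list(dict.fromkeys(names))


def audit_logging_config(
    cfg: dict[str, Any],
    log_groups: dict[str, dict[str, Any]],
    buckets: dict[str, dict[str, Any]],
) -> dict[str, Any]:
    """Evaluate a 'loggingConfig' object against its destinations.

    log_groups maps logGroupName -> entry from describe_log_groups()['logGroups'];
    buckets maps bucket name -> 'ServerSideEncryptionConfiguration' from
    get_bucket_encryption(). 'compliant' is True only when every configured
    destination is protected by a KMS key.
    """
    findings: list[str] = []
    destinations = 0

    cw = cfg.get("cloudWatchConfig")
    if cw:
        destinations += 1
        name = cw.get("logGroupName", "")
        group = log_groups.get(name)
        if group is None:
            findings.append(f"CloudWatch log group {name!r} not found")
        elif not group.get("kmsKeyId"):
            findings.append(f"CloudWatch log group {name!r} has no KMS key associated")

    for bucket in bucket_names(cfg):
        destinations += 1
        rules = (buckets.get(bucket) or {}).get("Rules", [])
        default = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
        algo = default.get("SSEAlgorithm", "none")
        if algo != "aws:kms":
            findings.append(f"S3 bucket {bucket!r} default encryption is {algo}, not aws:kms")

    if destinations == 0:
        findings.append("model invocation logging is not configured")

    return {"destinations": destinations, "findings": findings, "compliant": not findings}


def fetch_and_audit(region: str) -> dict[str, Any]:
    """Pull the live configuration and run the audit (requires boto3 + credentials)."""
    import boto3  # imported here so the pure audit logic runs without boto3
    from botocore.exceptions import ClientError

    bedrock = boto3.client("bedrock", region_name=region)
    cfg = bedrock.get_model_invocation_logging_configuration().get("loggingConfig", {})

    log_groups: dict[str, dict[str, Any]] = {}
    cw = cfg.get("cloudWatchConfig")
    if cw:
        logs = boto3.client("logs", region_name=region)
        for g in logs.describe_log_groups(logGroupNamePrefix=cw["logGroupName"])["logGroups"]:
            log_groups[g["logGroupName"]] = g

    buckets: dict[str, dict[str, Any]] = {}
    s3 = boto3.client("s3", region_name=region)
    for name in bucket_names(cfg):
        try:
            buckets[name] = s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]
        except ClientError:
            pass  # no default encryption configured: reported as a finding
    return audit_logging_config(cfg, log_groups, buckets)


if __name__ == "__main__":
    for line in audit_logging_config(SAMPLE_CONFIG, SAMPLE_LOG_GROUPS, SAMPLE_BUCKETS)["findings"]:
        print("FINDING:", line)
```

Run against the constructed sample it reports two findings (unencrypted log group, SSE-S3 bucket) and `compliant: False`; with a `kmsKeyId` on the log group and `aws:kms` as the bucket default it returns compliant. Note that SSE-S3 (`AES256`) is deliberately treated as a finding, since the control asks for KMS-managed keys, and that an account with no logging configured at all is also flagged rather than silently passing.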

Backout Plan:

Using AWS Console:

  1. If enabling KMS encryption causes issues, sign in to the AWS Management Console.

  2. Navigate to Amazon Bedrock, and go to Model Settings or Logging.

  3. Disable KMS encryption and save the changes.

  4. Verify that the logs are no longer encrypted with KMS.

Using AWS CLI:

  1. To disable KMS encryption, run:

    aws bedrock put-model-invocation-logging --model-id <MODEL_ID> --log-encryption-kms-key ""

  2. Verify that the KMS encryption has been disabled:

    aws bedrock describe-model-invocation-logs --region <REGION>

References:

CIS Controls Mapping:

  Version | Control ID | Control Description                                                                                                      | IG1 | IG2 | IG3
  v8      | 3.4        | Encrypt Data on End-User Devices – Ensure data encryption during file system access.                                     |     |     |
  v8      | 6.7        | Implement Application Layer Filtering and Content Control – Ensure appropriate content filtering is applied to sensitive files. |     |     |
  v8      | 6.8        | Define and Maintain Role-Based Access Control – Implement and manage role-based access for file systems.                  |     |     |
  v8      | 14.6       | Protect Information Through Access Control Lists – Apply strict access control to file systems.                          |     |     |