Securing Amazon Bedrock: Diving into Data Encryption

As generative AI services like Amazon Bedrock become more widely adopted, data security and compliance have emerged as critical priorities for builders and enterprises alike. Whether you’re customizing foundation models, importing your own, or enabling memory and knowledge bases, you need confidence that your sensitive data stays protected.

In this post, I’ll walk through how Amazon Bedrock uses encryption at rest and in transit, how you can integrate AWS Key Management Service (KMS) for customer-controlled encryption, and how to apply best practices to fine-tuned models, agents, memory, and knowledge base artifacts.

Data Encryption in Transit

All requests to the Amazon Bedrock console and API are encrypted using TLS 1.2, ensuring secure transmission over HTTPS. Additionally, any inter-service communication within AWS uses encrypted transport protocols.

Access to Bedrock is governed by IAM roles, so permissions, logging, and authorization stay centralized under your existing AWS identity architecture.

Data Encryption at Rest (Default + CMK)

By default, Amazon Bedrock encrypts all data at rest using AWS-owned keys—this includes model artifacts, input/output data, and logs. However, for stricter control and auditing, you can opt to bring your own customer managed key (CMK) via AWS KMS.

Resources that support CMK encryption include:

  • Model customization jobs & fine-tuned models

  • Agents and agent memory

  • Imported custom models

  • Data sources for knowledge bases

  • Amazon Bedrock Studio domains

Let’s break down a few of these.

Encrypting Custom Model Jobs

When you use Bedrock to fine-tune a foundation model, you can specify a KMS key using the customModelKmsKeyId field. Bedrock will create a grant to access this key on your behalf.

Here’s a minimal key policy to allow Bedrock to perform encryption:

{
  "Sid": "PermissionsEncryptDecryptModel",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::123456789012:role/BedrockModelRole"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
    "kms:CreateGrant"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
    }
  }
}

Once the model is deleted, Bedrock automatically retires the associated KMS grant.

Encrypting Bedrock Agents (Post-Jan 2025)

As of January 22, 2025, agents support CMK-based encryption.

In the CreateAgent request, specify the customerEncryptionKeyArn. Bedrock will handle grant creation. Ensure the key policy includes:

{
  "Effect": "Allow",
  "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
  "Principal": {
    "Service": "bedrock.amazonaws.com"
  },
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:EncryptionContext:aws:bedrock:arn": "arn:aws:bedrock:us-east-1:123456789012:agent/my-agent-id"
    }
  }
}

If you’re enabling long-term memory, additional KMS actions (ReEncrypt*, GenerateDataKeyWithoutPlaintext) must be permitted.

Encrypting Knowledge Base Resources

Bedrock lets you attach S3, OpenSearch, or third-party vector stores to power RAG-style knowledge bases. You can encrypt:

  • S3 buckets using SSE-KMS

  • Vector stores with KMS (for OpenSearch collections)

  • Secrets for external stores via AWS Secrets Manager

When calling CreateDataSource, use the kmsKeyArn field to specify your key.

Pro Tip: When encrypting secrets, include permissions like:

{
  "Effect": "Allow",
  "Action": ["kms:Decrypt"],
  "Resource": "arn:aws:kms:us-east-1:123456789012:key/key-id"
}

Monitoring KMS Usage with CloudTrail

To ensure encryption operations are traceable, monitor KMS API calls via AWS CloudTrail. For example, you’ll see events like CreateGrant for model customization jobs:

{
  "eventSource": "kms.amazonaws.com",
  "eventName": "CreateGrant",
  "userAgent": "bedrock.amazonaws.com",
  "requestParameters": {
    "operations": ["Decrypt", "GenerateDataKey"]
  }
}

You can also configure CloudWatch alerts on suspicious activity or permission changes related to your KMS keys.
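As an added example (not code from this post or from AWS), here is one way to triage CloudTrail records for the KMS activity described above, keyed on the fields in the sample event. The allowlist of grant operations, the set of event names treated as key changes, and the sample records are assumptions constructed for illustration.

```python
# Added example: triage CloudTrail records for KMS activity tied to Bedrock keys.
EXPECTED_GRANT_OPS = {"Decrypt", "GenerateDataKey"}  # assumption: from the sample event
# Assumption: KMS calls treated here as permission or lifecycle changes.
KEY_CHANGE_EVENTS = {"PutKeyPolicy", "ScheduleKeyDeletion", "DisableKey", "RevokeGrant"}
BEDROCK_AGENT = "bedrock.amazonaws.com"


def triage(event):
    """Return a list of findings for one CloudTrail record (empty if benign)."""
    if event.get("eventSource") != "kms.amazonaws.com":
        return []
    name = event.get("eventName", "")
    findings = []
    if name in KEY_CHANGE_EVENTS:
        findings.append(f"{name}: key policy, grant or lifecycle change")
    if name == "CreateGrant":
        # requestParameters can be null in CloudTrail, so guard before reading it.
        params = event.get("requestParameters") or {}
        if event.get("userAgent") != BEDROCK_AGENT:
            findings.append("CreateGrant: caller is not Bedrock")
        extra = sorted(set(params.get("operations") or []) - EXPECTED_GRANT_OPS)
        if extra:
            findings.append("CreateGrant: unexpected operations " + ", ".join(extra))
    if event.get("errorCode"):
        findings.append(f"{name}: denied or failed ({event['errorCode']})")
    return findings


# Constructed sample records (not real logs), shaped like the event shown above.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "userAgent": BEDROCK_AGENT,
     "requestParameters": {"operations": ["Decrypt", "GenerateDataKey"]}},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "userAgent": "constructed-client/1.0",
     "requestParameters": {"operations": ["Decrypt", "CreateGrant"]}},
    {"eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
     "userAgent": "constructed-client/1.0", "requestParameters": None},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userAgent": BEDROCK_AGENT, "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
]

if __name__ == "__main__":
    for record in SAMPLE_EVENTS:
        for finding in triage(record):
            print(finding)
```

A failed Decrypt from Bedrock is worth surfacing because it usually means a key policy or grant no longer matches what the workload needs.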

Final Thoughts

Encryption in Amazon Bedrock is more than just a compliance checkbox—it’s a cornerstone of your data governance strategy. Whether you’re customizing models or handling agent memory, CMKs give you audit-ready control over sensitive data.

Stay tuned for Part 2, where I’ll explore IAM policies, identity-based access controls, and best practices for securing Amazon Bedrock workloads.

Have questions or want to dive deeper? Reach out on LinkedIn or drop a comment below!
