AWS bedrock documentation change
Summary
Updated encryption documentation for imported custom models, clarifying two creation methods (import jobs vs Amazon Nova models) and refining encryption key descriptions
Security assessment
The changes enhance documentation about encryption mechanisms (AWS-owned vs customer-managed keys) and key revocation processes, which are security features. However, there's no evidence of addressing a specific vulnerability or security incident.
Diff
diff --git a/bedrock/latest/userguide/encryption-import-model.md b/bedrock/latest/userguide/encryption-import-model.md index 0c92ab9ae..ee161fb9b 100644 --- a//bedrock/latest/userguide/encryption-import-model.md +++ b//bedrock/latest/userguide/encryption-import-model.md @@ -7 +7 @@ How Amazon Bedrock uses grants in AWS KMS -# Encryption of custom model import +# Encryption of imported custom models @@ -9 +9 @@ How Amazon Bedrock uses grants in AWS KMS -Amazon Bedrock supports creating a custom model by using the custom model import feature to import models that you have created in other environments, such as Amazon SageMaker AI. Your custom imported models are managed and stored by AWS. For more information, see [Import a model](https://docs.aws.amazon.com/bedrock/latest/userguide/model-customization-import-model.html). +Amazon Bedrock supports creating custom models through two methods that both use the same encryption approach. Your custom models are managed and stored by AWS: @@ -11 +11 @@ Amazon Bedrock supports creating a custom model by using the custom model import -For encryption of your custom imported model, Amazon Bedrock provides the following options: + * **Custom model import jobs** — For importing customized open-source foundation models (such as Mistral AI or Llama models). @@ -13 +13,8 @@ For encryption of your custom imported model, Amazon Bedrock provides the follow - * **AWS owned keys** – By default, Amazon Bedrock encrypts custom imported models with AWS owned keys. You can't view, manage, or use AWS owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the _AWS Key Management Service Developer Guide_. + * **Create custom model** — For importing Amazon Nova models that you customized in SageMaker AI. + + + + +For encryption of your custom models, Amazon Bedrock provides the following options: + + * **AWS owned keys** – By default, Amazon Bedrock encrypts imported custom models with AWS owned keys. You can't view, manage, or use AWS owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the _AWS Key Management Service Developer Guide_. @@ -40 +47 @@ For more information, see [customer managed keys](https://docs.aws.amazon.com/km -For all the custom models you import, Amazon Bedrock automatically enables encryption at rest using AWS owned keys to protect customer data at no charge. If you use a customer managed key, AWS KMS charges apply. For more information about pricing, see [AWS Key Management Service Pricing.](https://docs.aws.amazon.com/). +For all the custom models that you import, Amazon Bedrock automatically enables encryption at rest using AWS owned keys to protect customer data at no charge. If you use a customer managed key, AWS KMS charges apply. For more information about pricing, see [AWS Key Management Service Pricing.](https://docs.aws.amazon.com/). @@ -59 +66 @@ Amazon Bedrock requires the primary grant to use your customer managed key for t -You have full access to your customer managed AWS KMS key. You can revoke access to the grant by following the steps at [Retiring and revoking grants](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) in the _AWS Key Management Service Developer Guide_. or remove the service’s access to your customer managed key at any time by modifying the key policy. If you do so, Amazon Bedrock won’t be able to access the imported model encrypted by your key. +You have full access to your customer managed AWS KMS key. You can revoke access to the grant by following the steps at [Retiring and revoking grants](https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) in the _AWS Key Management Service Developer Guide_ or remove the service’s access to your customer managed key at any time by modifying the key policy. If you do so, Amazon Bedrock won’t be able to access the imported model encrypted by your key. @@ -76 +83 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Encryption of model customization resources +Encryption of custom models