Security Hub CSPM controls for Amazon Bedrock - Amazon Security Hub
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Security Hub CSPM controls for Amazon Bedrock

These Amazon Security Hub CSPM controls evaluate the Amazon Bedrock service and resources. The controls might not be available in all Amazon Web Services Regions. For more information, see Availability of controls by Region.

[Bedrock.1] Amazon Bedrock data sources should be encrypted with customer managed Amazon KMS keys

Category: Protect > Data protection > Encryption of data at rest

Severity: Medium

Resource type: AWS::Bedrock::DataSource

Amazon Config rule: bedrock-data-source-encryption-enabled

Schedule type: Change triggered

Parameters: None

This control checks whether an Amazon Bedrock data source is encrypted at rest with a customer managed Amazon KMS key. The control fails if the data source isn't encrypted with a customer managed KMS key.

By default, Amazon Bedrock encrypts data source content with Amazon managed keys. Using a customer managed KMS key gives you full control over the encryption key lifecycle, including rotation, access policies, and auditing through Amazon CloudTrail. This helps meet compliance requirements that mandate customer-controlled encryption for sensitive data ingested into knowledge bases.
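As an added example, not the Amazon Config rule's own code, the following re-implements the Bedrock.1 evaluation locally over constructed records shaped like the bedrock-agent GetDataSource response, with a constructed stand-in for the KMS DescribeKey KeyManager lookup that distinguishes a customer managed key from an Amazon managed one; the field names, IDs and key ARNs are assumptions for illustration.

```python
# Shape follows bedrock-agent GetDataSource "dataSource" responses (assumed field
# names); these records are constructed for the example, not captured from an account.
SAMPLE_DATA_SOURCES = [
    {"dataSourceId": "DS0000AAAA", "knowledgeBaseId": "KB0000AAAA",
     "name": "docs-default-encryption"},  # no SSE config: AWS managed key in use
    {"dataSourceId": "DS0000BBBB", "knowledgeBaseId": "KB0000AAAA",
     "name": "docs-aws-managed-key",
     "serverSideEncryptionConfiguration": {
         "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example"}},
    {"dataSourceId": "DS0000CCCC", "knowledgeBaseId": "KB0000AAAA",
     "name": "docs-customer-managed-key",
     "serverSideEncryptionConfiguration": {
         "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/cmk-example"}},
]

# Constructed stand-in for kms DescribeKey -> KeyMetadata.KeyManager ("AWS" or
# "CUSTOMER"); a real run fills this by calling DescribeKey on each referenced key.
SAMPLE_KEY_MANAGER = {
    "arn:aws:kms:us-east-1:111122223333:key/aws-managed-example": "AWS",
    "arn:aws:kms:us-east-1:111122223333:key/cmk-example": "CUSTOMER",
}


def evaluate_data_source(data_source, key_manager_lookup):
    """Return ("PASSED" | "FAILED", reason) for one data source record."""
    sse = data_source.get("serverSideEncryptionConfiguration") or {}
    key_arn = sse.get("kmsKeyArn")
    if not key_arn:
        return "FAILED", "no KMS key configured; default AWS managed key in use"
    manager = key_manager_lookup.get(key_arn)
    if manager is None:
        # Unresolvable key (deleted, or cross-account without DescribeKey access):
        # fail closed so the finding gets reviewed instead of silently passing.
        return "FAILED", f"could not resolve key manager for {key_arn}"
    if manager != "CUSTOMER":
        return "FAILED", f"{key_arn} is an AWS managed key, not customer managed"
    return "PASSED", f"encrypted with customer managed key {key_arn}"


def failing_data_sources(data_sources, key_manager_lookup):
    """IDs of data sources that would produce a FAILED Bedrock.1 finding."""
    return [ds["dataSourceId"] for ds in data_sources
            if evaluate_data_source(ds, key_manager_lookup)[0] == "FAILED"]


if __name__ == "__main__":
    for ds in SAMPLE_DATA_SOURCES:
        status, reason = evaluate_data_source(ds, SAMPLE_KEY_MANAGER)
        print(f"{ds['knowledgeBaseId']}/{ds['dataSourceId']} {status}: {reason}")
```

Note that a key ARN alone does not prove customer control: an Amazon managed key also has an ARN, so the KeyManager lookup is what separates the two cases.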

Remediation

To encrypt your Amazon Bedrock data source with a customer managed KMS key, see Modify a data source for your Amazon Bedrock knowledge base in the Amazon Bedrock User Guide.