|
3 | 3 | Stack, |
4 | 4 | StackProps, |
5 | 5 | RemovalPolicy, |
6 | | - Fn, |
7 | 6 | CfnOutput |
8 | 7 | } from "aws-cdk-lib" |
9 | 8 | import { |
@@ -108,10 +107,17 @@ export class EpsAssistMeStack extends Stack { |
108 | 107 | objectOwnership: ObjectOwnership.BUCKET_OWNER_ENFORCED |
109 | 108 | }) |
110 | 109 |
|
111 | | - // Define the S3 bucket for knowledge base documents |
| 110 | + // Create a customer-managed KMS key |
| 111 | + const kbDocsKey = new Key(this, "KbDocsKey", { |
| 112 | + enableKeyRotation: true, |
| 113 | + description: "KMS key for encrypting knowledge base documents" |
| 114 | + }) |
| 115 | + |
| 116 | + // Use the KMS key in your S3 bucket |
112 | 117 | const kbDocsBucket = new Bucket(this, "EpsAssistDocsBucket", { |
113 | 118 | blockPublicAccess: BlockPublicAccess.BLOCK_ALL, |
114 | 119 | encryption: BucketEncryption.KMS, |
| 120 | + encryptionKey: kbDocsKey, |
115 | 121 | removalPolicy: RemovalPolicy.DESTROY, |
116 | 122 | autoDeleteObjects: true, |
117 | 123 | enforceSSL: true, |
@@ -168,7 +174,15 @@ export class EpsAssistMeStack extends Stack { |
168 | 174 | bedrockExecutionRole.addToPolicy(s3AccessGetPolicy) |
169 | 175 | bedrockExecutionRole.addToPolicy(bedrockKBDeleteRolePolicy) |
170 | 176 |
|
171 | | - // ==== Bedrock Guardrail and Version ==== |
| 177 | + // Grant Bedrock permission to decrypt |
| 178 | + kbDocsKey.addToResourcePolicy(new iam.PolicyStatement({ |
| 179 | + effect: iam.Effect.ALLOW, |
| 180 | + principals: [new iam.ArnPrincipal(bedrockExecutionRole.roleArn)], |
| 181 | + actions: ["kms:Decrypt", "kms:DescribeKey"], |
| 182 | + resources: ["*"] |
| 183 | + })) |
| 184 | + |
| 185 | + // Create bedrock Guardrails for the slack bot |
172 | 186 | const guardrail = new CfnGuardrail(this, "EpsGuardrail", { |
173 | 187 | name: "eps-assist-guardrail", |
174 | 188 | description: "Guardrail for EPS Assist Me bot", |
@@ -197,6 +211,7 @@ export class EpsAssistMeStack extends Stack { |
197 | 211 | } |
198 | 212 | }) |
199 | 213 |
|
| 214 | + // Add a dependency for the guardrail to the bedrock execution role |
200 | 215 | const guardrailVersion = new CfnGuardrailVersion(this, "EpsGuardrailVersion", { |
201 | 216 | guardrailIdentifier: guardrail.attrGuardrailId, |
202 | 217 | description: "v1.0" |
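Review bot: The new `Key` created as `KbDocsKey` sets no `removalPolicy`, so it will outlive the bucket it protects: the bucket is `RemovalPolicy.DESTROY` with `autoDeleteObjects: true`, while a CDK `Key` with no explicit policy is, as far as I recall, retained on stack deletion, leaving an orphaned customer-managed key with rotation enabled. If that is unintended, add `removalPolicy: RemovalPolicy.DESTROY,` (optionally with a `pendingWindow`) next to `enableKeyRotation: true`; if the key is meant to survive the stack, say so in the `// Create a customer-managed KMS key` comment. The hand-written key-policy statement under `// Grant Bedrock permission to decrypt` could be replaced by `kbDocsKey.grantDecrypt(bedrockExecutionRole)`, which grants `kms:Decrypt` through the role's identity policy without hard-coding a role ARN into the key policy (add `kms:DescribeKey` with `kbDocsKey.grant(bedrockExecutionRole, "kms:DescribeKey")` if it is really required). The added comment `// Add a dependency for the guardrail to the bedrock execution role` describes something the following line does not do — it creates a `CfnGuardrailVersion` — so it should read `// Publish an immutable version of the guardrail`.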
|