Recommendation encryption
When you specify a kmsKeyArn on a recommendation, the service encrypts the recommendation configuration and recommendation result using envelope encryption with the AWS Encryption SDK. All other recommendation metadata (name, type, status) remains encrypted with the AWS owned key.
The kmsKeyArn is specified at creation time via StartRecommendation.
How it works
Recommendation encryption uses the AWS Encryption SDK for envelope encryption. When the service writes or reads recommendation data, it calls KMS to generate or decrypt data keys. The recommendation result is also stored in S3 with SSE-KMS using the same customer managed key.
At API time, the service validates that the caller has KMS permissions using a dry-run check (Forward Access Sessions). This catches permission issues immediately rather than failing asynchronously during the recommendation workflow.
When the recommendation workflow runs asynchronously, the service principal (bedrock-agentcore.amazonaws.com) decrypts the configuration and encrypts the result. The service principal must have kms:GenerateDataKey and kms:Decrypt permission in the key policy.
AgentCore optimizations supports only symmetric encryption KMS keys. The KMS key must be in the same AWS Region as the recommendation.
Configuring permissions to use a customer managed KMS key
The following key policy provides the minimum permissions required for recommendation encryption. The policy has three statements:
-
AllowCallerAccess – Allows the IAM user or role to validate the key via
DescribeKey. -
AllowCallerCryptoOps – Allows the IAM user or role to encrypt and decrypt, scoped by encryption context.
-
AllowServicePrincipalAccess – Allows the AgentCore service principal to encrypt and decrypt recommendation data during the asynchronous recommendation workflow, scoped by source account and source ARN.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowCallerAccess", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/MyRecommendationRole" }, "Action": "kms:DescribeKey", "Resource": "*" }, { "Sid": "AllowCallerCryptoOps", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:role/MyRecommendationRole" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "StringLike": { "kms:EncryptionContext:aws:bedrock-agentcore:recommendationArn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:recommendation/*" } } }, { "Sid": "AllowServicePrincipalAccess", "Effect": "Allow", "Principal": { "Service": "bedrock-agentcore.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "111122223333" }, "ArnLike": { "aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:recommendation/*" } } } ] }
The policy contains the following statements:
-
AllowCallerAccess – Grants the IAM role
kms:DescribeKeypermission for key validation at recommendation creation time. Replace111122223333with your account ID andMyRecommendationRolewith the IAM role or user that starts recommendations. -
AllowCallerCryptoOps – Grants the IAM role
kms:GenerateDataKeyandkms:Decryptpermissions, scoped by theaws:bedrock-agentcore:recommendationArnencryption context. Replace111122223333,MyRecommendationRole, andus-east-1with your values. To allow access to all recommendations in your account, use a wildcard withStringLike:arn:aws:bedrock-agentcore:us-east-1:111122223333:recommendation/*. -
AllowServicePrincipalAccess – Grants the AgentCore service principal
kms:GenerateDataKeyandkms:Decryptpermissions for encrypting and decrypting recommendation data during the asynchronous workflow. Scoped by source account and source ARN (aws:SourceArn) to prevent confused deputy attacks. Replaceus-east-1and111122223333with your region and account ID.
Scoping down access to the customer managed KMS key
You can use the encryption context to scope down access to the customer managed key. AgentCore optimizations includes the following encryption context in all KMS operations:
{ "aws:bedrock-agentcore:recommendationArn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:recommendation/recommendation-id" }
You can use this encryption context in key policy conditions to restrict KMS operations to specific recommendations, as shown in the AllowCallerCryptoOps statement in the example key policy above. Note that AllowServicePrincipalAccess uses aws:SourceArn for scoping rather than encryption context.
Starting a recommendation with a customer managed KMS key
Specify the kmsKeyArn parameter when calling StartRecommendation:
Example
Monitoring KMS usage for recommendations
The following CloudTrail event names appear for recommendation KMS operations:
-
GenerateDataKey— When starting a recommendation (encrypting configuration) and when the recommendation workflow completes (encrypting the result). TheencryptionContextfield containsaws:bedrock-agentcore:recommendationArn. -
Decrypt— When the recommendation workflow processes the configuration, or when retrieving recommendation results. -
DescribeKey— When validating the key at recommendation creation time.
Behavior when a key becomes unavailable
If you disable or delete the customer managed KMS key used by a recommendation:
-
StartRecommendation — Fails at validation with
ValidationException. -
GetRecommendation — Fails with
ValidationExceptionindicating the KMS key is disabled or deleted. -
ListRecommendations — Succeeds because listing returns metadata only and does not require KMS operations.
-
DeleteRecommendation — Succeeds because deletion does not require decrypting recommendation data.