
AWS Bedrock encryption explained

Quick answer
AWS Bedrock encrypts data both in transit and at rest using industry-standard AWS Key Management Service (KMS) keys. This ensures that all AI model inputs, outputs, and stored data remain secure and compliant with enterprise-grade encryption standards.

Prerequisites

  • Python 3.8+
  • AWS CLI configured with appropriate permissions
  • boto3 installed (pip install boto3)

Setup

To interact with AWS Bedrock encryption features, ensure you have the AWS CLI configured with credentials that have permissions for KMS and Bedrock services. Install the boto3 Python SDK for API access.

bash
pip install boto3
output
Collecting boto3
  Downloading boto3-1.28.0-py3-none-any.whl (134 kB)
Installing collected packages: boto3
Successfully installed boto3-1.28.0

Step by step

This example demonstrates how to verify encryption settings for AWS Bedrock using boto3. Bedrock exposes no API for inspecting its encryption directly, so the script lists the KMS keys in your account and describes one of them, which is how you confirm which customer-managed key is available for Bedrock to use.

python
import boto3

REGION = 'us-east-1'

# Bedrock encrypts data with KMS keys managed by AWS or with customer-managed
# keys; there is no Bedrock API that describes the key configuration, so the
# KMS client is where the keys are inspected. Use the same region for Bedrock
# and KMS, otherwise the key will not be found.
kms_client = boto3.client('kms', region_name=REGION)

# List keys, following pagination so accounts with many keys are fully covered
keys = []
for page in kms_client.get_paginator('list_keys').paginate():
    keys.extend(page['Keys'])

print('Available KMS keys:')
for key in keys:
    print(f"KeyId: {key['KeyId']}")

# Describe a specific key to check its usage. KeyMetadata also carries
# KeyManager ('CUSTOMER' or 'AWS') and KeyState ('Enabled', 'Disabled', ...).
key_id = keys[0]['KeyId'] if keys else None
if key_id:
    key_info = kms_client.describe_key(KeyId=key_id)
    print('Key description:', key_info['KeyMetadata']['Description'])
else:
    print('No KMS keys found.')
output
Available KMS keys:
KeyId: 1234abcd-12ab-34cd-56ef-1234567890ab
Key description: Customer managed key for Bedrock encryption
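Listing keys only tells you that a key exists. Before relying on one as a Bedrock CMK, a practitioner also wants to know that it is customer-managed, enabled, symmetric, and that the role calling Bedrock is actually granted kms:Encrypt and kms:Decrypt by the key policy. The following is an added example, not code from the original page: the audit logic is pure Python over the KeyMetadata dict that kms:DescribeKey returns and over a key policy document, so it runs offline against the constructed sample below; the `audit_key` function at the end fetches the real data with boto3 (`describe_key` and `get_key_policy`, both real KMS calls). The policy evaluator is a deliberate simplification: it honours Allow, Deny and action wildcards, but ignores Condition blocks and IAM identity policies, and a statement addressed to the account root is not treated as covering individual roles.

```python
import json
from fnmatch import fnmatch

# Constructed sample inputs (not real account data): the KeyMetadata shape that
# kms:DescribeKey returns, and a key policy in the standard IAM document format.
ROLE_ARN = "arn:aws:iam::123456789012:role/BedrockAppRole"
AUDIT_ROLE_ARN = "arn:aws:iam::123456789012:role/ReadOnlyAuditor"

SAMPLE_METADATA = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
    "Description": "Customer managed key for Bedrock encryption",
}

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN, AUDIT_ROLE_ARN]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*"},
        # An explicit Deny that removes Decrypt from the auditor role only
        {"Effect": "Deny", "Principal": {"AWS": AUDIT_ROLE_ARN},
         "Action": "kms:Decrypt", "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # "*" matches every principal; otherwise compare against the AWS principal list.
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return any(p == "*" or p == caller_arn for p in _as_list(aws))


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and support '*' wildcards
    return fnmatch(action.lower(), pattern.lower())


def policy_allows(policy, caller_arn, action):
    """True if the key policy grants `action` to `caller_arn`; Deny wins over Allow."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def audit_key_metadata(metadata):
    """Findings for the KeyMetadata dict returned by kms:DescribeKey."""
    findings = []
    if metadata.get("KeyManager") != "CUSTOMER":
        findings.append("key is AWS-managed, not a customer-managed key")
    if metadata.get("KeyState") != "Enabled":
        findings.append(f"key state is {metadata.get('KeyState')}, expected Enabled")
    if metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        findings.append("key is not a symmetric encryption key")
    if metadata.get("KeyUsage") != "ENCRYPT_DECRYPT":
        findings.append("key usage is not ENCRYPT_DECRYPT")
    return findings


def audit_key_policy(policy, caller_arn):
    """Findings for the permissions the troubleshooting section calls out."""
    return [f"{caller_arn} lacks {action} on this key"
            for action in ("kms:Encrypt", "kms:Decrypt")
            if not policy_allows(policy, caller_arn, action)]


def audit_key(key_id, caller_arn, region="us-east-1"):
    """Run both audits against a live key (needs kms:DescribeKey and kms:GetKeyPolicy).
    boto3 is imported here so the pure checks above can be exercised offline."""
    import boto3
    kms = boto3.client("kms", region_name=region)
    metadata = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    policy = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
    return audit_key_metadata(metadata) + audit_key_policy(policy, caller_arn)


if __name__ == "__main__":
    print("metadata findings:", audit_key_metadata(SAMPLE_METADATA))
    print("policy findings for app role:", audit_key_policy(SAMPLE_POLICY, ROLE_ARN))
    print("policy findings for auditor:", audit_key_policy(SAMPLE_POLICY, AUDIT_ROLE_ARN))
```

Run against a real key with `audit_key("1234abcd-12ab-34cd-56ef-1234567890ab", ROLE_ARN)`. An empty list means the key is a usable CMK for that role as far as the key policy is concerned; the identity policy attached to the role still has to grant the same actions, which this check does not cover.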

Common variations

AWS Bedrock encryption is automatic and transparent. You can use either AWS-managed keys or customer-managed keys (CMKs) via AWS KMS. For enhanced control, specify CMKs when configuring Bedrock resources. Encryption applies to data at rest and in transit using TLS.

For asynchronous or streaming Bedrock API calls, encryption remains enforced by AWS infrastructure without additional developer action.

Troubleshooting

  • If you receive AccessDeniedException errors, verify your IAM role has kms:Decrypt and kms:Encrypt permissions for the relevant KMS keys.
  • Ensure your Bedrock client region matches the region of your KMS keys.
  • For network issues, confirm TLS connections are allowed and not blocked by firewalls.
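Because encryption is transparent, the practical question for the "Common variations" and "Troubleshooting" sections is which Bedrock resources actually carry a customer-managed key, and whether that key lives in the same region (and account) as the Bedrock client. The following is an added example, not code from the page: the classification is pure Python over records of the form `{"resource": ..., "kms_key_arn": ...}` and runs offline on the constructed sample; `collect_live` builds those records with boto3 and assumes the key ARN fields that GetCustomModel (`modelKmsKeyArn`), GetGuardrail (`kmsKeyArn`) and GetAgent (`customerEncryptionKeyArn`) return, which you should confirm against your SDK version. It also refuses to proceed if a client was created with a non-TLS endpoint.

```python
# Constructed sample inventory (not real resources). A missing key ARN means
# the resource is protected by the AWS-managed key rather than a CMK.
SAMPLE_RECORDS = [
    {"resource": "arn:aws:bedrock:us-east-1:123456789012:custom-model/demo-model",
     "kms_key_arn": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"},
    {"resource": "arn:aws:bedrock:us-east-1:123456789012:guardrail/demo-guardrail",
     "kms_key_arn": None},
    {"resource": "arn:aws:bedrock:us-east-1:123456789012:agent/DEMOAGENT1",
     "kms_key_arn": "arn:aws:kms:eu-west-1:123456789012:key/0000aaaa-0000-aaaa-0000-aaaa0000aaaa"},
]


def parse_kms_arn(arn):
    """Return (region, account, key_id) from a KMS key ARN, or None if it is not one.
    Aliases ('alias/...') are rejected on purpose: the region cannot be read from them."""
    parts = arn.split(":", 5)
    if (len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms"
            or not parts[5].startswith("key/")):
        return None
    return parts[3], parts[4], parts[5][len("key/"):]


def classify(record, bedrock_region, account_id):
    """Label one resource by the kind of key protecting it."""
    arn = record.get("kms_key_arn")
    if not arn:
        return "aws-managed"
    parsed = parse_kms_arn(arn)
    if parsed is None:
        return "invalid-arn"
    region, account, _ = parsed
    if region != bedrock_region:
        return "cross-region-key"     # the region-mismatch case from Troubleshooting
    if account != account_id:
        return "cross-account-key"    # works only with a matching key policy grant
    return "cmk"


def summarize(records, bedrock_region, account_id):
    """Group resource ARNs by classification so gaps stand out in one view."""
    summary = {}
    for rec in records:
        summary.setdefault(classify(rec, bedrock_region, account_id), []).append(rec["resource"])
    return summary


def require_tls(endpoint_url):
    """boto3 uses HTTPS by default; this catches a client built with use_ssl=False."""
    return endpoint_url.lower().startswith("https://")


def collect_live(region="us-east-1"):
    """Build inventory records from the account (needs Bedrock read permissions).
    boto3 is imported here so the classification above can run without the SDK."""
    import boto3
    bedrock = boto3.client("bedrock", region_name=region)
    agents = boto3.client("bedrock-agent", region_name=region)
    for client in (bedrock, agents):
        if not require_tls(client.meta.endpoint_url):
            raise RuntimeError(f"non-TLS endpoint configured: {client.meta.endpoint_url}")
    records = []
    for m in bedrock.list_custom_models().get("modelSummaries", []):
        detail = bedrock.get_custom_model(modelIdentifier=m["modelArn"])
        records.append({"resource": m["modelArn"], "kms_key_arn": detail.get("modelKmsKeyArn")})
    for g in bedrock.list_guardrails().get("guardrails", []):
        detail = bedrock.get_guardrail(guardrailIdentifier=g["id"])
        records.append({"resource": g["arn"], "kms_key_arn": detail.get("kmsKeyArn")})
    for a in agents.list_agents().get("agentSummaries", []):
        detail = agents.get_agent(agentId=a["agentId"])["agent"]
        records.append({"resource": detail["agentArn"],
                        "kms_key_arn": detail.get("customerEncryptionKeyArn")})
    return records


if __name__ == "__main__":
    for label, arns in summarize(SAMPLE_RECORDS, "us-east-1", "123456789012").items():
        print(f"{label}: {arns}")
```

Resources that land in `aws-managed` are still encrypted, just not under a key you control; `cross-region-key` entries are the ones that produce the region-mismatch failures listed above and are worth fixing first.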

Key Takeaways

  • AWS Bedrock encrypts all data in transit with TLS and at rest using AWS KMS keys.
  • You can use AWS-managed or customer-managed KMS keys to control encryption.
  • Encryption is automatic and requires no extra steps during API calls.
  • Proper IAM permissions are essential to avoid encryption-related access errors.
Verified 2026-04