Merge branch 'main' into chore/refactor-airflow-dags-module

awslabs · Jun 17, 2024 · b6a6ddf · b6a6ddf
2 parents eaf98a6 + d77573d
commit b6a6ddf
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### **Changed**
 - remove explicit module manifest account/region mappings from `fmops-qna-rag`
 - changed ECR encryption to KMS_MANAGED
+- changed encryption for each bucket to KMS_MANAGED
 - refactor `airflow-dags` module to use Pydantic
 
 ## v1.2.0

diff --git a/manifests/bedrock-finetuning-modules.yaml b/manifests/bedrock-finetuning-modules.yaml
@@ -4,8 +4,6 @@ targetAccount: primary
 parameters:
   - name: bedrock-base-model-ID
     value: amazon.titan-text-express-v1
-  - name: bucket-name
-    value: sample_bucket_name
   - name: vpc_id
     valueFrom:
       moduleMetadata:
@@ -17,4 +15,4 @@ parameters:
       moduleMetadata:
         group: networking
         name: networking
-        key: PrivateSubnetIds
+        key: PrivateSubnetIds
diff --git a/manifests/mlops-sagemaker-multiacc/storage-modules.yaml b/manifests/mlops-sagemaker-multiacc/storage-modules.yaml
@@ -14,6 +14,6 @@ path: git::https://github.com/awslabs/idf-modules.git//modules/storage/buckets?r
 targetAccount: dev
 parameters:
   - name: encryption-type
-    value: SSE
+    value: KMS
   - name: retention-type
     value: DESTROY
diff --git a/modules/fmops/bedrock-finetuning/lib/bedrock-finetuning-stack.ts b/modules/fmops/bedrock-finetuning/lib/bedrock-finetuning-stack.ts
@@ -35,11 +35,11 @@ export class AmazonBedrockFinetuningStack extends cdk.Stack {
     const inputBucket = props?.bucketName
       ? s3.Bucket.fromBucketName(this, "ExistingBucket", props.bucketName)
       : new s3.Bucket(this, "BedrockBucket", {
-          bucketName: `bedrock-input-data-${props.deploymentName}-${props.moduleName}`,
+          bucketName: `${props.deploymentName}-${props.moduleName}-${this.account}`,
           removalPolicy: cdk.RemovalPolicy.RETAIN,
           eventBridgeEnabled: true,
           enforceSSL: true,
-          encryption: s3.BucketEncryption.S3_MANAGED,
+          encryption: s3.BucketEncryption.KMS_MANAGED,
         });
     this.bucketName = inputBucket.bucketName;
 
@@ -72,7 +72,13 @@ export class AmazonBedrockFinetuningStack extends cdk.Stack {
     });
     const KMSKeyPolicyStatement = new iam.PolicyStatement({
       effect: iam.Effect.ALLOW,
-      actions: ["kms:*"],
+      actions: [
+        "kms:Encrypt",
+        "kms:ReEncrypt*",
+        "kms:GenerateDataKey*",
+        "kms:Decrypt",
+        "kms:DescribeKey",
+      ],
       resources: [key.keyArn],
       conditions: {
         StringEquals: {