{"id":1879,"date":"2025-04-01T17:53:35","date_gmt":"2025-04-01T17:53:35","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/04\/01\/protect-data-privacy-in-amazon-bedrock-with-vault\/"},"modified":"2025-04-01T17:53:35","modified_gmt":"2025-04-01T17:53:35","slug":"protect-data-privacy-in-amazon-bedrock-with-vault","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2025\/04\/01\/protect-data-privacy-in-amazon-bedrock-with-vault\/","title":{"rendered":"Protect data privacy in Amazon Bedrock with Vault"},"content":{"rendered":"

You can use retrieval augmented generation (RAG) to refine and improve the output of a large language model (LLM) without retraining the model. However, many data sources include sensitive information, such as personal identifiable information (PII), that the LLM and its applications should not require or disclose \u2014 but sometimes they do. Sensitive information disclosure is one of the OWASP 2025 Top 10 Risks & Mitigations for LLMs and Gen AI Apps<\/a>. To mitigate this issue, OWASP recommends data sanitization, access control, and encryption.<\/p>\n

This post shows how HashiCorp Vault\u2019s transit secrets engine<\/a> can be configured to encrypt and protect sensitive data before sending it to an Amazon Bedrock Knowledge Base<\/a> created by Terraform. <\/p>\n

The sample dataset contains a list of vacation rentals from Airbnb<\/a>, which includes the names of the hosts. Not all applications require the names of the hosts, so the original application collecting the information encrypts the field using Vault before storing a rental listing in the database. As a result, running queries against the Amazon Bedrock Knowledge Base outputs the encrypted name and prevents the leakage of PII.<\/p>\n

Encrypt and upload data<\/h2>\n

The demo uses an HCP Vault<\/a> cluster with the transit secrets engine enabled. The host name for each rental gets encrypted by a key named listings with convergent encryption<\/a> enabled. Convergent encryption ensures that a plaintext host name results in the same ciphertext. This allows the LLM to analyze each rental listing for similarities between hosts without knowing the actual host name.<\/p>\n

resource “hcp_hvn” “rental” {
\n hvn_id = var.name
\n cloud_provider = “aws”
\n region = var.region
\n cidr_block = var.cidr_block
\n}<\/p>\n

resource “hcp_vault_cluster” “rental” {
\n cluster_id = var.name
\n hvn_id = hcp_hvn.rental.hvn_id
\n tier = “plus_small”
\n public_endpoint = true
\n}<\/p>\n

resource “hcp_vault_cluster_admin_token” “rental” {
\n cluster_id = hcp_vault_cluster.rental.cluster_id
\n}<\/p>\n

resource “vault_mount” “transit_rental” {
\n path = var.name
\n type = “transit”
\n description = “Key ring for rental information”
\n default_lease_ttl_seconds = 3600
\n max_lease_ttl_seconds = 86400
\n}<\/p>\n

resource “vault_transit_secret_backend_key” “listings” {
\n backend = vault_mount.transit_rental.path
\n name = “listings”
\n derived = true
\n convergent_encryption = true
\n deletion_allowed = true
\n}<\/p>\n

To process a CSV file<\/a> with a list of vacation rentals in New York City from January 2025, you would encrypt the name of the host as if it is sensitive data. Create a local script that uses the HVAC Python client for HashiCorp Vault<\/a> to access the encryption API endpoint in Vault.<\/p>\n

import base64
\nimport json
\nimport logging
\nimport os<\/p>\n

import boto3
\nimport hvac
\nimport pandas
\nfrom botocore.exceptions import ClientError
\nfrom langchain_community.document_loaders import CSVLoader<\/p>\n

from vardata import S3_BUCKET_NAME<\/p>\n

LISTINGS_FILE = “.\/data\/raw\/listings.csv”
\nENCRYPTED_LISTINGS_FILE = “.\/data\/listings.csv”
\nMOUNT_POINT = “rentals”
\nKEY_NAME = “listings”
\nCONTEXT = json.dumps({“location”: “New York City”, “field”: “host_name”})<\/p>\n

client = hvac.Client(
\n url=os.environ[“VAULT_ADDR”],
\n token=os.environ[“VAULT_TOKEN”],
\n namespace=os.getenv(“VAULT_NAMESPACE”),
\n)<\/p>\n

def encrypt_payload(payload):
\n try:
\n encrypt_data_response = client.secrets.transit.encrypt_data(
\n mount_point=MOUNT_POINT,
\n name=KEY_NAME,
\n plaintext=base64.b64encode(payload.encode()).decode(),
\n context=base64.b64encode(CONTEXT.encode()).decode(),
\n )
\n ciphertext = encrypt_data_response[“data”][“ciphertext”]
\n return ciphertext
\n except AttributeError:
\n return “”<\/p>\n

def encrypt_hostnames():
\n dataframe = pandas.read_csv(LISTINGS_FILE)
\n dataframe[“host_name”] = dataframe[“host_name”].apply(lambda x: encrypt_payload(x))
\n dataframe.to_csv(ENCRYPTED_LISTINGS_FILE, index=False)<\/p>\n

# omitted for clarity<\/p>\n

This example data would usually exist in a database. A separate application that adds the listing would encrypt and store the data in the database before it gets exported to CSV for reporting. While you could upload the CSV file in its entirety as a document, for this demo, continue processing the rental listings by uploading each record as its own document to debug and improve the LLM\u2019s responses. For more information on how to process semi-structured data for Amazon Bedrock, review the AWS samples repository<\/a>.<\/p>\n

Each entry in the CSV file gets written as its own document to the S3 bucket. This example uses LangChain<\/a> to convert each CSV record to a text file and upload it to S3.<\/p>\n

import base64
\nimport json
\nimport logging
\nimport os<\/p>\n

import boto3
\nimport hvac
\nimport pandas
\nfrom botocore.exceptions import ClientError
\nfrom langchain_community.document_loaders import CSVLoader<\/p>\n

from vardata import S3_BUCKET_NAME<\/p>\n

LISTINGS_FILE = “.\/data\/raw\/listings.csv”
\nENCRYPTED_LISTINGS_FILE = “.\/data\/listings.csv”
\nMOUNT_POINT = “rentals”
\nKEY_NAME = “listings”<\/p>\n

# omitted for clarity<\/p>\n

def create_documents():
\n loader = CSVLoader(ENCRYPTED_LISTINGS_FILE)
\n data = loader.load()
\n return data<\/p>\n

def upload_file(body, bucket, object):
\n s3_client = boto3.client(“s3”)
\n try:
\n s3_client.put_object(Body=body, Bucket=bucket, Key=object)
\n except ClientError as e:
\n logging.error(e)
\n return False
\n return True<\/p>\n

def main():
\n encrypt_hostnames()
\n docs = create_documents()
\n for i, doc in enumerate(docs):
\n upload_file(doc.page_content, S3_BUCKET_NAME, f”listings\/{i}”)<\/p>\n

if __name__ == “__main__”:
\n main()<\/p>\n

This script is intended for educational and testing purposes only. In a production use case, you can process data using AWS Sagemaker<\/a>. <\/p>\n

The script creates a text file with the name of the host in ciphertext. All other non-sensitive attributes, such as room type and listing ID, remain in plaintext.<\/p>\n

id: 1284789
\nname: Light-filled Brownstone Triplex with Roof Deck
\nhost_id: 5768571
\nhost_name: vault:v1:ocqgeegsqMeo2PawbxsK8lQ1Sqp5\/VVGqftD4DUbx1iKMw==
\nneighbourhood_group: Brooklyn
\nneighbourhood: Prospect Heights
\nlatitude: 40.67506
\nlongitude: -73.96423
\nroom_type: Entire home\/apt
\nprice:
\nminimum_nights: 30
\nnumber_of_reviews: 4
\nlast_review: 2023-07-28
\nreviews_per_month: 0.06
\ncalculated_host_listings_count: 1
\navailability_365: 0
\nnumber_of_reviews_ltm: 0
\nlicense:<\/p>\n

After processing the data, set up an Amazon Bedrock Knowledge Base to ingest the documents from S3 as a data source. If you stored the data in Amazon Aurora, Amazon Redshift, or Glue Data Catalog, you can set up a knowledge base to ingest from a structured data source<\/a>.<\/p>\n

Set up a vector store<\/h2>\n

Amazon Bedrock Knowledge Bases allow you to add proprietary information into applications using RAG. To ingest a data source from S3, Bedrock Knowledge Bases requires the following:<\/p>\n

Sufficient IAM policies to connect to S3
\nA supported vector store<\/a> for embeddings.<\/p>\n

This demo uses Amazon OpenSearch Serverless<\/a> to provision an OpenSearch cluster for vector embeddings. The cluster requires additional IAM policies to access collections and indexes that store the vector embeddings.<\/p>\n

Below are two security policies: one for the encryption of the collection with embeddings and a second for network access to the collection and dashboard. The security policy for network access to the collection and dashboard ensures that Terraform can properly create an index.<\/p>\n

resource “aws_opensearchserverless_security_policy” “rentals_encryption” {
\n name = var.name
\n type = “encryption”
\n policy = jsonencode({
\n “Rules” = [
\n {
\n “Resource” = [
\n “collection\/${var.name}”
\n ],
\n “ResourceType” = “collection”
\n },
\n ],
\n “AWSOwnedKey” = true
\n })
\n}<\/p>\n

resource “aws_opensearchserverless_security_policy” “rentals_network” {
\n name = var.name
\n type = “network”
\n policy = jsonencode([{
\n “Rules” = [
\n {
\n “Resource” = [
\n “collection\/${var.name}”
\n ],
\n “ResourceType” = “collection”
\n },
\n {
\n “Resource” = [
\n “collection\/${var.name}”
\n ],
\n “ResourceType” = “dashboard”
\n },
\n ],
\n “AllowFromPublic” = true,
\n }])
\n}<\/p>\n

The configuration below generates an access policy to allow Amazon Bedrock and your current AWS credentials in Terraform to read and write to the index with the collection of the embeddings.<\/p>\n

data “aws_caller_identity” “current” {}<\/p>\n

resource “aws_opensearchserverless_access_policy” “rentals” {
\n name = var.name
\n type = “data”
\n description = “read and write permissions”
\n policy = jsonencode([
\n {
\n Rules = [
\n {
\n ResourceType = “index”,
\n Resource = [
\n “index\/${var.name}\/*”
\n ],
\n Permission = [
\n “aoss:*”
\n ]
\n },
\n {
\n ResourceType = “collection”,
\n Resource = [
\n “collection\/${var.name}”
\n ],
\n Permission = [
\n “aoss:*”
\n ]
\n }
\n ],
\n Principal = [
\n aws_iam_role.bedrock.arn,
\n data.aws_caller_identity.current.arn
\n ]
\n }
\n ])
\n}<\/p>\n

After creating these policies, Terraform can now build the collection. For Amazon Bedrock Knowledge Bases, set the type to VECTORSEARCH.<\/p>\n

resource “aws_opensearchserverless_collection” “rentals” {
\n name = var.name
\n type = “VECTORSEARCH”<\/p>\n

depends_on = [
\n aws_opensearchserverless_security_policy.rentals_encryption,
\n aws_opensearchserverless_security_policy.rentals_network
\n ]
\n}<\/p>\n

Finally, you need to create an index for the vector embeddings collection in the OpenSearch cluster. Based on prerequisites for bringing your own vector store<\/a>, configure an index using the OpenSearch Provider for Terraform<\/a>. This example uses Amazon Titan<\/a> 2.0 embeddings, which have 1024 dimensions in the vector.<\/p>\n

provider “opensearch” {
\n url = aws_opensearchserverless_collection.rentals.collection_endpoint
\n healthcheck = false
\n}<\/p>\n

locals {
\n vector_field = “bedrock-knowledge-base-default-vector”
\n metadata_field = “AMAZON_BEDROCK_METADATA”
\n text_field = “AMAZON_BEDROCK_TEXT_CHUNK”
\n}<\/p>\n

resource “opensearch_index” “bedrock_knowledge_base” {
\n name = “bedrock-knowledge-base-default-index”
\n number_of_shards = “2”
\n number_of_replicas = “0”
\n index_knn = true
\n index_knn_algo_param_ef_search = “512”
\n mappings = <<-EOF
\n {
\n “properties”: {
\n “${local.vector_field}”: {
\n “type”: “knn_vector”,
\n “dimension”: 1024,
\n “method”: {
\n “name”: “hnsw”,
\n “engine”: “faiss”,
\n “parameters”: {
\n “m”: 16,
\n “ef_construction”: 512
\n },
\n “space_type”: “l2”
\n }
\n },
\n “${local.metadata_field}”: {
\n “type”: “text”,
\n “index”: “false”
\n },
\n “${local.text_field}”: {
\n “type”: “text”,
\n “index”: “true”
\n }
\n }
\n }
\n EOF
\n}<\/p>\n

After configuring the vector store, you can create an Amazon Bedrock Knowledge Base for the S3 bucket with rental listings.<\/p>\n

Configure RAG in Amazon Bedrock<\/h2>\n

In order to augment the responses from an LLM with rental listing information, you need to create an Amazon Bedrock Knowledge Base<\/a> to facilitate RAG. The knowledge base requires sufficient IAM access to the S3 bucket with rental listings and the OpenSearch collection. In addition to the data source and collection access, Amazon Bedrock\u2019s IAM role also needs permissions to invoke the model used for embeddings.<\/p>\n

resource “aws_iam_policy” “bedrock” {
\n name = “bedrock-${var.name}-s3”
\n path = “\/”
\n description = “Allow Bedrock Knowledge Base to access S3 bucket with rentals”<\/p>\n

policy = jsonencode({
\n Version = “2012-10-17”
\n Statement = [
\n {
\n Action = [
\n “s3:ListBucket”,
\n ],
\n Effect = “Allow”,
\n Resource = aws_s3_bucket.rentals.arn,
\n Condition = {
\n StringEquals = {
\n “aws:ResourceAccount” = data.aws_caller_identity.current.account_id
\n }
\n }
\n },
\n {
\n Action = [
\n “s3:GetObject”,
\n ],
\n Effect = “Allow”,
\n Resource = “${aws_s3_bucket.rentals.arn}\/*”,
\n Condition = {
\n StringEquals = {
\n “aws:ResourceAccount” = data.aws_caller_identity.current.account_id
\n }
\n }
\n },
\n {
\n Action = [
\n “aoss:APIAccessAll”
\n ],
\n Effect = “Allow”,
\n Resource = aws_opensearchserverless_collection.rentals.arn,
\n },
\n {
\n Action = [
\n “bedrock:InvokeModel”
\n ],
\n Effect = “Allow”,
\n Resource = data.aws_bedrock_foundation_model.embedding.model_arn,
\n }
\n ]
\n })
\n}<\/p>\n

resource “aws_iam_role” “bedrock” {
\n name_prefix = “bedrock-${var.name}-“<\/p>\n

assume_role_policy = jsonencode({
\n Version = “2012-10-17”
\n Statement = [
\n {
\n Action = “sts:AssumeRole”
\n Effect = “Allow”
\n Principal = {
\n Service = “bedrock.amazonaws.com”
\n },
\n Condition = {
\n StringEquals = {
\n “aws:SourceAccount” = data.aws_caller_identity.current.account_id
\n },
\n }
\n },
\n ]
\n })
\n}<\/p>\n

resource “aws_iam_role_policy_attachment” “bedrock” {
\n role = aws_iam_role.bedrock.name
\n policy_arn = aws_iam_policy.bedrock.arn
\n}<\/p>\n

Configure the Amazon Bedrock knowledge base in Terraform. It uses the IAM role with permissions to the S3 bucket, OpenSearch collection, and embedding model. It also defines the field mappings defined in the OpenSearch index for the vector embeddings.<\/p>\n

resource “aws_bedrockagent_knowledge_base” “rentals” {
\n name = var.name
\n role_arn = aws_iam_role.bedrock.arn
\n knowledge_base_configuration {
\n vector_knowledge_base_configuration {
\n embedding_model_arn = data.aws_bedrock_foundation_model.embedding.model_arn
\n }
\n type = “VECTOR”
\n }<\/p>\n

storage_configuration {
\n type = “OPENSEARCH_SERVERLESS”
\n opensearch_serverless_configuration {
\n collection_arn = aws_opensearchserverless_collection.rentals.arn
\n vector_index_name = opensearch_index.bedrock_knowledge_base.name
\n field_mapping {
\n vector_field = local.vector_field
\n text_field = local.text_field
\n metadata_field = local.metadata_field
\n }
\n }
\n }
\n}<\/p>\n

Create a data source for the knowledge base linked to the Amazon S3 bucket with rental listings.<\/p>\n

resource “aws_bedrockagent_data_source” “listings” {
\n knowledge_base_id = aws_bedrockagent_knowledge_base.rentals.id
\n name = “listings”
\n data_source_configuration {
\n type = “S3”
\n s3_configuration {
\n bucket_arn = aws_s3_bucket.rentals.arn
\n }
\n }
\n}<\/p>\n

After deploying this in Terraform, you can test the knowledge base with some requests.<\/p>\n

Test the knowledge base<\/h2>\n

When you ask questions to the knowledge base with information about rental listings, you should get responses with additional detail based on the listings.<\/p>\n

This example asks Anthropic Claude 3.7 Sonnet how many vacation rentals are in the Box House Hotel. It returned a response indicating that it searched the rental listings and found at least ten of them.<\/p>\n

Input:
\nHow many vacation rentals are in the Box House Hotel?<\/p>\n

Output:
\nBased on the search results, there are at least 10 vacation rentals listed at
\nthe Box House Hotel in Greenpoint, Brooklyn. These include various room types
\nsuch as Superior rooms, Lofts with Terraces, Duplex rooms with Terraces, and
\nmulti-bedroom options. All of these listings share the same host
\n(host_id: 417504) and are located at approximately the same coordinates in the
\nGreenpoint neighborhood of Brooklyn.<\/p>\n

Loading data into Amazon Bedrock improved the response by adding new information that the model did not have for training. Since you took additional steps to encrypt the names of the hosts and protect them as sensitive data, the model should not return information with the plaintext names of the hosts. <\/p>\n

The example below asks an additional question about the name of the host who owns these vacation rental listings. After some searching, the model responds that the host name is encrypted and it found 29 other listings with the same ciphertext.<\/p>\n

Input:
\nWhat is the name of the host for these vacation rental listings in the Box House Hotel?<\/p>\n

Output:
\nThe host name for Box House Hotel (host_id: 417504) appears to be encrypted in
\nthe database. In the search results, the host_name field for this host is shown
\nas “vault:v1:gCMhLikagB3DgHEzpcc0TJbnreYNrS39w9eiHwxUyMOVR5ClyzUaFEnqZC+Ohhk=”
\nacross all their listings.<\/p>\n

This host appears to manage multiple properties under the Box House Hotel brand in the Greenpoint neighborhood of Brooklyn, with 29 total listings according to the calculated_host_listings_count field.<\/p>\n

Convergent encryption ensures the same names of hosts result in the same ciphertext, which allows the LLM to still analyze the data and identify that the same host offers 29 rental properties. If an LLM application needs to respond with the plaintext name of the host, it can use the Vault transit secrets engine to decrypt the ciphertext before returning the response.<\/p>\n

Learn more<\/h2>\n

By encrypting sensitive data before augmenting a LLM with RAG, you can protect access to the data and prevent leakage of sensitive information. In this demo, an LLM in testing and other applications by default do not need access to the plaintext name of the host for the vacation rental. They can still analyze and provide other information without leaking the name of the host for each vacation rental listing.<\/p>\n

For applications that need access to the plaintext name of the host, they can implement additional code to decrypt the payload with Vault transit secrets engine<\/a>. This ensures that only authorized applications have access to Vault\u2019s decryption endpoint to reveal sensitive data. Vault offers additional advanced data protection techniques<\/a> such as format-preserving encryption<\/a>, masking, and data tokenization<\/a> using the transform secrets engine<\/a>. The transform secrets engine further masks or sanitizes sensitive information while allowing the LLM and its applications to process data.<\/p>\n

To learn more about Amazon Bedrock Knowledge Bases, check out its documentation<\/a>. The OWASP Top 10 Risks & Mitigations for LLMs and Gen AI Apps<\/a> includes a list of risks and mitigations for LLMs and Gen AI Apps, including some recommendations to prevent sensitive data disclosure. <\/p>","protected":false},"excerpt":{"rendered":"

You can use retrieval augmented generation (RAG) to refine and improve the output of a large language model (LLM) without […]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[6],"tags":[],"class_list":["post-1879","post","type-post","status-publish","format-standard","hentry","category-terraform"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/1879","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=1879"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/1879\/revisions"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=1879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=1879"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=1879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}