Customer managed encryption keys

By default, Data Lake and FreeIPA's Amazon Elastic Block Store (EBS) volumes and Relational Database Service (RDS) are encrypted using a default key from Amazon’s KMS, but you can optionally configure encryption using Customer Managed Keys (CMK). Data Hubs inherit environment's encryption key by default but you have an option to specify a different CMK during Data Hub creation.

Amazon offers the option to encrypt EBS volumes and RDS instances using a default key from Amazon's Key Management System (KMS) or using an external customer-managed KMS. By default, Data Lake and FreeIPA are encrypted using the default key from Amazon’s KMS present in the region where the environment is running, but you can provide a customer-managed KMS key instead of the default key. Encryption is configured for block devices and root devices. When encryption is configured for a given cluster, it is automatically applied to all the disk devices of any new VM instances added as a result of cluster scaling or repair.

Environment and Data Hub encryption options

By default, Data Hubs use the same default key from Amazon’s KMS or CMK as the parent environment but you have an option to pass a different CMK during Data Hub creation.

All possible scenarios are summarized in the following table:

Encryption key during environment registration Encryption key during Data Hub creation Result
Absent Absent
  • EBS and RDS encryption for Data Lake, FreeIPA, and Data Hubs is with the default regional encryption key.

Present Absent
  • EBS and RDS encryption for Data Lake, FreeIPA, and all Data Hubs is with the CMK provided during environment registration.
Present Present
  • EBS and RDS encryption for Data Lake and FreeIPA is with the CMK provided during environment registration.

  • If a CMK is provided for a Data Hub, then EBS encryption for the Data Hub is with the CMK provided per host group during the Data Hub creation.

Absent Present
  • No EBS and RDS encryption is configured for Data Lake and FreeIPA.

  • EBS encryption for the specific Data Hub is with the default or CMK provided per host group during Data Hub creation.

Permissions for using encryption

If you are planning to use encryption, ensure that the cross-account IAM role used for the provisioning credential includes the following permissions:

EC2 permissions

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "ec2:CopyImage",
      "ec2:CreateSnapshot",
      "ec2:DeleteSnapshot",
      "ec2:DescribeSnapshots",
      "ec2:CreateVolume",
      "ec2:DeleteVolume",
      "ec2:DescribeVolumes",
      "ec2:DeregisterImage",
    ],
    "Resource": "*"
  }
}
KMS permissions
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "kms:DescribeKey",
      "kms:ListKeys",
      "kms:ListAliases"
    ],
    "Resource": "*"
  }
}

If planning to use encryption, ensure that your existing encryption key can be used or create a new encryption key.

Ensuring that an existing encryption key can be used

If you already have an existing encryption key, make sure that the key fulfills the following requirements.

If you have an existing encryption key that you would like to use with Data Hub, make sure that:

  • The following are attached as key user:

    • The AWSServiceRoleForAutoScaling built-in role.

    • Your IAM role or IAM user used for the cloud credential.

  • To check that these are attached, in the AWS Management Console, navigate to the KMS console > Customer managed keys, select your encryption key, and scroll to Key Users.

  • The encryption key is located in the same region where you would like to create clusters with encrypted volumes.

Creating a new encryption key on AWS

If you don't have an existing encryption key, use the following instructions to create one.

  1. In the AWS Management Console, navigate to KMS console.

  2. Select Customer managed keys.

  3. From the Region dropdown, select the region in which you would like to create and use the encryption key.

  4. Click Create key.

  5. In Step 1: Configure Key:

    1. Under Key type, choose Symmetric.

    2. Expand Advanced Options and under Key Material Origin, select “KMS” or “External”.

  6. In Step 2: Create Alias and Description:

    1. Enter an alias for your key.

    2. Defining tags is optional.

  7. In Step 3: Define Key Administrative Permissions, select the following:

    1. Choose your own IAM user/role used for logging into the AWS Management Console. Do not set AWSServiceRoleForAutoScaling or the cross-account IAM role as the key admin.

  8. In Step 4: Define Key Usage Permissions:

    1. Select the AWSServiceRoleForAutoScaling built-in role.

    2. Select the cross-account IAM role.

  9. In Step 5: Review and edit key policy, you may optionally tweak the key policy as desired, or simply leave it as generated by AWS.

  10. Navigate to the last page of the wizard and then click Finish to create an encryption key.