Enabling Customer Managed Keys (CMK) on Amazon Web Services (AWS)

Learn how to use customer managed key (CMK) enabled environments for Cloudera Data Engineering (CDE) services deployed on AWS. These environments use CMK-based data-at-rest encryption for Amazon Relational Database Service (RDS), Kubernetes secrets, and data-at-rest encryption.

To perform these steps, you must be a CDE Admin and obtain your customer managed key from your Amazon Key Management Service (KMS). The CMK that you obtain is associated with the environment in the steps below.

Add the CMK

Once you've obtained the CMK, complete the following steps:

  1. Go to the Cloudera Management Console.
  2. Click Environments.
  3. Click the environment where your CDE Service is deployed.
  4. In the Customer Managed Encryption Key section, click Edit.
  5. Toggle Enable Customer-Managed Keys.
  6. Select the Select Encryption Key field.
  7. Click Save. Once saved, the key is associated with the environment and you cannot change the CMK. From this point on, any CDE Service deployed using this CMK-enabled environment uses CMK-based data-at-rest encryption for EFS.
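
Because the key cannot be changed after step 7, it is worth checking it before you save. The following is an added example, not Cloudera's own code: a pre-flight check over the KeyMetadata returned by AWS KMS DescribeKey. The function name, the sample metadata, and the specific checks (based on AWS requiring symmetric, same-region keys for RDS, EFS and Kubernetes secrets encryption) are assumptions.

```python
# Added example: pre-flight check of a KMS key before step 7 makes it permanent.
# Input is the "KeyMetadata" dict from AWS KMS DescribeKey, for example:
#   boto3.client("kms", region_name=region).describe_key(KeyId=arn)["KeyMetadata"]
# The checks reflect AWS service behaviour; they are not Cloudera's documented list.

def cmk_preflight(meta, env_region):
    """Return a list of problems; an empty list means the key looks usable."""
    problems = []
    if meta.get("KeyManager") != "CUSTOMER":
        problems.append("key is AWS managed, not customer managed")
    if meta.get("KeyState") != "Enabled":
        problems.append(f"key state is {meta.get('KeyState')}, expected Enabled")
    if (meta.get("KeySpec") != "SYMMETRIC_DEFAULT"
            or meta.get("KeyUsage") != "ENCRYPT_DECRYPT"):
        problems.append("key is not a symmetric encryption key")
    # ARN layout: arn:partition:kms:region:account-id:key/key-id
    parts = meta.get("Arn", "").split(":")
    key_region = parts[3] if len(parts) >= 6 else None
    if key_region != env_region:
        problems.append(
            f"key region {key_region} differs from environment region {env_region}")
    if meta.get("DeletionDate"):
        problems.append("key is scheduled for deletion")
    return problems

# Constructed sample metadata; the account ID and key ID are placeholders.
GOOD_KEY = {
    "Arn": "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000",
    "KeyManager": "CUSTOMER",
    "KeyState": "Enabled",
    "KeySpec": "SYMMETRIC_DEFAULT",
    "KeyUsage": "ENCRYPT_DECRYPT",
}
# Same key, but asymmetric and pending deletion.
BAD_KEY = dict(GOOD_KEY, KeyState="PendingDeletion", KeySpec="RSA_2048",
               KeyUsage="SIGN_VERIFY", DeletionDate="2030-01-01T00:00:00Z")

if __name__ == "__main__":
    for name, key in (("good", GOOD_KEY), ("bad", BAD_KEY)):
        issues = cmk_preflight(key, "us-west-2")
        print(name, "OK" if not issues else issues)
```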