AWS Key Management Service (KMS)

Suggest edits

Before you can create TDE-enabled clusters with an AWS Key Management Service key, an administrator must install and configure AWS KMS for the Hybrid Manager instance.

This example creates a symmetric customer-managed key in AWS, configures the KMS provider in the Hybrid Manager, and then uses the key to enable TDE for provisioning a new database cluster with encryption enabled.

If you are running the Hybrid Manager on Amazon Elastic Kubernetes Service (EKS), it can be practical to use AWS KMS for key management, as it provides a native integration and alignment with the AWS ecosystem's best practices.

Prerequisites

Ensure you have set the parameter for AWS KMS in the values.yaml of the Hybrid Manager. See Adding KMS support to enable it.

Creating the AWS KMS key

Create a symmetric customer-managed key using AWS Console, AWS CLI or AWS API in the same AWS account and region where the Hybrid Manager is installed.

Use the following configuration for the new key:

  • Key type: Symmetric

  • Key usage: Encrypt and decrypt

  • Alias: Assign a user-friendly alias for the key (do not enter sensitive information)

  • Key policy: Ensure the main IAM user or role configured for the Hybrid Manager in the Kubernetes cluster has permissions to encrypt and decrypt keys.

    {
    "Sid": "Allow HM identity to use this KMS key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "<IAM-user-or-role-arn>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
    ],
    "Resource": "*"
}

Now that you have created a customer-managed KMS key, add it to a project in the Console.

Assigning the AWS KMS key to a project

Add the created key to a project:

  1. On the Console, go to the project under which you'll create TDE-enabled clusters. You can use a key for several clusters in a project, but we recommend setting up a new key per additional Hybrid Manager project.

  2. On the left-side navigation, select SettingsSecurity, and then + Add a key.

  3. Select a location to configure the key.

  4. Select AWS under Select key management system provider.

  5. In Enter AWS Key Management System ARN, enter the AWS KMS key ARN. See Find the key ID and key ARN in AWS KMS documentation.

  6. If desired, you can enter an alternative key name that is easy to remember in (Optional) Enter a friendly name for your key.

  7. Select Add Key.

You can now use this key if you want to enable encryption when you create clusters. The added key will appear as an option when you enable TDE during cluster creation.

← Prev

HashiCorp Vault

↑ Up

Enabling Key Management Systems for TDE

Next →

Google Cloud Key Management Service (Cloud KMS)

Could this page be better? Report a problem or suggest an addition!