Encrypt an anomaly detector and its results with Amazon KMS
Anomaly detector data is always encrypted in CloudWatch Logs. By default, CloudWatch Logs uses server-side encryption for the data at rest. As an alternative, you can use Amazon Key Management Service for this encryption. If you do, the encryption is done using an Amazon KMS key. Encryption using Amazon KMS is enabled at the anomaly detector level, by associating a KMS key with an anomaly detector.
Important
CloudWatch Logs supports only symmetric KMS keys. Do not use an asymmetric key to encrypt the data in your log groups. For more information, see Using Symmetric and Asymmetric Keys.
Limits
- To perform the following steps, you must have the following permissions: kms:CreateKey, kms:GetKeyPolicy, and kms:PutKeyPolicy.
- After you associate or disassociate a key from an anomaly detector, it can take up to five minutes for the operation to take effect.
- If you revoke CloudWatch Logs access to an associated key or delete an associated KMS key, your encrypted data in CloudWatch Logs can no longer be retrieved.
Step 1: Create an Amazon KMS key
To create a KMS key, use the following create-key command:
aws kms create-key
The output contains the key ID and Amazon Resource Name (ARN) of the key. The following is example output:
{
    "KeyMetadata": {
        "Origin": "AWS_KMS",
        "KeyId": "key-default-1",
        "Description": "",
        "KeyManager": "CUSTOMER",
        "Enabled": true,
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeyState": "Enabled",
        "CreationDate": 1478910250.94,
        "Arn": "arn:aws:kms:us-west-2:123456789012:key/key-default-1",
        "AWSAccountId": "123456789012",
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ]
    }
}
Step 2: Set permissions on the KMS key
By default, all Amazon KMS keys are private. Only the resource owner can use a key to encrypt and decrypt data. However, the resource owner can grant other users and resources permission to access the KMS key. In this step, you give the CloudWatch Logs service principal permission to use the key. This service principal must be in the same Amazon Region where the KMS key is stored.
As a best practice, we recommend that you restrict the use of the KMS key to only those Amazon accounts or anomaly detectors that you specify.
First, save the default policy for your KMS key as policy.json using the following get-key-policy command:
aws kms get-key-policy --key-id key-id --policy-name default --output text > ./policy.json
Open the policy.json file in a text editor and add the two statements for the CloudWatch Logs service principal (logs.REGION.amazonaws.com) shown in the following policy. Separate the existing statement from the new statements with a comma. These statements use Condition sections to enhance the security of the Amazon KMS key. For more information, see Amazon KMS keys and encryption context.
The Condition section in this example limits the use of the Amazon KMS key to the specified account, but the key can be used for any anomaly detector in that account.
{
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": { "AWS": "arn:aws:iam::Your_account_ID:root" },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": { "Service": "logs.REGION.amazonaws.com" },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": { "Service": "logs.REGION.amazonaws.com" },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "kms:EncryptionContext:aws-crypto-ec:aws:logs:arn": "arn:aws:logs:REGION:Your_account_ID:anomaly-detector:*"
                }
            }
        }
    ]
}
Finally, add the updated policy using the following put-key-policy command:
aws kms put-key-policy --key-id key-id --policy-name default --policy file://policy.json
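Before running put-key-policy, it is worth checking that every statement granting the CloudWatch Logs service principal actually carries the encryption-context Condition described above; a statement that grants kms:Decrypt to logs.REGION.amazonaws.com without it lets any CloudWatch Logs resource in the Region use the key. The following checker is an added example, not part of this documentation or the Amazon CLI: audit_logs_statements and logs_statement are hypothetical names, and the two sample policies are constructed here in the shape of the policy shown above.

```python
import fnmatch

# Required actions and the two encryption-context keys come from the page's policy
REQUIRED_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey")
CONTEXT_KEYS = ("kms:EncryptionContext:aws:logs:arn",
                "kms:EncryptionContext:aws-crypto-ec:aws:logs:arn")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _covers(granted, required):
    # IAM action strings may carry wildcards, e.g. "kms:*" covers every kms action
    return any(fnmatch.fnmatchcase(required, g) for g in granted)

def audit_logs_statements(policy, region, account):
    """Return (status, detail) for each Allow statement naming the CloudWatch Logs
    principal: 'ok' if the required actions are granted and an ArnLike encryption-context
    condition limits use to this account's anomaly detectors, 'unscoped' if that
    condition is absent, 'incomplete' if a required action is missing."""
    principal = f"logs.{region}.amazonaws.com"
    expected = f"arn:aws:logs:{region}:{account}:anomaly-detector:*"
    findings = []
    for stmt in policy.get("Statement", []):
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if stmt.get("Effect") != "Allow" or principal not in services:
            continue
        granted = _as_list(stmt.get("Action", []))
        missing = [a for a in REQUIRED_ACTIONS if not _covers(granted, a)]
        if missing:
            findings.append(("incomplete", missing))
            continue
        arn_like = stmt.get("Condition", {}).get("ArnLike", {})
        scoped = [k for k in CONTEXT_KEYS if expected in _as_list(arn_like.get(k, []))]
        findings.append(("ok", scoped) if scoped else ("unscoped", []))
    return findings

def logs_statement(region, account, context_key=None):
    """Constructed statement in the shape of the page's policy (sample values only)."""
    stmt = {"Effect": "Allow", "Principal": {"Service": f"logs.{region}.amazonaws.com"},
            "Action": list(REQUIRED_ACTIONS), "Resource": "*"}
    if context_key:  # omit the Condition to model the weak, unscoped grant
        stmt["Condition"] = {"ArnLike": {
            context_key: f"arn:aws:logs:{region}:{account}:anomaly-detector:*"}}
    return stmt

# Constructed sample policies: one scoped like the page's, one missing the Condition
REGION, ACCOUNT = "us-west-2", "123456789012"
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    logs_statement(REGION, ACCOUNT, CONTEXT_KEYS[0]), logs_statement(REGION, ACCOUNT, CONTEXT_KEYS[1])]}
UNSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [logs_statement(REGION, ACCOUNT)]}
```

Load the real policy.json with json.load and pass it with your Region and account ID; any 'unscoped' or 'incomplete' finding means the policy does not match the restricted form shown above.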
Step 3: Associate a KMS key with an anomaly detector
You can associate a KMS key with an anomaly detector when you create it in the console or using the Amazon CLI or APIs.
Step 4: Disassociate a key from an anomaly detector
After a key has been associated with an anomaly detector, you can't update the key. The only way to remove the key is to delete the anomaly detector, and then re-create it.