Encrypting data written by DataBrew jobs
DataBrew jobs can write to encrypted Amazon S3 targets and encrypted Amazon CloudWatch Logs.
Setting up DataBrew to use encryption
Follow this procedure to set up your DataBrew environment to use encryption.
To set up your DataBrew environment to use encryption
1. Create or update your Amazon KMS keys to give Amazon KMS permissions to the Amazon Identity and Access Management (IAM) roles that are passed to DataBrew jobs. These IAM roles are used to encrypt CloudWatch Logs and Amazon S3 targets. For more information, see Encrypt Log Data in CloudWatch Logs Using Amazon KMS in the Amazon CloudWatch Logs User Guide.

In the following example, "role1", "role2", and "role3" are IAM roles that are passed to DataBrew jobs. This policy statement describes a KMS key policy that gives permission to the listed IAM roles to encrypt and decrypt with this KMS key.

{
  "Effect": "Allow",
  "Principal": {
    "Service": "logs.region.amazonaws.com",
    "AWS": [ "role1", "role2", "role3" ]
  },
  "Action": [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*"
  ],
  "Resource": "*"
}

The Service statement, shown as "Service": "logs.region.amazonaws.com", is required if you use the key to encrypt CloudWatch Logs.

2. Ensure that the Amazon KMS key is set to ENABLED before it is used.

For more information about specifying permissions using Amazon KMS key policies, see Using key policies in Amazon KMS.
Creating a route to Amazon KMS for VPC jobs
You can connect directly to Amazon KMS through a private endpoint in your virtual private cloud (VPC) instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and Amazon KMS is conducted entirely within the Amazon network.
You can create an Amazon KMS VPC endpoint within a VPC. Without this step, your DataBrew jobs might fail with a KMS timeout. For detailed instructions, see Connecting to Amazon KMS Through a VPC Endpoint in the Amazon Key Management Service Developer Guide.
As you follow these instructions, on the VPC console:
- Choose Enable Private DNS name.
- For Security group, choose the security group (including a self-referencing rule) that you use for your DataBrew job that accesses Java Database Connectivity (JDBC).
When you run a DataBrew job that accesses JDBC data stores, DataBrew must have a route to the Amazon KMS endpoint. You can provide the route with a network address translation (NAT) gateway or with an Amazon KMS VPC endpoint. To create a NAT gateway, see NAT Gateways in the Amazon VPC User Guide.
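The following preflight check is an added example, not code from the DataBrew documentation or the DataBrew project. It applies the three requirements above (a KMS Interface endpoint in the job's VPC, private DNS enabled, and the job's self-referencing security group attached) to data in the shape of the EC2 DescribeVpcEndpoints and DescribeSecurityGroups responses. The two response documents, the VPC and security-group ids and the region are constructed placeholders so the check runs offline; in practice you would feed it the live responses.

```python
"""Offline preflight for the private route from a DataBrew VPC job to Amazon KMS.

The responses below are constructed to mirror the shape of ec2:DescribeVpcEndpoints
and ec2:DescribeSecurityGroups; ids and region are placeholders (assumptions), not
values from the documentation page."""

REGION = "us-east-1"                 # placeholder
JOB_VPC = "vpc-0123456789abcdef0"    # placeholder: the VPC the DataBrew job runs in
JOB_SG = "sg-0123456789abcdef0"      # placeholder: the job's JDBC security group

VPC_ENDPOINTS = {"VpcEndpoints": [{
    "VpcEndpointId": "vpce-0123456789abcdef0",
    "VpcEndpointType": "Interface",
    "VpcId": JOB_VPC,
    "ServiceName": f"com.amazonaws.{REGION}.kms",
    "State": "available",
    "PrivateDnsEnabled": True,
    "Groups": [{"GroupId": JOB_SG, "GroupName": "databrew-jdbc"}],
}]}

# The job security group with the self-referencing rule the page asks for (all protocols from itself).
SECURITY_GROUPS = {"SecurityGroups": [{
    "GroupId": JOB_SG,
    "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": JOB_SG}]}],
}]}


def has_self_reference(security_groups, group_id):
    """True when the group has an ingress rule whose source is the group itself."""
    for sg in security_groups.get("SecurityGroups", []):
        if sg.get("GroupId") != group_id:
            continue
        for perm in sg.get("IpPermissions", []):
            if any(pair.get("GroupId") == group_id for pair in perm.get("UserIdGroupPairs", [])):
                return True
    return False


def check_kms_route(endpoints, security_groups, vpc_id, job_sg, region):
    """Return a list of findings; an empty list means the VPC has a usable private route to KMS."""
    service = f"com.amazonaws.{region}.kms"
    matches = [e for e in endpoints.get("VpcEndpoints", [])
               if e.get("VpcId") == vpc_id and e.get("ServiceName") == service
               and e.get("VpcEndpointType") == "Interface"]
    if not matches:
        return [f"no Interface endpoint for {service} in {vpc_id}; jobs may fail with a KMS "
                "timeout unless a NAT gateway provides the route"]
    findings = []
    for ep in matches:
        eid = ep.get("VpcEndpointId")
        if ep.get("State") != "available":
            findings.append(f"{eid} is in state {ep.get('State')!r}, not 'available'")
        if not ep.get("PrivateDnsEnabled"):
            # Without private DNS the regional KMS hostname still resolves to the public endpoint.
            findings.append(f"{eid} has private DNS disabled; the KMS hostname will not resolve to it")
        groups = {g.get("GroupId") for g in ep.get("Groups", [])}
        if job_sg not in groups:
            findings.append(f"{eid} does not use the job security group {job_sg}")
    if not has_self_reference(security_groups, job_sg):
        findings.append(f"{job_sg} has no self-referencing ingress rule")
    return findings


if __name__ == "__main__":
    result = check_kms_route(VPC_ENDPOINTS, SECURITY_GROUPS, JOB_VPC, JOB_SG, REGION)
    print("KMS route OK" if not result else "\n".join(result))
```

The check deliberately reports a missing endpoint as a single finding, because a NAT gateway is the page's alternative route and the remaining endpoint properties are meaningless without an endpoint.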
Setting up encryption with Amazon KMS keys
When you enable encryption on a job, it applies to both Amazon S3 and CloudWatch. The IAM role that is passed must have the following Amazon KMS permissions.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [ "kms:GenerateDataKey*" ],
    "Resource": "arn:aws:kms:region:account-id:key/key-id"
  }
}
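The script below is an added example, not code from the DataBrew documentation. It checks the two policy documents this page describes: the KMS key policy from the setup procedure (each job role, and the logs.region.amazonaws.com service principal when the key also encrypts CloudWatch Logs, must be allowed the encrypt, decrypt, re-encrypt, generate-data-key and describe actions) and the IAM policy on the job role shown just above (kms:GenerateDataKey* on the key ARN). It also checks the ENABLED key-state requirement against data in the shape of KMS DescribeKey's KeyMetadata. The account id, region, role ARNs and key id are constructed placeholders; the policy bodies are the page's examples with those placeholders filled in.

```python
"""Offline checks for a DataBrew encryption setup: the KMS key policy, the job
role's IAM policy and the key state.

Sample documents are constructed from the page's examples; the account id, region,
role names and key id are placeholders (assumptions), not values from the page."""
import fnmatch

REGION = "us-east-1"                                        # placeholder
ACCOUNT = "111122223333"                                    # placeholder
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/EXAMPLE-KEY-ID"
JOB_ROLES = [f"arn:aws:iam::{ACCOUNT}:role/{r}" for r in ("role1", "role2", "role3")]

# Concrete actions that the page's wildcards (kms:Encrypt*, kms:ReEncrypt*, kms:Describe*, ...) must cover.
REQUIRED_KEY_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
                        "kms:GenerateDataKey", "kms:DescribeKey")

# Key policy statement from the page, with placeholder role ARNs (constructed sample).
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": f"logs.{REGION}.amazonaws.com", "AWS": JOB_ROLES},
        "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:Describe*"],
        "Resource": "*",
    }],
}

# Job role policy from the page; "Statement" is a single object here, which IAM permits.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["kms:GenerateDataKey*"], "Resource": KEY_ARN},
}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _principals(statement, kind):
    """Principals of one kind ("AWS" or "Service"); a bare "*" principal covers every kind."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    return set(_as_list(principal.get(kind)))


def _grants(statement, action, resource):
    """True if an Action pattern matches `action` (case-insensitive) and a Resource pattern
    matches `resource` (case-sensitive), using IAM's * and ? wildcards."""
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(statement.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement.get("Resource")))
    return action_ok and resource_ok


def check_key_policy(policy, roles, key_arn, region, encrypt_logs=True):
    """Findings for a key policy; empty means every role (and, if encrypt_logs, the
    logs.<region>.amazonaws.com principal) is explicitly allowed each required action.
    A statement that opens KMS actions to any AWS principal is reported, not accepted."""
    findings = []
    allows = _allow_statements(policy)
    for i, s in enumerate(allows):
        if "*" in _principals(s, "AWS") and any(p == "*" or p.lower().startswith("kms:")
                                                 for p in _as_list(s.get("Action"))):
            findings.append(f"statement {i} grants KMS actions to any principal")
    for role in roles:
        for action in REQUIRED_KEY_ACTIONS:
            if not any(role in _principals(s, "AWS") and _grants(s, action, key_arn) for s in allows):
                findings.append(f"{role} is not allowed {action}")
    if encrypt_logs:
        logs_principal = f"logs.{region}.amazonaws.com"
        for action in REQUIRED_KEY_ACTIONS:
            if not any(logs_principal in _principals(s, "Service") and _grants(s, action, key_arn)
                       for s in allows):
                findings.append(f"{logs_principal} is not allowed {action}")
    return findings


def check_role_policy(policy, key_arn):
    """The job role's own policy must allow kms:GenerateDataKey on the key."""
    if any(_grants(s, "kms:GenerateDataKey", key_arn) for s in _allow_statements(policy)):
        return []
    return [f"job role lacks kms:GenerateDataKey on {key_arn}"]


def check_key_enabled(key_metadata):
    """key_metadata has the shape of kms:DescribeKey's KeyMetadata; the key must be Enabled."""
    state = key_metadata.get("KeyState")
    return [] if state == "Enabled" else [f"key state is {state!r}, expected 'Enabled'"]


if __name__ == "__main__":
    for name, findings in (("key policy", check_key_policy(KEY_POLICY, JOB_ROLES, KEY_ARN, REGION)),
                           ("role policy", check_role_policy(ROLE_POLICY, KEY_ARN)),
                           ("key state", check_key_enabled({"KeyState": "Enabled"}))):
        print(name, "OK" if not findings else findings)
```

Wildcard expansion matters here: the page's kms:ReEncrypt* is what actually covers kms:ReEncryptFrom and kms:ReEncryptTo, so the checker tests concrete action names against the patterns rather than comparing strings, and a principal of "*" is reported as a finding because a key usable by any principal is not what the procedure describes.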
For more information, see the following topics in the Amazon Simple Storage Service User Guide:
- For information about SSE-S3, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3).
- For information about SSE-KMS, see Protecting Data Using Server-Side Encryption with Amazon KMS–Managed Keys (SSE-KMS).