

# Encrypting data written by DataBrew jobs
<a name="encryption-security-configuration"></a>

DataBrew jobs can write to encrypted Amazon S3 targets and encrypted Amazon CloudWatch Logs. 

**Topics**
+ [Setting up DataBrew to use encryption](#encryption-setup-DataBrew)
+ [Creating a route to Amazon KMS for VPC jobs](#encryption-kms-vpc-endpoint)
+ [Setting up encryption with Amazon KMS keys](#console-security-configurations-wizard)

## Setting up DataBrew to use encryption
<a name="encryption-setup-DataBrew"></a>

Follow this procedure to set up your DataBrew environment to use encryption.

**To set up your DataBrew environment to use encryption**

1. Create or update your Amazon KMS keys to give Amazon KMS permissions to the Amazon Identity and Access Management (IAM) roles that are passed to DataBrew jobs. These IAM roles are used to encrypt CloudWatch Logs and Amazon S3 targets. For more information, see [Encrypt Log Data in CloudWatch Logs Using Amazon KMS](https://docs.amazonaws.cn/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html) in the *Amazon CloudWatch Logs User Guide*. 

   In the following example, `"role1"`, `"role2"`, and `"role3"` are IAM roles that are passed to DataBrew jobs. This policy statement describes a KMS key policy that gives permission to the listed IAM roles to encrypt and decrypt with this KMS key.

   ```json
   {
       "Effect": "Allow",
       "Principal": {
           "Service": "logs.{{region}}.amazonaws.com",
           "AWS": [
               "{{role1}}",
               "{{role2}}",
               "{{role3}}"
           ]
       },
       "Action": [
           "kms:Encrypt*",
           "kms:Decrypt*",
           "kms:ReEncrypt*",
           "kms:GenerateDataKey*",
           "kms:Describe*"
       ],
       "Resource": "*"
   }
   ```

   The `Service` principal entry, shown as `"Service": "logs.{{region}}.amazonaws.com"`, is required if you use the key to encrypt CloudWatch Logs; the `AWS` principal entry is what grants the job roles access to the key.

1. Ensure that the Amazon KMS key is set to `ENABLED` before it is used.

For more information about specifying permissions using Amazon KMS key policies, see [Using key policies in Amazon KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html).
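The following script is an added example for this page, not AWS sample code. It builds the key-policy statement shown above from a region and a list of role ARNs, and then audits a key policy the way you would before running a job: it checks that each job role is actually granted the required `kms:` actions (resolving the `*` wildcards the statement uses) and that `DescribeKey` reports the key as `Enabled`. The region, account id, role ARNs and `Sid` values are constructed placeholders; the response shape read by `key_is_enabled` is that of the KMS `DescribeKey` API.

```python
"""Build and audit the KMS key-policy statement that DataBrew job roles need.

Added example for this page, not AWS sample code. The region, account id and
role ARNs are constructed placeholders; the action list is the one in the
page's key-policy example.
"""
import fnmatch
import json

# Wildcard actions from the page's policy example.
DATABREW_KEY_ACTIONS = [
    "kms:Encrypt*",
    "kms:Decrypt*",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:Describe*",
]

# Concrete actions a job role should end up with; used by missing_actions().
REQUIRED_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
)


def build_databrew_statement(region, role_arns, encrypts_cloudwatch_logs=True):
    """Return the page's Allow statement filled in for `region` and `role_arns`.

    The CloudWatch Logs service principal is added only when the key also
    encrypts the job's log group, which is the case the page describes.
    """
    principal = {"AWS": list(role_arns)}
    if encrypts_cloudwatch_logs:
        principal["Service"] = f"logs.{region}.amazonaws.com"
    return {
        "Sid": "AllowDataBrewJobRoles",  # constructed Sid
        "Effect": "Allow",
        "Principal": principal,
        "Action": list(DATABREW_KEY_ACTIONS),
        "Resource": "*",
    }


def _as_list(value):
    """IAM policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, arn):
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(arn in _as_list(principal.get(key)) for key in ("AWS", "Service"))


def missing_actions(key_policy, principal_arn, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow statement grants to `principal_arn`.

    Matching is case-insensitive with IAM-style '*' wildcards. Deny statements,
    Condition blocks and KMS grants are not evaluated, so an empty result means
    the key policy allows the actions, not that every other control does.
    """
    granted = set()
    for stmt in _as_list(key_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue  # key policies use Resource "*"; anything else is suspect
        for pattern in _as_list(stmt.get("Action")):
            for action in required:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return [a for a in required if a not in granted]


def key_is_enabled(describe_key_response):
    """True when DescribeKey reports KeyState 'Enabled' (step 2 of the procedure)."""
    return describe_key_response.get("KeyMetadata", {}).get("KeyState") == "Enabled"


if __name__ == "__main__":
    roles = [f"arn:aws-cn:iam::123456789012:role/databrew-role{n}" for n in (1, 2, 3)]
    policy = {
        "Version": "2012-10-17",
        "Statement": [
            # A real key policy also needs an administrative statement so the
            # key stays manageable; this one is a constructed placeholder.
            {"Sid": "EnableRootPermissions", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws-cn:iam::123456789012:root"},
             "Action": "kms:*", "Resource": "*"},
            build_databrew_statement("cn-north-1", roles),
        ],
    }
    print(json.dumps(policy, indent=2))
    print("missing for role1:", missing_actions(policy, roles[0]))
```

Run `missing_actions` against the policy document returned by `GetKeyPolicy` for each role you pass to a job; a non-empty list names the actions the job would be denied when it tries to write encrypted output or logs.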

## Creating a route to Amazon KMS for VPC jobs
<a name="encryption-kms-vpc-endpoint"></a>

You can connect directly to Amazon KMS through a private endpoint in your virtual private cloud (VPC) instead of connecting over the internet. When you use a VPC endpoint, communication between your VPC and Amazon KMS is conducted entirely within the Amazon network.

You can create an Amazon KMS VPC endpoint within a VPC. Without this step, your DataBrew jobs might fail with a `kms timeout`. For detailed instructions, see [Connecting to Amazon KMS Through a VPC Endpoint](https://docs.amazonaws.cn/kms/latest/developerguide/kms-vpc-endpoint.html) in the *Amazon Key Management Service Developer Guide*. 

As you follow these instructions, on the [VPC console](https://console.amazonaws.cn//vpc), make sure to do the following:
+ Choose **Enable Private DNS name**.
+ For **Security group**, choose the security group (including a self-referencing rule) that you use for your DataBrew job that accesses Java Database Connectivity (JDBC).

When you run a DataBrew job that accesses JDBC data stores, DataBrew must have a route to the Amazon KMS endpoint. You can provide the route with a network address translation (NAT) gateway or with an Amazon KMS VPC endpoint. To create a NAT gateway, see [NAT Gateways](https://docs.amazonaws.cn/vpc/latest/userguide/vpc-nat-gateway.html) in the *Amazon VPC User Guide*.
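The following is an added example for this page, not AWS sample code. It captures the checks in this section as code you can run against your own EC2 API output: the request parameters for a KMS interface endpoint with private DNS enabled, a test that the job's security group has a self-referencing rule, and a classification of whether the job subnets reach KMS through an interface endpoint or a NAT gateway at all (the case the page associates with `kms timeout` failures). The IDs, CIDRs and region values are constructed; the dict shapes follow the EC2 `CreateVpcEndpoint` request and the `DescribeSecurityGroups`, `DescribeVpcEndpoints` and `DescribeRouteTables` responses, so verify them against your SDK version. The `cn.com.amazonaws` service-name prefix for China regions is an assumption of this example.

```python
"""Connectivity checks for DataBrew jobs that must reach KMS from inside a VPC.

Added example for this page, not AWS sample code. IDs, CIDRs and the region
are constructed; the dict shapes follow the EC2 API request and response
documents named in the lead-in (verify against your SDK version).
"""


def kms_service_name(region):
    """VPC endpoint service name for KMS in `region`.

    Assumption of this example: China regions use the 'cn.com.amazonaws' prefix.
    """
    prefix = "cn.com.amazonaws" if region.startswith("cn-") else "com.amazonaws"
    return f"{prefix}.{region}.kms"


def kms_endpoint_request(region, vpc_id, subnet_ids, security_group_id):
    """Request parameters for an interface endpoint to KMS (CreateVpcEndpoint).

    PrivateDnsEnabled=True is the console's 'Enable Private DNS name' choice:
    the regional KMS hostname then resolves to the endpoint inside the VPC.
    """
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": kms_service_name(region),
        "SubnetIds": list(subnet_ids),
        "SecurityGroupIds": [security_group_id],
        "PrivateDnsEnabled": True,
    }


def has_self_referencing_rule(security_group):
    """True if an inbound rule of the group allows traffic from the group itself."""
    group_id = security_group["GroupId"]
    for permission in security_group.get("IpPermissions", []):
        for pair in permission.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == group_id:
                return True
    return False


def kms_route_status(region, vpc_endpoints, route_tables):
    """Classify how job subnets reach KMS: 'endpoint', 'nat' or 'none'.

    'none' is the configuration in which the page says jobs can fail with a
    kms timeout. An interface endpoint without private DNS does not count,
    because the job would still resolve the public KMS hostname.
    """
    service = kms_service_name(region)
    for endpoint in vpc_endpoints:
        if (endpoint.get("ServiceName") == service
                and endpoint.get("VpcEndpointType") == "Interface"
                and endpoint.get("State") == "available"
                and endpoint.get("PrivateDnsEnabled")):
            return "endpoint"
    for table in route_tables:
        for route in table.get("Routes", []):
            if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and route.get("NatGatewayId")
                    and route.get("State") == "active"):
                return "nat"
    return "none"


def preflight(region, security_group, vpc_endpoints, route_tables):
    """Return a list of findings; an empty list means the checks on this page pass."""
    findings = []
    if not has_self_referencing_rule(security_group):
        findings.append(f"{security_group['GroupId']} has no self-referencing inbound rule")
    if kms_route_status(region, vpc_endpoints, route_tables) == "none":
        findings.append("no route to KMS: add a KMS interface endpoint or a NAT gateway")
    return findings


if __name__ == "__main__":
    # Constructed sample: a group that references itself and no endpoint or NAT yet.
    sg = {"GroupId": "sg-0123456789abcdef0",
          "IpPermissions": [{"IpProtocol": "-1",
                             "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]}]}
    print(preflight("us-east-1", sg, [], []))
    print(kms_endpoint_request("us-east-1", "vpc-0abc", ["subnet-0a", "subnet-0b"], sg["GroupId"]))
```

Feed `preflight` the security group, endpoint list and route tables of the subnets the job runs in; each finding maps to one of the two remediations the page names.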

## Setting up encryption with Amazon KMS keys
<a name="console-security-configurations-wizard"></a>

When you enable encryption on a job, it applies to both the Amazon S3 output and the job's CloudWatch Logs. The IAM role that is passed to the job must have Amazon KMS permissions on the key, as granted by the key policy shown in [Setting up DataBrew to use encryption](#encryption-setup-DataBrew).

For more information, see the following topics in the *Amazon Simple Storage Service User Guide*:
+ For information about `SSE-S3`, see [Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3)](https://docs.amazonaws.cn/AmazonS3/latest/userguide/UsingServerSideEncryption.html). 
+ For information about `SSE-KMS`, see [Protecting Data Using Server-Side Encryption with Amazon KMS–Managed Keys (SSE-KMS)](https://docs.amazonaws.cn/AmazonS3/latest/userguide/UsingKMSEncryption.html). 
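The following is an added example for this page, not AWS sample code. It assembles the encryption fields of a DataBrew job request for either mode and rejects the inconsistent combinations before they reach the API: a key ARN supplied with `SSE-S3`, `SSE-KMS` without a key, a malformed key ARN, or a key in a different region from the job (KMS keys are regional). The parameter names `EncryptionMode`, `EncryptionKeyArn`, `LogSubscription`, `RecipeReference` and `Outputs[].Location` are the DataBrew `CreateRecipeJob` API's (verify against your SDK version); the ARN regular expression and all ARNs, bucket and job names are constructed for this example.

```python
"""Encryption settings for a DataBrew job, with the consistency checks a
reviewer would apply before passing them to CreateRecipeJob.

Added example for this page, not AWS sample code. The ARN pattern is an
assumption of this example; the ARNs, bucket and names are constructed.
"""
import re

# KMS key or alias ARN: partition, region, 12-digit account, key/<id> or alias/<name>.
KMS_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:"
    r"([a-z]{2}(?:-[a-z]+)+-\d):(\d{12}):"
    r"(key/[0-9a-f-]{36}|alias/[A-Za-z0-9/_-]+)$"
)


def job_encryption_settings(mode, key_arn=None, region=None):
    """Return the encryption-related fields for a DataBrew job request.

    SSE-S3:  Amazon S3 manages the key; EncryptionKeyArn must be absent.
    SSE-KMS: a KMS key ARN is required; KMS keys are regional, so when
             `region` is given the key must live in that region.
    """
    if mode not in ("SSE-S3", "SSE-KMS"):
        raise ValueError(f"unknown EncryptionMode {mode!r}")
    if mode == "SSE-S3":
        if key_arn:
            raise ValueError("EncryptionKeyArn is only used with SSE-KMS")
        return {"EncryptionMode": "SSE-S3"}
    match = KMS_ARN.match(key_arn or "")
    if not match:
        raise ValueError("SSE-KMS requires a KMS key or alias ARN")
    if region and match.group(2) != region:
        raise ValueError(f"key is in {match.group(2)} but the job runs in {region}")
    return {"EncryptionMode": "SSE-KMS", "EncryptionKeyArn": key_arn}


def recipe_job_request(name, role_arn, dataset_name, recipe_name,
                       output_s3_uri, mode, key_arn=None, region=None):
    """Assemble CreateRecipeJob parameters with encryption and job logging on."""
    if not output_s3_uri.startswith("s3://"):
        raise ValueError("output must be an s3:// URI")
    bucket, _, key = output_s3_uri[len("s3://"):].partition("/")
    request = {
        "Name": name,
        "RoleArn": role_arn,
        "DatasetName": dataset_name,
        "RecipeReference": {"Name": recipe_name},
        "LogSubscription": "ENABLE",  # job log group in CloudWatch Logs
        "Outputs": [{"Location": {"Bucket": bucket, "Key": key}}],
    }
    # Encryption applies to the S3 output and the CloudWatch Logs together.
    request.update(job_encryption_settings(mode, key_arn, region))
    return request


if __name__ == "__main__":
    # Constructed sample values.
    key = "arn:aws-cn:kms:cn-north-1:123456789012:key/12345678-1234-1234-1234-123456789012"
    role = "arn:aws-cn:iam::123456789012:role/databrew-role1"
    print(recipe_job_request("encrypted-job", role, "sales", "clean-sales",
                             "s3://my-bucket/out/", "SSE-KMS", key, "cn-north-1"))
```

Pass the returned dict to `create_recipe_job` (for example, `boto3.client("databrew").create_recipe_job(**request)`); the role named in `RoleArn` is the one that must appear in the key policy.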