KMS key options for event bus encryption - Amazon EventBridge
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

KMS key options for event bus encryption

EventBridge uses an Amazon owned key to encrypt Amazon service events stored on event buses.

For each event bus, you can choose the type of KMS key EventBridge uses to encrypt custom and partner events stored on that bus:

  • Amazon owned key

    By default, EventBridge encrypts data using 256-bit Advanced Encryption Standard (AES-256) under an Amazon owned key, which helps secure your data from unauthorized access.

    You can't view, manage, or use Amazon owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data.

    In general, unless you are required to audit or control the encryption key that protects your resources, an Amazon owned key is a good choice. Amazon owned keys are completely free of charge (no monthly fees or usage fees), and they do not count against the Amazon KMS quotas for your account. You don't need to create or maintain the key or its key policy.

    For more information, see Amazon owned keys in the Amazon Key Management Service Developer Guide.

  • Customer managed key

    EventBridge supports the use of a symmetric customer managed key that you create, own, and manage. Because you have full control of this type of KMS key, you can perform such tasks as:

    • Establishing and maintaining key policies

    • Establishing and maintaining IAM policies and grants

    • Enabling and disabling keys

    • Rotating key cryptographic material

    • Adding tags

    • Creating key aliases

    • Scheduling keys for deletion

    For more information, see Customer managed keys in the Amazon Key Management Service Developer Guide.

    EventBridge supports multi-Region keys and cross-account access to keys.

    Customer managed keys incur a monthly fee. For details, see Amazon Key Management Service Pricing, and Quotas in the Amazon Key Management Service Developer Guide.
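    The tasks listed above for a customer managed key (writing the key policy, enabling rotation, creating an alias) and attaching that key to a bus, as an added example that is not EventBridge's or this page's own code. The security point it shows is the key policy: the statement that lets EventBridge use the key is scoped with an encryption-context condition to one event bus ARN, so neither another bus nor another service that is granted the key can decrypt this bus's events, and the key administrator role gets management actions but no Decrypt. It assumes, since the page does not state them, that EventBridge calls KMS as the service principal `events.amazonaws.com`, that it supplies the encryption-context key `aws:events:event-bus:arn` and `aws:SourceArn`, and that the key is attached with `UpdateEventBus(KmsKeyIdentifier=...)`; the `KmsAdmin` role, the `orders` bus and the account ID are constructed placeholders.

```python
"""Least-privilege KMS key policy for an EventBridge event bus, plus the
calls that create the key, enable rotation, alias it and attach it to
the bus.  Added example, not EventBridge's code.  Assumptions (not on
the page): service principal events.amazonaws.com, encryption-context
key aws:events:event-bus:arn, aws:SourceArn set by EventBridge, and
events:UpdateEventBus(KmsKeyIdentifier=...).  IDs are placeholders."""
import json
import re

EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com"       # assumption
ENCRYPTION_CONTEXT_KEY = "aws:events:event-bus:arn"  # assumption

# Event-bus ARN in any partition (aws, aws-cn, aws-us-gov).
_BUS_ARN = re.compile(
    r"^arn:(?P<partition>aws(?:-cn|-us-gov)?):events:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):event-bus/(?P<name>[A-Za-z0-9._/-]+)$"
)

# Management-only actions for the key administrator: no kms:Decrypt or
# kms:GenerateDataKey, so the admin can rotate or delete the key but
# cannot read events with it.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
    "kms:CancelKeyDeletion",
]


def parse_bus_arn(bus_arn):
    """Split an event-bus ARN into partition/region/account/name."""
    m = _BUS_ARN.match(bus_arn)
    if not m:
        raise ValueError(f"not an event-bus ARN: {bus_arn}")
    return m.groupdict()


def build_key_policy(bus_arn, admin_role_arn):
    """Key policy: admin role manages the key; EventBridge may use it only
    on behalf of this one bus (encryption context + source ARN/account)."""
    parts = parse_bus_arn(bus_arn)
    partition, account = parts["partition"], parts["account"]
    if not admin_role_arn.startswith(f"arn:{partition}:iam::{account}:"):
        raise ValueError("admin role must be in the bus's partition and account")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "KeyAdministration",
                "Effect": "Allow",
                "Principal": {"AWS": admin_role_arn},
                "Action": ADMIN_ACTIONS,
                "Resource": "*",
            },
            {
                "Sid": "AllowEventBridgeForThisBusOnly",
                "Effect": "Allow",
                "Principal": {"Service": EVENTBRIDGE_PRINCIPAL},
                "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        f"kms:EncryptionContext:{ENCRYPTION_CONTEXT_KEY}": bus_arn,
                        "aws:SourceArn": bus_arn,       # assumption: set by EventBridge
                        "aws:SourceAccount": account,
                    }
                },
            },
        ],
    }


def audit_key_policy(policy):
    """Findings for grants another principal or bus could abuse; empty is good."""
    findings = []
    for st in policy["Statement"]:
        sid, principal = st.get("Sid", "?"), st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard principal")
        if isinstance(principal, dict) and "Service" in principal:
            ctx = st.get("Condition", {}).get("StringEquals", {})
            if f"kms:EncryptionContext:{ENCRYPTION_CONTEXT_KEY}" not in ctx:
                findings.append(f"{sid}: service grant not scoped to one event bus")
    return findings


def create_key_and_attach(bus_arn, admin_role_arn, alias="alias/eventbridge-bus"):
    """Create the key with the scoped policy, turn on rotation, alias it,
    and attach it to the bus.  Needs credentials; boto3 is imported here
    so the policy helpers above run offline."""
    import boto3
    policy = build_key_policy(bus_arn, admin_role_arn)
    assert not audit_key_policy(policy), audit_key_policy(policy)
    kms = boto3.client("kms")
    key_id = kms.create_key(
        Description=f"EventBridge bus {parse_bus_arn(bus_arn)['name']}",
        KeySpec="SYMMETRIC_DEFAULT", KeyUsage="ENCRYPT_DECRYPT",
        Policy=json.dumps(policy),
    )["KeyMetadata"]["KeyId"]
    kms.enable_key_rotation(KeyId=key_id)
    kms.create_alias(AliasName=alias, TargetKeyId=key_id)
    boto3.client("events").update_event_bus(
        Name=parse_bus_arn(bus_arn)["name"], KmsKeyIdentifier=key_id)
    return key_id


if __name__ == "__main__":
    # Constructed placeholders (China partition, as on this page).
    bus = "arn:aws-cn:events:cn-north-1:123456789012:event-bus/orders"
    admin = "arn:aws-cn:iam::123456789012:role/KmsAdmin"
    print(json.dumps(build_key_policy(bus, admin), indent=2))
```

The example is single-account; for the cross-account key access the page mentions, the other account's principals have to appear in this key policy as well, and the same encryption-context condition still limits them to the named bus. Running `audit_key_policy` over an existing key policy is a cheap check before attaching a shared key to a bus.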

    Note

    EventBridge does not support the following features on event buses encrypted using customer managed keys:

    For more information, see Encrypting events.