Encrypting events with customer managed keys - Amazon EventBridge
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encrypting events with customer managed keys

You can specify that EventBridge use an Amazon KMS key to encrypt your data (custom and partner events) stored on an event bus, rather than the Amazon owned key it uses by default. You can specify a customer managed key when you create or update an event bus, and you can also update the default event bus to use a customer managed key for custom and partner events. For more information, see KMS key options for event bus encryption.

If you specify a customer managed key for an event bus, you have the option of specifying a dead-letter queue (DLQ) for the event bus. EventBridge then delivers any custom or partner events that generate encryption or decryption errors to that DLQ. For more information, see Using dead-letter queues to capture encrypted event errors.

Specifying the Amazon KMS key used for encryption when creating an event bus

Choosing the Amazon KMS key used for encryption is part of creating an event bus. The default is to use the Amazon owned key provided by EventBridge.

To specify a customer managed key for encryption when creating an event bus (console)
To specify a customer managed key for encryption when creating an event bus (CLI)
  • When calling create-event-bus, use the kms-key-identifier option to specify the customer managed key for EventBridge to use for encryption on the event bus.

    Optionally, use dead-letter-config to specify a dead-letter queue (DLQ).

Changing the Amazon KMS key used for encryption on an event bus

You can change the Amazon KMS key being used for encryption at rest on an existing event bus. This includes changing from the default Amazon owned key to a customer managed key, from a customer managed key to the default Amazon owned key, or from one customer managed key to another.

To change the KMS key used for encryption on an event bus (console)
  1. Open the Amazon EventBridge console at https://console.amazonaws.cn/events/.

  2. In the navigation pane, choose Event buses.

  3. Choose the event bus you want to update.

  4. On the event bus details page, choose the Encryption tab.

  5. Choose the KMS key for EventBridge to use when encrypting the event data stored on the event bus:

    • Choose Use Amazon owned key for EventBridge to encrypt the data using an Amazon owned key.

      This Amazon owned key is a KMS key that EventBridge owns and manages for use in multiple Amazon accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an Amazon owned key is a good choice.

      This is the default.

    • Choose Use customer managed key for EventBridge to encrypt the data using the customer managed key that you specify or create.

      Customer managed keys are KMS keys in your Amazon account that you create, own, and manage. You have full control over these KMS keys.

      1. Specify an existing customer managed key, or choose Create a new KMS key.

        EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key.

      2. Choose the Amazon SQS queue to use as the dead-letter queue (DLQ) for this event bus, if any.

        EventBridge sends events that aren't successfully encrypted to the DLQ, if configured, so you can process them later.

To change the KMS key used for encryption on an event bus (CLI)
  • When calling update-event-bus, use the kms-key-identifier option to specify the customer managed key for EventBridge to use for encryption on the event bus.

    Optionally, use dead-letter-config to specify a dead-letter queue (DLQ).
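The two CLI procedures above (create-event-bus and update-event-bus, each with kms-key-identifier and dead-letter-config) as one added example. This is not code from the EventBridge documentation; it wraps the documented CLI calls in small functions and adds a read-back check with describe-event-bus so that an operator can confirm the bus actually reports the intended key after the change. The bus name, key ARN, DLQ ARN, and the AWS_CLI override variable are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the EventBridge documentation. Wraps the documented
# CLI calls so the customer managed key and the DLQ are applied together and
# the result is verified. Bus name, key ARN, DLQ ARN and the AWS_CLI override
# are constructed placeholders.
set -eu

# Point AWS_CLI at a stub (for example a shell function) to dry-run offline.
AWS_CLI="${AWS_CLI:-aws}"

# Create a custom event bus encrypted at rest with a customer managed key.
# $1 = bus name, $2 = KMS key ID/ARN/alias, $3 = ARN of the SQS dead-letter queue
create_encrypted_bus() {
  "$AWS_CLI" events create-event-bus \
    --name "$1" \
    --kms-key-identifier "$2" \
    --dead-letter-config "Arn=$3"
}

# Move an existing bus (including "default") to another customer managed key.
# Same arguments as create_encrypted_bus.
update_bus_key() {
  "$AWS_CLI" events update-event-bus \
    --name "$1" \
    --kms-key-identifier "$2" \
    --dead-letter-config "Arn=$3"
}

# Read back the key identifier EventBridge reports for the bus.
# A bus on the Amazon owned key has no KmsKeyIdentifier, which
# --output text renders as "None".
get_bus_key() {
  "$AWS_CLI" events describe-event-bus \
    --name "$1" \
    --query KmsKeyIdentifier \
    --output text
}

# Return non-zero unless the bus reports the expected key, so a change that
# did not apply (or a bus still on the Amazon owned key) fails loudly.
# $1 = bus name, $2 = expected key identifier
verify_bus_key() {
  actual=$(get_bus_key "$1")
  [ "$actual" = "$2" ]
}

# Usage (constructed values):
#   KEY_ARN=arn:aws-cn:kms:cn-north-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
#   DLQ_ARN=arn:aws-cn:sqs:cn-north-1:111122223333:eventbridge-encryption-dlq
#   create_encrypted_bus orders-bus "$KEY_ARN" "$DLQ_ARN"
#   verify_bus_key orders-bus "$KEY_ARN" || echo "key not applied to orders-bus" >&2
```

Compare against the key ARN rather than an alias when verifying, because the value EventBridge reports may not be the same form you supplied. The DLQ is worth configuring alongside the key: once the bus is on a customer managed key, any event that fails encryption or decryption (for example because the key is disabled or its policy no longer grants EventBridge access) is otherwise lost rather than delivered to the DLQ.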

To change the KMS key used for encryption on the default event bus (CloudFormation)

Because EventBridge provisions the default event bus into your account automatically, you cannot create it using a CloudFormation template, as you normally would for any resource you wanted to include in a CloudFormation stack. To include the default event bus in a CloudFormation stack, you must first import it into a stack. Once you have imported the default event bus into a stack, you can then update the event bus properties as desired.