Encrypting events with Amazon KMS keys in EventBridge - Amazon EventBridge
Event bus encryption contextEvent bus key policy
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encrypting events with Amazon KMS keys in EventBridge

You can specify that EventBridge use a Amazon KMS to encrypt your data (custom and partner events) stored on an event bus, rather than use an Amazon owned key as is the default. You can specify a customer managed key when you create or update an event bus. You can also update the default event bus to use a customer managed key for custom and partner events as well. For more information, see KMS key options.

If you specify a customer managed key for an event bus, you have the option of specifying a dead-letter queue (DLQ) for the event bus. EventBridge then delivers any custom or partner events that generate encryption or decryption errors to that DLQ. For more information, see DLQs for encrypted events.

Note

Schema discovery is not supported for event buses encrypted using a customer managed key. To enable schema discovery on an event bus, choose to use an Amazon owned key. For more information, see KMS key options.

Event bus encryption context

An encryption context is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, Amazon KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context.

You can also use the encryption context as a condition for authorization in policies and grants.

If you use a customer managed key to protect your EventBridge resources, you can use the encryption context to identify use of the KMS key in audit records and logs. It also appears in plaintext in logs, such as Amazon CloudTrail and Amazon CloudWatch Logs.

For event buses, EventBridge uses the same encryption context in all Amazon KMS cryptographic operations. The context includes a single key–value pair, which contains the event bus ARN. 

"encryptionContext": {
    "kms:EncryptionContext:aws:events:event-bus:arn": "event-bus-arn"
}

Amazon KMS key policy for event bus

The following example key policy provides the required permissions for an event bus:

  • kms:DescribeKey

  • kms:GenerateDataKey

  • kms:Decrypt

As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the KMS key only for the specified resource or account. For more information, see Security considerations.

{
  "Sid": "Allow EventBridge to validate key permission",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:DescribeKey"
  ]
  "Resource": "*"
},
{
  "Sid": "Allow EventBridge to encrypt events",
  "Effect": "Allow",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey",
    "kms:Decrypt"
  ]
  "Resource": "*",
  "Condition": {
    "StringEquals": {
        "kms:EncryptionContext:aws:events:event-bus:arn": "arn:aws:events:region:account-id:event-bus/event-bus-arn",
        "aws:SourceArn": "arn:aws:events:region:account-id:event-bus/event-bus-name"
    }
  }
}