Maintaining Amazon KMS encryption key access in EventBridge
To ensure EventBridge always retains access to the necessary customer managed key:
- Do not delete a customer managed key until you are sure all events encrypted with it have been processed.
  When you perform any of the following operations, retain the previous key material to ensure EventBridge can continue to use it for previously encrypted events:
  In general, if you are considering deleting an Amazon KMS key, disable it first and set a CloudWatch alarm (or a similar mechanism) that alerts you to any attempt to use the disabled key, so that you can be certain you will never again need the key to decrypt data. A disabled key can be re-enabled; a deleted key cannot be recovered, and any event still encrypted under it becomes unreadable.
- Do not remove the key policy statement that grants EventBridge permission to use the key.
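The second point is easy to violate by accident when a key policy is edited with an overwriting call, since the whole policy document is replaced. The following is an added example, not code from the AWS documentation: a pre-flight check that compares the current and proposed key policy documents and refuses an update that would strip the `events.amazonaws.com` service principal's permissions. The set of actions in `REQUIRED_ACTIONS`, the sample policies (including the example account ID `111122223333`), and the function names are all assumptions made for illustration; the check evaluates Allow and Deny statements for the service principal and does not evaluate policy conditions.

```python
"""Guard against a key-policy edit that would revoke EventBridge's access.

Added example, not part of the AWS documentation. The action set below is an
assumption for illustration; confirm it against the EventBridge key-policy
documentation for your use case.
"""
from __future__ import annotations

import fnmatch
import json

EVENTBRIDGE_PRINCIPAL = "events.amazonaws.com"
# Assumed minimum set of KMS permissions EventBridge needs on the key.
REQUIRED_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """Case-insensitive IAM-style wildcard match ('kms:Decrypt*', 'kms:*')."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def eventbridge_allowed_actions(policy: dict) -> set:
    """Return the REQUIRED_ACTIONS the policy grants to the EventBridge principal.

    Only statements whose Principal names the EventBridge service principal
    (or the '*' wildcard) are considered. An explicit Deny removes an action
    again, because Deny wins in IAM evaluation. Conditions are not evaluated.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal", {})
        if principal == "*":
            services = ["*"]
        elif isinstance(principal, dict):
            services = _as_list(principal.get("Service"))
        else:
            services = []
        if EVENTBRIDGE_PRINCIPAL not in services and "*" not in services:
            continue
        patterns = _as_list(stmt.get("Action"))
        matched = {req for req in REQUIRED_ACTIONS
                   if any(_action_matches(p, req) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        elif stmt.get("Effect") == "Deny":
            denied |= matched
    return allowed - denied


def missing_eventbridge_actions(policy: dict) -> set:
    """Required actions the policy does NOT grant to EventBridge."""
    return REQUIRED_ACTIONS - eventbridge_allowed_actions(policy)


def check_policy_update(current: dict, proposed: dict) -> tuple:
    """Decide whether a proposed key policy may replace the current one.

    Returns (ok, reason). Run this before any call that overwrites the
    key policy, and block the change when ok is False.
    """
    before = missing_eventbridge_actions(current)
    after = missing_eventbridge_actions(proposed)
    newly_missing = after - before
    if newly_missing:
        return False, "proposed policy revokes " + ", ".join(sorted(newly_missing))
    if before and not after:
        return True, "proposed policy restores EventBridge access"
    return True, "EventBridge access unchanged"


# Constructed sample: a key policy that still carries the EventBridge grant.
CURRENT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow EventBridge to use the key",
      "Effect": "Allow",
      "Principal": {"Service": "events.amazonaws.com"},
      "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"],
      "Resource": "*"
    }
  ]
}""")

# Constructed sample: an edit that keeps only the account-root statement and
# silently drops the EventBridge statement.
PROPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [CURRENT_POLICY["Statement"][0]],
}

if __name__ == "__main__":
    ok, reason = check_policy_update(CURRENT_POLICY, PROPOSED_POLICY)
    print("safe to apply" if ok else "blocked: " + reason)
```

The account-root statement grants `kms:*` but is not counted, because EventBridge calls the key as a service principal, not as the account; only a statement naming `events.amazonaws.com` (or a wildcard principal) keeps its access. The same check can be pointed at the output of a `GetKeyPolicy` call and the document you are about to submit with `PutKeyPolicy`.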
Other considerations include:
- Specify customer managed keys for rule targets, as appropriate.
  When EventBridge sends an event to a rule target, the event is sent using Transport Layer Security (TLS), so it is protected in transit. The encryption applied to the event once it is stored on the target (for example, an SQS queue, Kinesis stream, or Lambda function's downstream storage) depends entirely on the encryption you have configured on the target itself; the key you chose for the event bus does not carry over to the target.