# Configuring encryption on connections
<a name="encryption-connections-configure"></a>

You can specify the KMS key for EventBridge to use when you create or update a connection.

## Specifying Amazon KMS keys when creating connections
<a name="encryption-connections-create"></a>

Choosing the Amazon KMS key used for encryption is optional when creating a connection. By default, EventBridge uses an Amazon owned key. 

**To specify a customer managed key for encryption when creating a connection (console)**
+ Follow these instructions:

  [Creating connections](eb-target-connection-create.md).

**To specify a customer managed key for encryption when creating a connection (CLI)**
+ When calling `[create-connection](https://docs.amazonaws.cn/cli/latest/reference/events/create-connection.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encryption of the connection's secret.

## Updating Amazon KMS keys for connections
<a name="encryption-connections-update"></a>

You can update the KMS key being used for encrypting an existing connection. This includes:
+ Changing from the default Amazon owned key to a customer managed key.
+ Changing from a customer managed key to the default Amazon owned key.
+ Changing from one customer managed key to another.

When you update a connection to use a different KMS key , EventBridge decrypts the connection's secret and then encrypts it using the new key. Make sure the KMS key you specify has the necessary permissions. For more information, see [Connection key policy](encryption-connections.md#encryption-connections-key-policy).

**To update the KMS key used for encryption on a connection (console)**

1. Open the Amazon EventBridge console at [https://console.amazonaws.cn/events/](https://console.amazonaws.cn/events/).

1. In the navigation pane, choose **Integration**, and then choose **Connections**.

1. Choose the connection you want to update.

1. On the connection details page, under **Encryption**, choose the KMS key for EventBridge to use when encrypting the connection's secret:
   + Choose **Use Amazon owned key** for EventBridge to encrypt the secret using an Amazon owned key.

     This Amazon owned key is a KMS key that EventBridge owns and manages for use in multiple Amazon accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an Amazon owned key is a good choice. 

     This is the default.
   + Choose **Choose a different Amazon KMS key (advanced)** for EventBridge to encrypt the secret using the customer managed key that you specify or create.

     Customer managed keys are KMS keys in your Amazon account that you create, own, and manage. You have full control over these KMS keys.

     1. Specify an existing customer managed key, or choose **Create a new KMS key**.

       Make sure the KMS key you specify has the necessary permissions. For more information, see [Connection key policy](encryption-connections.md#encryption-connections-key-policy).

       EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key.

**To update the KMS key used for encryption on a connection (CLI)**
+ When calling `[update-connection](https://docs.amazonaws.cn/cli/latest/reference/events/update-connection.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encrypting the connection secret.