Encryption at rest - Amazon IoT SiteWise
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Encryption at rest

Amazon IoT SiteWise stores your data in the Amazon Cloud and on Amazon IoT SiteWise Edge gateways.

Data at rest in the Amazon Cloud

Amazon IoT SiteWise stores data in other Amazon services that encrypt data at rest by default. Encryption at rest integrates with Amazon Key Management Service (Amazon KMS) for managing the encryption key that is used to encrypt your asset property values and aggregate values in Amazon IoT SiteWise. You can choose to use a customer managed key to encrypt asset property values and aggregate values in Amazon IoT SiteWise. You can create, manage, and view your encryption key through Amazon KMS.

You can choose an Amazon owned key to encrypt your data, or choose a customer managed key to encrypt your asset property values and aggregate values:

How it works

Encryption at rest integrates with Amazon KMS for managing the encryption key that is used to encrypt your data.

  • Amazon owned key – Default encryption key. Amazon IoT SiteWise owns this key. You can't view this key in your Amazon account. You also can't see operations on the key in Amazon CloudTrail logs. You can use this key at no additional charge.

  • Customer managed key – The key is stored in your account, which you create, own, and manage. You have full control over the KMS key. Additional Amazon KMS charges apply.

Amazon owned keys

Amazon owned keys aren't stored in your account. They're part of a collection of KMS keys that Amazon owns and manages for use in multiple Amazon accounts. Amazon services can use Amazon owned keys to protect your data.

You can't view, manage, or use Amazon owned keys, or audit their use. However, you don't need to do any work or change any programs to protect the keys that encrypt your data.

You're not charged a monthly fee or a usage fee if you use Amazon owned keys, and they don't count against Amazon KMS quotas for your account.

Customer managed keys

Customer managed keys are KMS keys in your account that you create, own, and manage. You have full control over these KMS keys, such as the following:

  • Establishing and maintaining their key policies, IAM policies, and grants

  • Enabling and disabling them

  • Rotating their cryptographic material

  • Adding tags

  • Creating aliases that refer to them

  • Scheduling them for deletion

You can also use CloudTrail and Amazon CloudWatch Logs to track the requests that Amazon IoT SiteWise sends to Amazon KMS on your behalf.

If you're using customer managed keys, you need to grant Amazon IoT SiteWise access to the KMS key stored in your account. Amazon IoT SiteWise uses envelope encryption with a key hierarchy to encrypt data. Your Amazon KMS encryption key is used to encrypt the root key of this key hierarchy. For more information, see Envelope encryption in the Amazon Key Management Service Developer Guide.
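The key hierarchy described above, as an added example that is not code from the Amazon IoT SiteWise documentation or service. It models three levels: a KMS key that never leaves a stand-in KMS, a root key that is stored only in KMS-wrapped form, and per-value data keys wrapped by the root key. The authenticated cipher is an HMAC-based toy (stdlib only, not AES-GCM), the ToyKms and PropertyValueStore classes are this example's own names, and the encryption-context key aws:iotsitewise:accountId is assumed; only aws:iotsitewise:subscriberId appears on this page. The example shows what a practitioner cares about: a wrong encryption context is rejected, and disabling the KMS key makes every stored value unreadable.

```python
"""Toy model of envelope encryption with a key hierarchy (added example, not AWS code)."""
import hashlib
import hmac
import json
import os

# --- Stand-in authenticated cipher: encrypt-then-MAC built from HMAC-SHA256 (NOT AES-GCM) ---

def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for i in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def aead_encrypt(key: bytes, plaintext: bytes, context: dict) -> bytes:
    """The encryption context is bound as additional authenticated data, as KMS does."""
    nonce = os.urandom(16)
    ks = _keystream(_derive(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    aad = json.dumps(context, sort_keys=True).encode()
    tag = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key: bytes, blob: bytes, context: dict) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    aad = json.dumps(context, sort_keys=True).encode()
    expected = hmac.new(_derive(key, b"mac"), aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or encryption context")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_derive(key, b"enc"), nonce, len(ct))))

class ToyKms:
    """Stands in for Amazon KMS: key material never leaves it, and keys can be disabled."""
    def __init__(self):
        self._keys = {}

    def create_key(self) -> str:
        key_id = f"key-{len(self._keys) + 1}"          # constructed key id
        self._keys[key_id] = {"material": os.urandom(32), "enabled": True}
        return key_id

    def disable_key(self, key_id: str) -> None:
        self._keys[key_id]["enabled"] = False

    def _material(self, key_id: str) -> bytes:
        entry = self._keys[key_id]
        if not entry["enabled"]:
            raise PermissionError(f"{key_id} is disabled")
        return entry["material"]

    def encrypt(self, key_id, plaintext, context):
        return aead_encrypt(self._material(key_id), plaintext, context)

    def decrypt(self, key_id, blob, context):
        return aead_decrypt(self._material(key_id), blob, context)

class PropertyValueStore:
    """KMS key -> wrapped root key -> wrapped data key -> encrypted property value."""
    def __init__(self, kms: ToyKms, key_id: str, subscriber_id: str, account_id: str):
        self.kms, self.key_id = kms, key_id
        # Context every KMS call is bound to; the accountId key name is an assumption.
        self.context = {"aws:iotsitewise:subscriberId": subscriber_id,
                        "aws:iotsitewise:accountId": account_id}
        root = os.urandom(32)
        self.wrapped_root = kms.encrypt(key_id, root, self.context)  # only this form is kept at rest
        del root

    def _root(self) -> bytes:
        return self.kms.decrypt(self.key_id, self.wrapped_root, self.context)

    def put(self, value: bytes) -> dict:
        data_key = os.urandom(32)                      # fresh data key per stored value
        return {"wrapped_data_key": aead_encrypt(self._root(), data_key, {"purpose": "data-key"}),
                "ciphertext": aead_encrypt(data_key, value, {"purpose": "property-value"})}

    def get(self, record: dict) -> bytes:
        data_key = aead_decrypt(self._root(), record["wrapped_data_key"], {"purpose": "data-key"})
        return aead_decrypt(data_key, record["ciphertext"], {"purpose": "property-value"})

def demo():
    """Returns (round_trip_ok, wrong_context_rejected, disabled_key_rejected)."""
    kms = ToyKms()
    key_id = kms.create_key()
    store = PropertyValueStore(kms, key_id, subscriber_id="sub-example", account_id="123456789012")
    record = store.put(b"23.5")
    round_trip_ok = store.get(record) == b"23.5"
    try:
        kms.decrypt(key_id, store.wrapped_root, {"aws:iotsitewise:subscriberId": "someone-else"})
        wrong_context_rejected = False
    except ValueError:
        wrong_context_rejected = True
    kms.disable_key(key_id)                            # what disabling the customer managed key does
    try:
        store.get(record)
        disabled_key_rejected = False
    except PermissionError:
        disabled_key_rejected = True
    return round_trip_ok, wrong_context_rejected, disabled_key_rejected

if __name__ == "__main__":
    print(demo())
```

The design point is that the service only ever holds the wrapped root key; reading any value requires a KMS call bound to the encryption context, which is why disabling the key, revoking the grant, or changing the key policy cuts off access to all data encrypted under it.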

The following example IAM policy grants the permissions that Amazon IoT SiteWise needs to use a customer managed key on your behalf. When you create your key, you need to allow the kms:CreateGrant and kms:DescribeKey actions.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1603902045292",
            "Action": [
                "kms:CreateGrant",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

The encryption context for the grant that Amazon IoT SiteWise creates uses your aws:iotsitewise:subscriberId and account ID.

Data at rest on SiteWise Edge gateways

Amazon IoT SiteWise gateways store the following data on the local file system:

  • OPC-UA source configuration information

  • The set of OPC-UA data stream paths from connected OPC-UA sources

  • Industrial data cached when the SiteWise Edge gateway loses connection to the internet

SiteWise Edge gateways run on Amazon IoT Greengrass. Amazon IoT Greengrass relies on Unix file permissions and full-disk encryption (if enabled) to protect data at rest on the core. It's your responsibility to secure the file system and device.
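Because the gateway relies on file permissions and full-disk encryption, a quick audit of both is the check a practitioner wants. The script below is an added example, not part of the Amazon IoT SiteWise or Amazon IoT Greengrass documentation. It lists regular files under a directory that are readable by users outside the owner and group, and reports whether a dm-crypt volume is mounted; the gateway data directory is passed in as an argument because its location on your device is not stated on this page.

```shell
#!/bin/sh
# Added example: audit local data-at-rest protection on a SiteWise Edge gateway host.
# Usage: sh audit_gateway.sh /path/to/gateway/data-dir

# Print every regular file under $1 readable by "other" (mode bit o+r set).
world_readable_files() {
    find "$1" -type f -perm -o+r 2>/dev/null
}

# Exit status 0 when nothing under $1 is world-readable, 1 otherwise.
check_gateway_dir() {
    n=$(world_readable_files "$1" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "OK: no world-readable files under $1"
        return 0
    fi
    echo "WARNING: $n world-readable file(s) under $1:"
    world_readable_files "$1"
    return 1
}

# Best-effort full-disk encryption check: looks for dm-crypt block devices via lsblk.
fde_status() {
    if ! command -v lsblk >/dev/null 2>&1; then
        echo "lsblk not available; cannot determine full-disk encryption status"
        return 0
    fi
    if lsblk -o TYPE 2>/dev/null | grep -q '^crypt$'; then
        echo "dm-crypt volume present"
    else
        echo "WARNING: no dm-crypt volume found; cached data relies on file permissions alone"
    fi
}

if [ "$#" -gt 0 ]; then
    check_gateway_dir "$1"
    fde_status
fi
```

The permission check is deliberately strict about the "other" bit only: files owned by the Greengrass service user with group access are normal, while anything every local account can read (cached industrial data, source configuration) is what to fix first.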

However, Amazon IoT Greengrass does encrypt local copies of your OPC-UA server secrets retrieved from Secrets Manager. For more information, see Secrets encryption in the Amazon IoT Greengrass Version 1 Developer Guide.

For more information about encryption at rest on Amazon IoT Greengrass cores, see Encryption at rest in the Amazon IoT Greengrass Version 1 Developer Guide.