Key management - Amazon IoT SiteWise
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Key management

Amazon IoT SiteWise cloud key management

By default, Amazon IoT SiteWise uses Amazon managed keys to protect your data in the Amazon Cloud. You can update your settings to use a customer managed key to encrypt some data in Amazon IoT SiteWise. You can create, manage, and view your encryption key through Amazon Key Management Service (Amazon KMS).

Amazon IoT SiteWise supports server-side encryption with customer managed keys stored in Amazon KMS to encrypt the following data:

  • Asset property values

  • Aggregate values


Other data and resources are encrypted using the default encryption with keys managed by Amazon IoT SiteWise. This key is stored in the Amazon IoT SiteWise account.

For more information, see What is Amazon Key Management Service? in the Amazon Key Management Service Developer Guide.

Enable encryption using customer managed keys

To use customer managed keys with Amazon IoT SiteWise, you need to update your Amazon IoT SiteWise settings.

To enable encryption using KMS keys

  1. Navigate to the Amazon IoT SiteWise console.

  2. Choose Account Settings and choose Edit to open the Edit account settings page.

  3. For Encryption key type, choose Choose a different Amazon KMS key. This enables encryption with customer managed keys stored in Amazon KMS.


    Currently, you can only use customer managed key encryption for asset property values and aggregate values.

  4. Choose your KMS key with one of the following options:

    • To use an existing KMS key – Choose your KMS key alias from the list.

    • To create a new KMS key – Choose Create an Amazon KMS key.


      This opens the Amazon KMS dashboard. For more information about creating a KMS key, see Creating keys in the Amazon Key Management Service Developer Guide.

  5. Choose Save to update your settings.

Amazon IoT Greengrass gateway key management

Amazon IoT SiteWise gateways run on Amazon IoT Greengrass, and Amazon IoT Greengrass core devices use public and private keys to authenticate with the Amazon Cloud and encrypt local secrets, such as OPC-UA authentication secrets. For more information, see Key management in the Amazon IoT Greengrass Version 1 Developer Guide.