Key management in Amazon Managed Service for Apache Flink - Managed Service for Apache Flink

Amazon Managed Service for Apache Flink (Amazon MSF) was previously known as Amazon Kinesis Data Analytics for Apache Flink.

Key management in Amazon Managed Service for Apache Flink

In Amazon MSF, you can choose to use either Amazon managed keys or your own customer managed keys (CMKs) to encrypt data. CMKs in Amazon Key Management Service (Amazon KMS) are encryption keys that you create, own, and manage yourself.

By default, Amazon MSF uses Amazon owned keys (AOKs) to encrypt your data in ephemeral (running application storage) and durable (durable application storage) storage. This means all data subject to a Flink checkpoint or snapshot is encrypted by default. AOKs are the default encryption method in Amazon MSF and no additional setup is required. To encrypt data in transit, Amazon MSF uses TLS and HTTP+SSL by default and requires no additional setup or configuration.

In Amazon MSF, CMK is a feature where you can encrypt your application's data with a key that you create, own, and manage on Amazon KMS.

What is encrypted with CMKs?

In an Amazon MSF application, data subject to a Flink checkpoint or snapshot is encrypted with the CMK you define for that application. Consequently, your CMK encrypts data stored in both running application storage and durable application storage. The following sections describe the procedure to set up CMKs for your Amazon MSF applications.

Key rotation policy

Amazon MSF doesn't manage the key rotation policy for your CMKs. You're responsible for your own key rotation. This is because you create and maintain CMKs. For information about how to use your key rotation policy with CMK in Amazon MSF, see Key rotation policy.

What isn't encrypted with CMKs?

Sources and sinks

Encryption of data sources and sinks isn't managed by Amazon MSF. It's managed by your source or sink configuration or application connector configuration.

Retroactive application of encryption

CMK in Amazon MSF doesn't support retroactively applying a CMK to an existing historical snapshot.

Log encryption

Currently, Amazon MSF doesn't support log encryption using a KMS CMK for logs generated by your application code jar. You'll need to make sure logs don't contain data that requires CMK encryption.

Encryption of data in transit

You can't use CMK to encrypt data in transit. By default, Amazon MSF encrypts all data in transit using TLS or HTTP and SSL.

Supported KMS key types

CMK in Amazon MSF supports symmetric keys.

KMS key permissions

CMK in Amazon MSF requires permission to perform the following KMS actions. These permissions are necessary to validate access, create CMK encrypted running application storage, and store CMK encrypted application state in durable application storage.

KMS encryption context and constraints

CMK in Amazon MSF provides an encryption context when accessing keys to read or write encrypted data, namely the condition key kms:EncryptionContext:aws:kinesisanalytics:arn, whose value is the ARN of the application. In addition to the encryption context, the source contexts aws:SourceArn and aws:SourceAccount are provided when reading or writing durable application storage.

When creating a grant to provision encrypted running application storage, Amazon MSF CMK creates grants with the constraint type EncryptionContextSubset, ensuring that only the Decrypt operation is allowed through "kms:GrantOperations": "Decrypt".
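The following Python example is added here and is not from the Amazon documentation or the service's own policy template. It builds key policy statements that use the condition keys named above (kms:EncryptionContext:aws:kinesisanalytics:arn, kms:GrantOperations, and the standard kms:GrantConstraintType key) to scope a CMK to one application, and includes a deliberately simplified condition evaluator so you can see why a Decrypt call that carries another application's ARN in its encryption context, or a grant that delegates more than Decrypt, is refused. The account, application and role ARNs are constructed placeholders; only the two actions the text itself shows (Decrypt and CreateGrant) are listed, the full required action list being in the linked permissions documentation.

```python
"""Least-privilege key policy statements for an Amazon MSF CMK, with a
simplified IAM-style condition evaluator (added example, not service code)."""
import json

# Constructed placeholders, not real resources.
ACCOUNT_ID = "123456789012"
APP_ARN = ("arn:aws-cn:kinesisanalytics:us-east-1:123456789012:"
           "application/MyCmkApplication")
OTHER_APP_ARN = ("arn:aws-cn:kinesisanalytics:us-east-1:123456789012:"
                 "application/SomeOtherApplication")
OPERATOR_ROLE_ARN = "arn:aws-cn:iam::123456789012:role/Operator"
# Condition key the service populates on every key-use request (from the text).
CONTEXT_KEY = "kms:EncryptionContext:aws:kinesisanalytics:arn"


def build_statements(app_arn, operator_role_arn):
    """Return key policy statements scoped to a single application.

    Assumption: only Decrypt and CreateGrant are shown here; the service's
    complete action list lives in the linked permissions page."""
    return [
        {
            "Sid": "AllowDecryptForOneApplication",
            "Effect": "Allow",
            "Principal": {"AWS": operator_role_arn},
            "Action": "kms:Decrypt",
            "Resource": "*",
            # The request must name this application in its encryption context.
            "Condition": {"StringEquals": {CONTEXT_KEY: app_arn}},
        },
        {
            "Sid": "AllowDecryptOnlyGrants",
            "Effect": "Allow",
            "Principal": {"AWS": operator_role_arn},
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                # Grants may delegate nothing beyond Decrypt ...
                "ForAllValues:StringEquals": {"kms:GrantOperations": ["Decrypt"]},
                # ... and must carry an EncryptionContextSubset constraint.
                "StringEquals": {"kms:GrantConstraintType": "EncryptionContextSubset"},
            },
        },
    ]


def _condition_holds(condition, request):
    """Evaluate the two operators used above. Real IAM has many more
    operators and rules; this is a teaching approximation."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = request.get(key)
            if operator == "StringEquals":
                # A missing key never satisfies StringEquals.
                if actual != expected:
                    return False
            elif operator == "ForAllValues:StringEquals":
                # IAM quirk: a missing multi-valued key satisfies ForAllValues,
                # so this operator alone cannot *require* the key be present.
                if any(v not in expected for v in (actual or [])):
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def is_allowed(statements, principal, action, request):
    """True if some Allow statement matches principal, action and conditions."""
    for stmt in statements:
        if (stmt["Effect"] == "Allow"
                and stmt["Principal"]["AWS"] == principal
                and stmt["Action"] == action
                and _condition_holds(stmt.get("Condition", {}), request)):
            return True
    return False


if __name__ == "__main__":
    policy = build_statements(APP_ARN, OPERATOR_ROLE_ARN)
    print(json.dumps({"Version": "2012-10-17", "Statement": policy}, indent=2))
    print(is_allowed(policy, OPERATOR_ROLE_ARN, "kms:Decrypt", {CONTEXT_KEY: APP_ARN}))
    print(is_allowed(policy, OPERATOR_ROLE_ARN, "kms:Decrypt", {CONTEXT_KEY: OTHER_APP_ARN}))
```

The evaluator is only there to make the policy's effect concrete; validate real policies with the IAM policy simulator rather than with this code. Note the ForAllValues comment: if a grant request omitted kms:GrantOperations entirely, that operator alone would pass, which is why the statement pairs it with a StringEquals on the constraint type.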

Key rotation policy

Amazon MSF doesn't manage the key rotation policy for your CMKs. You're responsible for your own key rotation because you create and maintain CMKs.

In KMS you use either automatic or manual key rotation to create new cryptographic material for your CMKs. For information about how to rotate your keys, see Rotate Amazon KMS keys in the Amazon Key Management Service Developer Guide.

When you rotate keys for CMKs in Amazon MSF, you must make sure that the operator (API caller) has permissions for both the previous and new key.

Note

An application can start from a snapshot which was encrypted with AOK after it's configured to use CMK. An application can also start from a snapshot which was encrypted with an older CMK. To start an application from a snapshot, the operator (API caller) must have permissions for both the old and new key.

In Amazon MSF, we recommend that you stop and restart your applications using CMK encryption. This ensures the new rotation master key is applied to all data in running application storage and durable application storage. If you don't stop and restart your application, the new key material will only be applied to durable application storage. Running application storage will continue to be encrypted using the previous rotation key material.

If you're changing the Amazon KMS key ARN used for CMK, use UpdateApplication in Amazon MSF. This ensures your Flink application restarts as part of UpdateApplication, applying the CMK changes.

Note

When you provide an alias or alias ARN, Amazon MSF resolves the alias to key ARN and stores the key ARN as the configured key for the application.

Least-privileged key policy statements

For information about key policy statements, see Create a KMS key policy and Application lifecycle operator (API caller) permissions.

Example Amazon CloudTrail log entries

When Amazon MSF uses CMKs in Amazon KMS, Amazon CloudTrail automatically logs all Amazon KMS API calls and related details. These logs contain information such as the Amazon Web Services service making the request, the KMS key ARN, the API actions performed, and timestamps; they never contain the encrypted data itself. These logs provide essential audit trails for compliance, security monitoring, and troubleshooting by showing which services accessed your keys and when.

Example 1: Amazon KMS Decrypt API call using an assumed role in Amazon MSF

The following CloudTrail log shows Amazon MSF performing a test kms:Decrypt operation on a CMK. Amazon MSF makes this request using an Operator role during a CreateApplication API call. The log includes essential details, such as the target KMS key ARN, the associated Amazon MSF application (MyCmkApplication), and the timestamp of the operation.

{
  "eventVersion": "1.11",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "REDACTED",
    "arn": "arn:aws-cn:sts::123456789012:assumed-role/Operator/CmkTestingSession",
    "accountId": "123456789012",
    "accessKeyId": "REDACTED",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "REDACTED",
        "arn": "arn:aws-cn:iam::123456789012:role/Operator",
        "accountId": "123456789012",
        "userName": "Operator"
      },
      "attributes": {
        "creationDate": "2025-08-07T13:29:28Z",
        "mfaAuthenticated": "false"
      }
    },
    "invokedBy": "kinesisanalytics.amazonaws.com"
  },
  "eventTime": "2025-08-07T13:45:45Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "kinesisanalytics.amazonaws.com",
  "userAgent": "kinesisanalytics.amazonaws.com",
  "errorCode": "DryRunOperationException",
  "errorMessage": "The request would have succeeded, but the DryRun option is set.",
  "requestParameters": {
    "encryptionContext": {
      "aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication"
    },
    "keyId": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "dryRun": true
  },
  "responseElements": null,
  "additionalEventData": {
    "keyMaterialId": "REDACTED"
  },
  "requestID": "56764d19-1eb1-48f1-8044-594aa7dd05c4",
  "eventID": "1371b402-f1dc-4c47-8f3a-1004e4803c5a",
  "readOnly": true,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management"
}

Example 2: Amazon KMS Decrypt API call in Amazon MSF with direct service authentication

The following CloudTrail log shows Amazon MSF performing a test kms:Decrypt operation on a CMK. Amazon MSF makes this request through direct Amazon service-to-service authentication instead of assuming a role. The following log includes essential details, such as the target KMS key ARN, associated Amazon MSF application (MyCmkApplication), and a shared event ID of the operation.

{
  "eventVersion": "1.11",
  "userIdentity": {
    "type": "AWSService",
    "invokedBy": "kinesisanalytics.amazonaws.com"
  },
  "eventTime": "2025-08-07T13:45:45Z",
  "eventSource": "kms.amazonaws.com",
  "eventName": "Decrypt",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "kinesisanalytics.amazonaws.com",
  "userAgent": "kinesisanalytics.amazonaws.com",
  "errorCode": "DryRunOperationException",
  "errorMessage": "The request would have succeeded, but the DryRun option is set.",
  "requestParameters": {
    "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
    "keyId": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "encryptionContext": {
      "aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication"
    },
    "dryRun": true
  },
  "responseElements": null,
  "additionalEventData": {
    "keyMaterialId": "REDACTED"
  },
  "requestID": "5fe45ada-7519-4608-be2f-5a9b8ddd62b2",
  "eventID": "6206b08f-ce04-3011-9ec2-55951d357b2c",
  "readOnly": true,
  "resources": [
    {
      "accountId": "123456789012",
      "type": "AWS::KMS::Key",
      "ARN": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "Application-account-ID",
  "sharedEventID": "acbe4a39-ced9-4f53-9f3c-21ef7e89dc37",
  "eventCategory": "Management"
}
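As an added example (not part of the Amazon documentation), the following Python audit turns the two log entries above into a detection check: for every KMS key-use event on the CMK it confirms that the caller was invoked by the Amazon MSF service principal and that the aws:kinesisanalytics:arn encryption context names one of the applications you expect to use that key. The sample records are constructed, condensed versions of Examples 1 and 2 plus two extra constructed records (a direct Decrypt by an operator session with no encryption context, and a call on behalf of an application that should not be using the key); all ARNs and event IDs are placeholders. The DryRunOperationException records are treated as benign, since the text describes them as the service's permission test.

```python
"""Audit CloudTrail KMS events for an Amazon MSF customer managed key.
Added example; records below are constructed, condensed samples."""

CMK_ARN = ("arn:aws-cn:kms:us-east-1:123456789012:"
           "key/1234abcd-12ab-34cd-56ef-1234567890ab")
APP_ARN = ("arn:aws-cn:kinesisanalytics:us-east-1:123456789012:"
           "application/MyCmkApplication")
OTHER_APP_ARN = ("arn:aws-cn:kinesisanalytics:us-east-1:123456789012:"
                 "application/OtherApp")  # constructed, not expected to use the key
EXPECTED_APPS = {APP_ARN}
MSF_PRINCIPAL = "kinesisanalytics.amazonaws.com"
CONTEXT_KEY = "aws:kinesisanalytics:arn"
# KMS operations that use key material; Decrypt is the one shown in the text.
KEY_USE_OPS = {"Decrypt", "Encrypt", "GenerateDataKey", "ReEncrypt"}


def _event(event_id, user_identity, params, error=None, key_arn=CMK_ARN):
    """Build a condensed CloudTrail record (only the fields the audit reads)."""
    rec = {
        "eventSource": "kms.amazonaws.com",
        "eventName": "Decrypt",
        "eventID": event_id,
        "userIdentity": user_identity,
        "requestParameters": {"keyId": key_arn, **params},
        "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}],
    }
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_EVENTS = [
    # Example 1 above: operator role invoked by the service, dry-run probe.
    _event("evt-1",
           {"type": "AssumedRole",
            "arn": "arn:aws-cn:sts::123456789012:assumed-role/Operator/CmkTestingSession",
            "invokedBy": MSF_PRINCIPAL},
           {"encryptionContext": {CONTEXT_KEY: APP_ARN}, "dryRun": True},
           error="DryRunOperationException"),
    # Example 2 above: direct service-to-service authentication, dry-run probe.
    _event("evt-2",
           {"type": "AWSService", "invokedBy": MSF_PRINCIPAL},
           {"encryptionContext": {CONTEXT_KEY: APP_ARN}, "dryRun": True},
           error="DryRunOperationException"),
    # Constructed: a human session calling Decrypt directly, no encryption context.
    _event("evt-3",
           {"type": "AssumedRole",
            "arn": "arn:aws-cn:sts::123456789012:assumed-role/Operator/ConsoleSession"},
           {}),
    # Constructed: the service using the key for an application we did not expect.
    _event("evt-4",
           {"type": "AWSService", "invokedBy": MSF_PRINCIPAL},
           {"encryptionContext": {CONTEXT_KEY: OTHER_APP_ARN}}),
    # Constructed: activity on a different key, which this audit ignores.
    _event("evt-5",
           {"type": "AWSService", "invokedBy": MSF_PRINCIPAL},
           {"encryptionContext": {CONTEXT_KEY: APP_ARN}},
           key_arn="arn:aws-cn:kms:us-east-1:123456789012:key/ffffffff-0000-0000-0000-000000000000"),
]


def uses_cmk(event, cmk_arn):
    """True if the event's resources list or keyId refers to the CMK."""
    arns = {r.get("ARN") for r in event.get("resources", [])}
    arns.add(event.get("requestParameters", {}).get("keyId"))
    return cmk_arn in arns


def audit_events(events, cmk_arn=CMK_ARN, expected_apps=EXPECTED_APPS):
    """Return (eventID, reason) findings for key-use events on the CMK."""
    findings = []
    for ev in events:
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if ev.get("eventName") not in KEY_USE_OPS or not uses_cmk(ev, cmk_arn):
            continue
        eid = ev.get("eventID")
        # Every legitimate use of this key is made on behalf of Amazon MSF.
        if ev.get("userIdentity", {}).get("invokedBy") != MSF_PRINCIPAL:
            findings.append((eid, "caller was not invoked by the Amazon MSF service principal"))
        ctx = ev.get("requestParameters", {}).get("encryptionContext", {})
        app = ctx.get(CONTEXT_KEY)
        if app is None:
            findings.append((eid, f"request carries no {CONTEXT_KEY} encryption context"))
        elif app not in expected_apps:
            findings.append((eid, f"encryption context names unexpected application {app}"))
    return findings


if __name__ == "__main__":
    for event_id, reason in audit_events(SAMPLE_EVENTS):
        print(f"{event_id}: {reason}")
```

Feed it the `Records` array of a CloudTrail log file (or events returned by LookupEvents) in place of SAMPLE_EVENTS. The two checks map directly onto the controls in the text: the encryption context is what the key policy conditions on, and invokedBy is what distinguishes the service acting for your application from a principal using the key on its own.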