# Key management in Amazon Managed Service for Apache Flink Key management in Amazon MSF In Amazon MSF, you can choose to use either [Amazon managed keys](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html) or your own [customer managed keys (CMKs)](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#customer-mgn-key) to encrypt data. CMKs in Amazon Key Management Service (Amazon KMS) are encryption keys that you create, own, and manage yourself. **Topics** + [ ## Transparent encryption in Amazon MSF ](#transparent-encryption-flink) + [ ## Customer managed keys in Amazon MSF ](#cmk-flink) + [ # Using customer managed keys in Amazon MSF ](use-cmk-flink.md) + [ # Managing CMK using Amazon Web Services Management Console ](manage-cmk-console.md) + [ # Managing CMK using APIs ](manage-cmk-api.md) ## Transparent encryption in Amazon MSF By default, Amazon MSF uses Amazon owned keys (AOKs) to encrypt your data in ephemeral (running application storage) and durable (durable application storage) storage. This means all data subject to a Flink [checkpoint](how-fault.md) or [snapshot](how-snapshots.md) will be encrypted by default. AOKs are the default encryption method in Amazon MSF and no additional set up is required. To encrypt data in transit, Amazon MSF uses TLS and HTTP\$1SSL by default and requires no additional set up or configuration. ## Customer managed keys in Amazon MSF In Amazon MSF, CMK is a feature where you can encrypt your application's data with a key that you create, own, and manage on Amazon KMS. **Topics** + [ ### What is encrypted with CMKs? ](#what-is-encrypted-cmk) + [ ### What isn't encrypted with CMKs? ](#what-is-not-encrypted-cmk) + [ ### Supported KMS key types ](#supported-kms-key-types) + [ ### KMS key permissions ](#kms-key-permissions) + [ ### KMS encryption context and constraints ](#kms-encryption-context-constraints) + [ ### Key rotation policy ](#kms-key-rotation-policy) + [ ### Least-privileged key policy statements ](#kms-least-privilege-policy-examples) + [ ### Example Amazon CloudTrail log entries ](#kms-cloudtrail-log-entries) ### What is encrypted with CMKs? In an Amazon MSF application, data subject to a Flink checkpoint or snapshot will be encrypted with a CMK you define for that application. Consquently, your CMK will encrypt data stored in either running application storage or durable application storage. The [following sections](manage-cmk-api.md) describe the procedure to set up CMKs for your Amazon MSF applications. **Key rotation policy** Amazon MSF doesn't manage the key rotation policy for your CMKs. You're responsible for your own key rotation. This is because you create and maintain CMKs. For information about how to use your key rotation policy with CMK in Amazon MSF, see [Key rotation policy](#kms-key-rotation-policy). ### What isn't encrypted with CMKs? **Sources and sinks** Encryption of data sources and sinks isn't managed by Amazon MSF. It's managed by your source or sink configuration or application connector configuration. **Retroactive application of encryption** CMK in Amazon MSF doesn't provide support to retroactively apply CMKs to an existing historic snapshot. **Log encryption** Currently, Amazon MSF doesn't support log encryption using KMS CMK for logs generated by your application code jar. You'll need to make sure logs don't contain data that require CMK encryption. **Encryption of data in transit** You can't use CMK to encrypt data in transit. By default, Amazon MSF encrypts all data in transit using TLS or HTTP and SSL. ### Supported KMS key types CMK in Amazon MSF supports [symmetric keys](https://docs.amazonaws.cn/kms/latest/developerguide/symm-asymm-choose-key-spec.html#symmetric-cmks). ### KMS key permissions CMK in Amazon MSF requires permission to perform the following KMS actions. These permissions are necessary to validate access, create CMK encrypted running application storage, and store CMK encrypted application state in durable application storage. + **[kms:DescribeKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_DescribeKey.html)** Grants permission to resolve a KMS key alias to the key ARN. + **[kms:Decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html)** Grants permission to accesses durable application state and provision running application storage. + **[kms:GenerateDataKey](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKey.html)** Grants permission to store durable application state. + **[kms:GenerateDataKeyWithoutPlaintext](https://docs.amazonaws.cn/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html)** Grants permission to provision running application storage. + **[kms:CreateGrant](https://docs.amazonaws.cn/kms/latest/APIReference/API_CreateGrant.html)** Grants permission to access running application storage. ### KMS encryption context and constraints CMK in Amazon MSF provides encryption context when accessing keys to read or write encrypted data, that is, `kms:EncryptionContext:aws:kinesisanalytics:arn`. In addition to encryption context, source contexts [aws:SourceArn](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [aws:SourceAccount](https://docs.amazonaws.cn/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) are provided when reading or writing durable application storage. When creating grant to provision encrypted running application storage, Amazon MSF CMK creates grants with constraint type [EncryptionContextSubset](https://docs.amazonaws.cn/kms/latest/developerguide/create-grant-overview.html#grant-constraints) ensuring that only [Decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html) operation is allowed through `"kms:GrantOperations": "Decrypt"`. ### Key rotation policy Amazon MSF doesn't manage the key rotation policy for your CMKs. You're responsible for your own key rotation because you create and maintain CMKs. In KMS you use either automatic or manual key rotation to create new cryptographic material for your CMKs. For information about how to rotate your keys, see [Rotate Amazon KMS keys](https://docs.amazonaws.cn/kms/latest/developerguide/rotate-keys.html) in the *Amazon Key Management Service Developer Guide*. When you rotate keys for CMKs in Amazon MSF, you must make sure that the operator (API caller) has permissions for both the previous and new key. **Note** An application can start from a snapshot which was encrypted with AOK after it's configured to use CMK. An application can also start from a snapshot which was encrypted with an older CMK. To start an application from a snapshot, the operator (API caller) must have permissions for both the old and new key. In Amazon MSF, we recommend that you stop and restart your applications using CMK encryption. This ensures the new rotation master key is applied to all data in running application storage and durable application storage. If you don't stop and restart your application, the new key material will only be applied to durable application storage. Running application storage will continue to be encrypted using the previous rotation key material. If you're changing the Amazon KMS key ARN used for CMK you should use [UpdateApplication](https://docs.amazonaws.cn/managed-flink/latest/apiv2/API_UpdateApplication.html) in Amazon MSF. This will ensure your Flink application will restart as part of `UpdateApplication` applying the CMK changes. **Note** When you provide an alias or alias ARN, Amazon MSF resolves the alias to key ARN and stores the key ARN as the configured key for the application. ### Least-privileged key policy statements For information about key policy statements, see [Create a KMS key policy](manage-cmk-api.md#create-cmk-kms-key-policy) and [Application lifecycle operator (API caller) permissions](manage-cmk-api.md#create-cmk-kms-api-caller-permissions). ### Example Amazon CloudTrail log entries When Amazon MSF uses CMKs in Amazon KMS, Amazon CloudTrail automatically logs all Amazon KMS API calls and related details. These logs contain information, such as Amazon Web Services service making the request, KMS key ARN, API actions performed, and timestamps excluding the encrypted data. These logs provide essential audit trails for compliance, security monitoring, and troubleshooting by showing which services accessed your keys and when. **Example 1: Amazon KMS Decrypt API call using an assumed role in Amazon MSF** The following CloudTrail log shows Amazon MSF performing a test [kms:Decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html) operation on a CMK. Amazon MSF makes this request using an **Operator** role while using the [CreateApplication](https://docs.amazonaws.cn/managed-flink/latest/apiv2/API_CreateApplication.html) API. The following log includes essential details, such as the target KMS key ARN, associated Amazon MSF application (*MyCmkApplication*), and timestamp of the operation. ``` { "eventVersion": "1.11", "userIdentity": { "type": "AssumedRole", "principalId": "REDACTED", "arn": "arn:aws-cn:sts::123456789012:assumed-role/Operator/CmkTestingSession", "accountId": "123456789012", "accessKeyId": "REDACTED", "sessionContext": { "sessionIssuer": { "type": "Role", "principalId": "REDACTED", "arn": "arn:aws-cn:iam::123456789012:role/Operator", "accountId": "123456789012", "userName": "Operator" }, "attributes": { "creationDate": "2025-08-07T13:29:28Z", "mfaAuthenticated": "false" } }, "invokedBy": "kinesisanalytics.amazonaws.com" }, "eventTime": "2025-08-07T13:45:45Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "kinesisanalytics.amazonaws.com", "userAgent": "kinesisanalytics.amazonaws.com", "errorCode": "DryRunOperationException", "errorMessage": "The request would have succeeded, but the DryRun option is set.", "requestParameters": { "encryptionContext": { "aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication" }, "keyId": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "dryRun": true }, "responseElements": null, "additionalEventData": { "keyMaterialId": "REDACTED" }, "requestID": "56764d19-1eb1-48f1-8044-594aa7dd05c4", "eventID": "1371b402-f1dc-4c47-8f3a-1004e4803c5a", "readOnly": true, "resources": [ { "accountId": "123456789012", "type": "AWS::KMS::Key", "ARN": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "123456789012", "eventCategory": "Management" } ``` **Example 2: Amazon KMS Decrypt API call in Amazon MSF with direct service authentication** The following CloudTrail log shows Amazon MSF performing a test [kms:Decrypt](https://docs.amazonaws.cn/kms/latest/APIReference/API_Decrypt.html) operation on a CMK. Amazon MSF makes this request through direct Amazon service-to-service authentication instead of assuming a role. The following log includes essential details, such as the target KMS key ARN, associated Amazon MSF application (*MyCmkApplication*), and a shared event ID of the operation. ``` { "eventVersion": "1.11", "userIdentity": { "type": "AWSService", "invokedBy": "kinesisanalytics.amazonaws.com" }, "eventTime": "2025-08-07T13:45:45Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "awsRegion": "us-east-1", "sourceIPAddress": "kinesisanalytics.amazonaws.com", "userAgent": "kinesisanalytics.amazonaws.com", "errorCode": "DryRunOperationException", "errorMessage": "The request would have succeeded, but the DryRun option is set.", "requestParameters": { "encryptionAlgorithm": "SYMMETRIC_DEFAULT", "keyId": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "encryptionContext": { "aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication" }, "dryRun": true }, "responseElements": null, "additionalEventData": { "keyMaterialId": "REDACTED" }, "requestID": "5fe45ada-7519-4608-be2f-5a9b8ddd62b2", "eventID": "6206b08f-ce04-3011-9ec2-55951d357b2c", "readOnly": true, "resources": [ { "accountId": "123456789012", "type": "AWS::KMS::Key", "ARN": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" } ], "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId": "Application-account-ID", "sharedEventID": "acbe4a39-ced9-4f53-9f3c-21ef7e89dc37", "eventCategory": "Management" } ``` # Using customer managed keys in Amazon MSF Using customer managed keys You need to consider the following factors when establishing, managing, and operating Amazon MSF applications subject to a CMK policy. **Customer managed key** This is the [key policy](https://docs.amazonaws.cn/kms/latest/developerguide/key-policies.html) and [key material](https://docs.amazonaws.cn/kms/latest/developerguide/concepts.html#key-material). You'll need to create a key which is used to encrypt your application state in running application storage and durable application storage. **Application lifecycle operator (API caller)** This is the **Operator** IAM user or role. The Operator can be a human or an automation, such as a CI/CD pipeline that will create, deploy, and run the Amazon MSF application. The application lifecycle Operator can either be an IAM role or user. **Note** It's possible that the key administrator and operator are the same person. In this case, we recommend that you always use separate roles or users. **Application** This is the Amazon MSF application you create. The application execution (IAM) role requires no changes to use CMK. For more information about IAM in Amazon MSF, see [Identity and Access Management for Amazon Managed Service for Apache Flink](security-iam.md). **Dependencies between policies** There are interdependencies between the key policy assigned to the CMK, and the IAM policy defining the permissions of the application lifecycle operator. You might want to create them in the following order: Create the Operator IAM user or role without IAM policy defining permissions for CMK. The Operator creates the application with AOK. Create the key administrator with permissions to manage KMS keys. The key administrator creates the CMK. The key policy references to the Operator and administrator role ARNs, and to the application ARN. For more information, see [Create a KMS key policy](manage-cmk-api.md#create-cmk-kms-key-policy). Create an IAM policy for the Operator allowing to manage CMK for the application. For more information, see [Application lifecycle operator (API caller) permissions](manage-cmk-api.md#create-cmk-kms-api-caller-permissions). Attach the new IAM policy to the Operator. The Operator updates the application enabling CMK. For more information, see [Update an existing application to use CMK](manage-cmk-api.md#update-existing-app-use-cmk-api). If the application doesn’t exist, create the application without CMK. The following illustration shows how CMK is implemented in Amazon MSF. ![\[Implementation of customer managed keys in Amazon MSF.\]](http://docs.amazonaws.cn/en_us/managed-flink/latest/java/images/MSF_CMK_architecture.png) 1. **Customer managed key (CMK)**: Comprises key policy and key material. 1. **Key administrator**: The `KeyAdmin` IAM user or role. 1. **Application lifecycle operator (API caller)**: The operator IAM user or role. 1. **Application**: Has an execution (IAM) role attached. # Managing CMK using Amazon Web Services Management Console Managing CMK using console This topic describes how to create and update your KMS CMKs using the Amazon Web Services Management Console. To follow the procedures described in this topic, you must have permission to manage the KMS key and the Amazon MSF application. The procedures in this topic use a permissive key policy, which is for demonstration and testing purposes only. We **don't recommend** using such a permissive key policy for production workloads. For production workloads, you can use the console, but in real-life scenarios, roles, permissions, and workflows are isolated. Before you start, create a KMS key. For information about creating a KMS key, see [Create a KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/create-keys.html) in the *Amazon Key Management Service Developer Guide*. ## Create and assign KMS keys 1. Sign in to the Amazon Web Services Management Console, and open the Amazon MSF console at https://console.aws.amazon.com/flink. 1. On the **Streaming applications** page, choose **Create streaming application**. 1. For **Apache Flink version**, make sure that you choose **Apache Flink 1.20**. 1. For **Encryption**, choose **Use customer managed key**. 1. If you don't have a KMS key, choose **Create an Amazon KMS key**, and create a KMS key. For information about how to create the key, see [Using the Amazon KMS console](https://docs.amazonaws.cn/kms/latest/developerguide/create-symmetric-cmk.html) in the *Amazon Key Management Service Developer Guide*. 1. If you don't have a KMS key, choose **Create an Amazon KMS key**, and create a KMS key. For information about how to create the key using console, see [Create a symmetric encryption KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/create-symmetric-cmk.html). 1. Choose the key in the selector you want to use. Remember only the key with **Enabled** status is allowed. ## Update an existing application to use CMK 1. Sign in to the Amazon Web Services Management Console, and open the Amazon MSF console at https://console.aws.amazon.com/flink. 1. On the **Streaming applications** page, choose an application with Flink version 1.20. 1. Choose **Configure**. 1. For **Encryption**, choose **Use customer managed key**. 1. If you don't have a KMS key, choose **Create an Amazon KMS key**, and create a KMS key. For information about how to create the key using console, see [Create a symmetric encryption KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/create-symmetric-cmk.html). 1. Choose the key in the selector you want to use. Remember only the key with **Enabled** status is allowed. ## Switch from CMK to an Amazon owned key 1. Sign in to the Amazon Web Services Management Console, and open the Amazon MSF console at https://console.aws.amazon.com/flink. 1. On the **Streaming applications** page, choose an application with Flink version 1.20. 1. Choose **Configure**. 1. For **Encryption**, choose **Use Amazon owned key**. # Managing CMK using APIs This topic describes how to create, and update your KMS CMKs using Amazon MSF APIs. To follow the procedures described in this topic, you must have permission to manage the KMS key and the Amazon MSF application. The procedures in this topic use a permissive key policy, which is for demonstration and testing purposes only. We **don't recommend** using such a permissive key policy for production workloads. In real-life scenarios for production workloads, roles, permissions, and workflows are isolated. **Topics** + [ ## Create and assign KMS keys ](#create-assign-cmk-api) + [ ## Update an existing application to use CMK ](#update-existing-app-use-cmk-api) + [ ## Revert from CMK to Amazon owned key ](#revert-cmk-to-aok-api) ## Create and assign KMS keys Before you start, create a KMS key. For information about creating a KMS key, see [Create a KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/create-keys.html) in the *Amazon Key Management Service Developer Guide*. **Topics** + [ ### Create a KMS key policy ](#create-cmk-kms-key-policy) + [ ### Application lifecycle operator (API caller) permissions ](#create-cmk-kms-api-caller-permissions) ### Create a KMS key policy To use CMK in Amazon MSF, you must add the following service principals to your key policy: `kinesisanalytics.amazonaws.com` and `infrastructure.kinesisanalytics.amazonaws.com`. Amazon MSF uses these service principals for validation and resource access. If you don't include these service principals, Amazon MSF rejects the request. The following KMS key policy enables Amazon MSF to use a CMK for the application, *MyCmkApplication*. This policy grants necessary permissions to both the **Operator** role and Amazon MSF service principals, `kinesisanalytics.amazonaws.com` and `infrastructure.kinesisanalytics.amazonaws.com`, to perform the following operations: + Describe the CMK + Encrypt the application data + Decrypt the application data + Create grants for the key The following example uses IAM roles. You can create the key policy for the KMS key using the following example as template, but make sure to do the following: + Replace `arn:aws-cn:iam::123456789012:role/Operator` with the **Operator** role. You must create the **Operator** role or user before creating the key policy. Failing to do this will cause the failure of your request. + Replace `arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication` with your application's ARN. + Replace `kinesisanalytics.us-east-1.amazonaws.com` with a service value for the corresponding Region. + Replace *123456789012* with your account idKey policy for CMK. + Add additional policy statements to [allow key administrators to administer the KMS key](https://docs.amazonaws.cn/kms/latest/developerguide/key-policy-default.html#key-policy-default-allow-administrators). Failing to do this will cause loss of access to manage the key. The following key policy statements are large because they are intended to be explicit and show the conditions that each action requires. ``` { "Version":"2012-10-17", "Id": "MyMsfCmkApplicationKeyPolicy", "Statement": [ { "Sid": "AllowOperatorToDescribeKey", "Effect": "Allow", "Principal": { "AWS": "arn:aws-cn:iam::123456789012:role/Operator" }, "Action": "kms:DescribeKey", "Resource": "*", "Condition": { "StringEquals": { "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com" } } }, { "Sid": "AllowOperatorToConfigureAppToUseKeyForApplicationState", "Effect": "Allow", "Principal": { "AWS": "arn:aws-cn:iam::123456789012:role/Operator" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com" } } }, { "Sid": "AllowOperatorToConfigureAppToCreateGrantForRunningState", "Effect": "Allow", "Principal": { "AWS": "arn:aws-cn:iam::123456789012:role/Operator" }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com", "kms:GrantConstraintType": "EncryptionContextSubset" }, "ForAllValues:StringEquals": { "kms:GrantOperations": "Decrypt" } } }, { "Sid": "AllowMSFServiceToDescribeKey", "Effect": "Allow", "Principal": { "Service": [ "kinesisanalytics.amazonaws.com", "infrastructure.kinesisanalytics.amazonaws.com" ] }, "Action": "kms:DescribeKey", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceArn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", "aws:SourceAccount": "123456789012" } } }, { "Sid": "AllowMSFServiceToGenerateDataKeyForDurableState", "Effect": "Allow", "Principal": { "Service": "kinesisanalytics.amazonaws.com" }, "Action": [ "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringEquals": { "aws:SourceArn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", "aws:SourceAccount": "123456789012" } } }, { "Sid": "AllowMSFServiceToDecryptForDurableState", "Effect": "Allow", "Principal": { "Service": "kinesisanalytics.amazonaws.com" }, "Action": [ "kms:Decrypt" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication" } } }, { "Sid": "AllowMSFServiceToUseKeyForRunningState", "Effect": "Allow", "Principal": { "Service": [ "infrastructure.kinesisanalytics.amazonaws.com" ] }, "Action": [ "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication" } } }, { "Sid": "AllowMSFServiceToCreateGrantForRunningState", "Effect": "Allow", "Principal": { "Service": [ "infrastructure.kinesisanalytics.amazonaws.com" ] }, "Action": "kms:CreateGrant", "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", "kms:GrantConstraintType": "EncryptionContextSubset" }, "ForAllValues:StringEquals": { "kms:GrantOperations": "Decrypt" } } } ] } ``` ### Application lifecycle operator (API caller) permissions The following IAM policy ensures that the application lifecycle operator has the necessary permissions to assign a KMS key to the application, *MyCmkApplication*. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowMSFAPICalls", "Effect": "Allow", "Action": "kinesisanalytics:*", "Resource": "*" }, { "Sid": "AllowPassingServiceExecutionRole", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws-cn:iam::123456789012:role/MyCmkApplicationRole" }, { "Sid": "AllowDescribeKey", "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Condition": { "StringEquals": { "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com" } } }, { "Sid": "AllowMyCmkApplicationKeyOperationsForDurableState", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Condition": { "StringEquals": { "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com", "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication" } } }, { "Sid": "AllowMyCmkApplicationKeyOperationsForRunningState", "Effect": "Allow", "Action": [ "kms:Decrypt", "kms:GenerateDataKeyWithoutPlaintext" ], "Resource": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Condition": { "StringEquals": { "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com", "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication" } } }, { "Sid": "AllowMyCmkApplicationCreateGrantForRunningState", "Effect": "Allow", "Action": "kms:CreateGrant", "Resource": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab", "Condition": { "ForAllValues:StringEquals": { "kms:GrantOperations": "Decrypt" }, "StringEquals": { "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com", "kms:EncryptionContext:aws:kinesisanalytics:arn": "arn:aws-cn:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", "kms:GrantConstraintType": "EncryptionContextSubset" } } } ] } ``` ------ ## Update an existing application to use CMK In Amazon MSF, you can apply a CMK policy to an existing application that uses Amazon owned keys (AOKs). By default, Amazon MSF uses AOKs to encrypt all your data in ephemeral (running application storage) and durable (durable application storage) storage. This means all data subject to a Flink [checkpoint](how-fault.md) or [snapshot](how-snapshots.md) are encrypted using AOKs by default. When you replace the AOK with a CMK, new checkpoints and snapshots are encrypted with CMK. However, historic snapshots will remain encrypted with the AOK. **To update an existing application to use CMK** 1. Create a JSON file with the following configuration. Make sure that you replace the value of `CurrentApplicationVersionId` to the current version number of the application. You can get the current version number of your application, using [DescribeApplication](https://docs.amazonaws.cn/managed-flink/latest/apiv2/API_DescribeApplication.html). In this JSON configuration, remember to replace the *sample* values with the actual values. ``` { "ApplicationName": "MyCmkApplication", "CurrentApplicationVersionId": 1, "ApplicationConfigurationUpdate": { "ApplicationEncryptionConfigurationUpdate": { "KeyTypeUpdate": "CUSTOMER_MANAGED_KEY", "KeyIdUpdate": "arn:aws-cn:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab" } } } ``` 1. Save this file. For example, save it with the name **enable-cmk.json**. 1. Run the [update-application](https://docs.amazonaws.cn/cli/latest/reference/kinesisanalyticsv2/update-application.html) Amazon CLI command as shown in the following example. In this command, provide the JSON configuration file you created in the previous steps as the file argument. ``` aws kinesisanalyticsv2 update-application \ --cli-input-json file://enable-cmk.json ``` The preceding configuration is accepted to update the application for using CMK only if the following conditions are met: + API caller has a policy statement that allows access to the key. + Key policy has a policy statement that allows API caller access to the key. + Key policy has a policy statement that allows the Amazon MSF service principal, for example, `kinesisanalytics.amazonaws.com` access to the key. ## Revert from CMK to Amazon owned key **To revert from CMK to an AOK** 1. Create a JSON file with the following configuration. In this JSON configuration, remember to replace the *sample* values with the actual values. ``` { "ApplicationName": "MyCmkApplication", "CurrentApplicationVersionId": 1, "ApplicationConfigurationUpdate": { "ApplicationEncryptionConfigurationUpdate": { "KeyTypeUpdate": "AWS_OWNED_KEY" } } } ``` 1. Save this file. For example, save it with the name **disable-cmk.json**. 1. Run the [update-application](https://docs.amazonaws.cn/cli/latest/reference/kinesisanalyticsv2/update-application.html) Amazon CLI command as shown in the following example. In this command, provide the JSON configuration file you created in the previous steps as the file argument. ``` aws kinesisanalyticsv2 update-application \ --cli-input-json file://disable-cmk.json ```