Data encryption
The following information explains where Amazon Personalize uses data encryption to protect your data.
Encryption at rest
Any data stored within Amazon Personalize is always encrypted at rest with Amazon Personalize managed Amazon Key Management Service (Amazon KMS) keys. If you provide your own Amazon KMS key during resource creation, Amazon Personalize uses the key to encrypt your data and store it. For example, if you provide a Amazon KMS ARN in the CreateDatasetGroup operation, Amazon Personalize uses the key to encrypt and store data you import into any datasets that you create in that dataset group.
You must grant Amazon Personalize and your Amazon Personalize IAM service role permission to use your key. For more information, see Giving Amazon Personalize permission to use your Amazon KMS key.
For information about data encryption in Amazon S3 see Protecting data using encryption in the Amazon Simple Storage Service User Guide. For information about managing your own Amazon KMS key, see Managing keys in the Amazon Key Management Service Developer Guide.
Encryption in transit
Amazon Personalize uses TLS with Amazon certificates to encrypt any data sent to other Amazon services. Any communication with other Amazon services happens over HTTPS, and Amazon Personalize endpoints support only secure connections over HTTPS.
Amazon Personalize copies data out of your account and processes it in an internal Amazon system. When processing data, Amazon Personalize encrypts data with either a Amazon Personalize Amazon KMS key or any Amazon KMS key you provide.
Key management
Amazon manages any default Amazon KMS keys. It is your responsibility to manage any Amazon KMS keys that you own. You must grant Amazon Personalize and your Amazon Personalize IAM service role permission to use your key. For more information, see Giving Amazon Personalize permission to use your Amazon KMS key.
For information about managing your own Amazon KMS key, see Managing keys in the Amazon Key Management Service Developer Guide.