
Create a KMS key for TDE

You need to provide an AWS KMS key as the master key in order to enable Transparent Data Encryption (TDE) for your elastic CelerData cluster.

You can either create a new key or use an existing key after granting the IAM user or role access to the key.

note
  • If you choose the Instance Profile-based authentication during cluster deployment, you must grant the key access to the IAM role referenced in the data credential.
  • If you choose the Assumed Role-based authentication during cluster deployment, you must grant the key access to the IAM role you want to use, and configure a trust relationship between this role and the role referenced in the data credential.

For more information, see Authenticate to AWS resources.

Create a KMS key

To create an AWS KMS key, follow these steps:

  1. Sign in to the AWS KMS console as a user with administrator privileges.

  2. In the upper-right corner of the page, select your AWS region.

  3. On the Key Management Service page, click Create a key.

  4. In Step 1 - Configure key, choose Symmetric as the Key type and Encrypt and decrypt as the Key usage.

  5. (Optional) It is recommended that you choose Multi-Region key in the Regionality section under Advanced options for better security of the key. Multi-Region keys are replicated across regions so that you can still access the cluster data if the key in the current region is lost.

  6. Click Next.

  7. In Step 2 - Add labels, enter an alias for the key in the Alias field, and click Next.

  8. In Step 3 - Define key administrative permissions, leave all configurations at their default settings, and click Next again.

  9. In Step 4 - Define key usage permissions, search for and select the IAM user or role authorized to use this key in cryptographic operations.

  10. Click Next. In Step 5 - Edit key policy, leave all configurations at their default settings, and click Next again.

  11. In Step 6 - Review, review the configurations, and click Finish to create the key.

  12. Click the key after it is created. Copy the key ARN from the General configuration section of the key detail page and save it for enabling TDE during cluster deployment.

Grant the IAM user or role the access to an existing KMS key

If you want to re-use an existing KMS key, you must grant access to the key to the IAM user or role authorized to use it in cryptographic operations.

To add the IAM user or role via GUI, follow these steps:

  1. Sign in to the AWS KMS console as a user with administrator privileges.

  2. In the upper-right corner of the page, select your AWS region.

  3. Click the key you want to use. In the Key users section of the Key policy tab, click Add to add the IAM user or role.

  4. Copy the key ARN from the General configuration section of the key detail page and save it for enabling TDE during cluster deployment.

You can also grant the access using a permission policy. Below is an example of the policy:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
          "kms:Decrypt",
          "kms:GenerateDataKey"
        ],
        "Resource": "<YOUR_KMS_KEY_ARN>"
      }
    ]
  }
note

You must replace <YOUR_KMS_KEY_ARN> in the example with the ARN of the KMS key you want to use.
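As an added example (not part of the CelerData documentation), the following Python builds the permission policy above for a given key ARN and checks an arbitrary policy against the least-privilege shape the page describes: only kms:Decrypt and kms:GenerateDataKey, scoped to the single key ARN rather than "*". The account ID and key ID in EXAMPLE_KEY_ARN are constructed placeholders.

```python
import json
import re

# Constructed placeholder ARN (fake account ID and key ID, not a real key).
EXAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# The two actions the TDE permission policy on this page grants.
TDE_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}

# Shape of a KMS key ARN: partition, region, 12-digit account, key/<uuid>.
KEY_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def build_tde_key_policy(key_arn: str) -> dict:
    """Return the page's permission policy with the key ARN filled in."""
    if not KEY_ARN_RE.match(key_arn):
        # Catches the unreplaced <YOUR_KMS_KEY_ARN> placeholder and alias ARNs.
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": sorted(TDE_ACTIONS),
                "Resource": key_arn,
            }
        ],
    }


def check_tde_key_policy(policy: dict, key_arn: str) -> list:
    """Return findings wherever an Allow statement is broader than TDE needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        resources = stmt.get("Resource", [])
        resources = {resources} if isinstance(resources, str) else set(resources)
        # Any extra or wildcard action (e.g. kms:*) exceeds what TDE requires.
        for action in sorted(actions - TDE_ACTIONS):
            findings.append(f"{sid}: unexpected action {action}")
        # The resource must be exactly this key, not "*" or another key.
        for res in sorted(resources - {key_arn}):
            findings.append(f"{sid}: resource not scoped to the TDE key: {res}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_tde_key_policy(EXAMPLE_KEY_ARN), indent=2))
```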