Encryption using KMS custom encryption key (CMK)

Using CMK with AWS EventBridge Pipes

Custom Encryption Key (CMK)

For Kinesis and EventBridge Pipes to use a customer-managed key (CMK), the key policy of that CMK must be modified to grant Kinesis and EventBridge Pipes the following KMS actions:

kms:Encrypt
kms:Decrypt
kms:ReEncrypt
kms:GenerateDataKey
kms:DescribeKey

What you will need

You will need the following two values:

  1. The ARN of the Kinesis stream used for CTRs (Amazon Connect contact trace records), and
  2. The execution role of the Operata EventBridge Pipe

💡 Tip: Both values can be read from the outputs of the Operata CloudFormation stack that was deployed as part of your integration.

Making changes to KMS Customer-managed keys (CMK)

  1. Log in to the KMS console in AWS
  2. Click Customer-managed keys in the left-hand menu
  3. Select the Key ID that your Kinesis stream uses for encryption
  4. Under Key policy, click Edit
  5. Add the statements shown in the example below to the existing policy (keep the statements that are already there; the editor replaces the whole document)
❗️ Important

Be sure to replace the following two placeholder fields:

 "Resource": "{Kinesis Stream ARN}"
 "Principal": {
   "AWS": "{Execution Role of EventBridge Pipe}"
 }

Example:

 "Resource": "arn:aws:kinesis:us-east-1:8012345678:stream/Operata-Kinesis"
 "Principal": {
   "AWS": "arn:aws:iam::8012345678:role/OperataAWSIntegration-CTR-operataEventBridgePipeRol-R2GazQu5D7mk"
 }

Statements to add:
    {
      "Sid": "AllowKinesisAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "{Kinesis Stream ARN}"
    },
    {
      "Sid": "AllowEventBridgePipeAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "{Execution Role of EventBridge Pipe}"
      },
      "Action": "kms:Decrypt",
      "Resource": "*"
    }
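As an added example (not part of the Operata documentation or its CloudFormation stack), the following Python fills in the two placeholders, appends the two statements above to a key policy without dropping what is already in it, and lists any Allow statement whose Principal is a wildcard with no Condition so it can be reviewed before saving. The existing policy, account id, stream ARN and role ARN are constructed stand-ins, not real values.

```python
import json
import re

# Constructed values for the two fields the page says to replace; not real ARNs.
KINESIS_STREAM_ARN = "arn:aws:kinesis:us-east-1:111122223333:stream/Operata-Kinesis"
PIPE_EXECUTION_ROLE_ARN = "arn:aws:iam::111122223333:role/OperataEventBridgePipeRole-EXAMPLE"

# The two statements from the page, with its placeholders left as written.
NEW_STATEMENTS_TEMPLATE = """[
  {"Sid": "AllowKinesisAccess", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
              "kms:GenerateDataKey*", "kms:DescribeKey"],
   "Resource": "{Kinesis Stream ARN}"},
  {"Sid": "AllowEventBridgePipeAccess", "Effect": "Allow",
   "Principal": {"AWS": "{Execution Role of EventBridge Pipe}"},
   "Action": "kms:Decrypt", "Resource": "*"}
]"""

# Constructed stand-in for the policy already on the CMK (the default root statement).
EXISTING_KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}]}

def merge_key_policy(existing, template, stream_arn, role_arn):
    """Append the page's statements to the existing policy; the console's Edit
    replaces the whole document, so the root statement must survive."""
    filled = (template.replace("{Kinesis Stream ARN}", stream_arn)
                      .replace("{Execution Role of EventBridge Pipe}", role_arn))
    if re.search(r'"\{[^"]*\}"', filled):  # a JSON string still reading "{...}"
        raise ValueError("policy still contains an unreplaced placeholder")
    merged = json.loads(json.dumps(existing))  # deep copy; never mutate the input
    used_sids = {s.get("Sid") for s in merged["Statement"]}
    for stmt in json.loads(filled):
        if stmt["Sid"] in used_sids:
            raise ValueError(f"duplicate Sid {stmt['Sid']!r}")
        merged["Statement"].append(stmt)
    return merged

def wildcard_principals(policy):
    """Sids of Allow statements with Principal '*' and no Condition: review these
    before saving, because they are not scoped to a single AWS account."""
    flagged = []
    for s in policy["Statement"]:
        p = s.get("Principal")
        is_star = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if s.get("Effect") == "Allow" and is_star and "Condition" not in s:
            flagged.append(s.get("Sid"))
    return flagged
```

Paste `json.dumps(merged, indent=2)` into the console editor; if `wildcard_principals` returns anything, tighten that statement (for example with a Condition) before saving.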