File size: 1,373 Bytes
975da6d | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | # Encryption at rest for AWS DevOps Agent
AWS DevOps Agent encrypts all customer data at rest. By default, AWS owned keys are used at no additional charge. You can optionally use a customer managed KMS key.
## Customer managed keys
You can specify a customer managed key when creating:
+ **Agent Space** – Encrypts Agent Space details, investigations, skills, and chat
+ **Service** – Encrypts third-party service credentials
### Step 1: Create a customer managed key
Requirements:
| Property | Requirement |
| --- | --- |
| Key type | Symmetric |
| Key spec | SYMMETRIC_DEFAULT |
| Key usage | ENCRYPT_DECRYPT |
### Step 2: Set the key policy
Required KMS actions: kms:DescribeKey, kms:GenerateDataKey, kms:Decrypt, kms:Encrypt, kms:ReEncrypt
Grant permissions to both caller credentials (synchronous operations) and aidevops.amazonaws.com service principal (asynchronous operations like investigations).
### Step 3: Specify the key when creating a resource
In console: Advanced Configuration > Encryption key type > Customer managed key
In API: Include kmsKeyArn parameter
## Encryption context
```
{
"aws-crypto-ec:aws:aidevops:arn": "arn:aws:aidevops:{region}:{accountId}:{resourceType}/{resourceId}"
}
```
## Key management
+ Disabling/deleting KMS key prevents data access
+ Cannot change key after resource creation
+ Monitor key usage via CloudTrail
|