tech-advisor / training /data /raw /aws-devops-agent-security-encryption-at-rest-for-devops-agent.md
A newer version of the Gradio SDK is available: 6.20.0
Encryption at rest for AWS DevOps Agent
AWS DevOps Agent encrypts all customer data at rest. By default, AWS owned keys are used at no additional charge. You can optionally use a customer managed KMS key.
Customer managed keys
You can specify a customer managed key when creating:
- Agent Space – Encrypts Agent Space details, investigations, skills, and chat
- Service – Encrypts third-party service credentials
Step 1: Create a customer managed key
Requirements:
| Property | Requirement |
|---|---|
| Key type | Symmetric |
| Key spec | SYMMETRIC_DEFAULT |
| Key usage | ENCRYPT_DECRYPT |
Step 2: Set the key policy
Required KMS actions: kms:DescribeKey, kms:GenerateDataKey, kms:Decrypt, kms:Encrypt, kms:ReEncrypt
Grant permissions to both caller credentials (synchronous operations) and aidevops.amazonaws.com service principal (asynchronous operations like investigations).
Step 3: Specify the key when creating a resource
In console: Advanced Configuration > Encryption key type > Customer managed key In API: Include kmsKeyArn parameter
Encryption context
{
"aws-crypto-ec:aws:aidevops:arn": "arn:aws:aidevops:{region}:{accountId}:{resourceType}/{resourceId}"
}
Key management
- Disabling/deleting KMS key prevents data access
- Cannot change key after resource creation
- Monitor key usage via CloudTrail