tech-advisor / training /data /raw /aws-devops-agent-security-encryption-at-rest-for-devops-agent.md
aslanconfig's picture
Initial commit: Tech Advisor fine-tuned on AWS DevOps Agent docs
975da6d
|
Raw
History Blame Contribute Delete
1.37 kB

A newer version of the Gradio SDK is available: 6.20.0

Upgrade

Encryption at rest for AWS DevOps Agent

AWS DevOps Agent encrypts all customer data at rest. By default, AWS owned keys are used at no additional charge. You can optionally use a customer managed KMS key.

Customer managed keys

You can specify a customer managed key when creating:

  • Agent Space – Encrypts Agent Space details, investigations, skills, and chat
  • Service – Encrypts third-party service credentials

Step 1: Create a customer managed key

Requirements:

Property Requirement
Key type Symmetric
Key spec SYMMETRIC_DEFAULT
Key usage ENCRYPT_DECRYPT

Step 2: Set the key policy

Required KMS actions: kms:DescribeKey, kms:GenerateDataKey, kms:Decrypt, kms:Encrypt, kms:ReEncrypt

Grant permissions to both caller credentials (synchronous operations) and aidevops.amazonaws.com service principal (asynchronous operations like investigations).

Step 3: Specify the key when creating a resource

In console: Advanced Configuration > Encryption key type > Customer managed key In API: Include kmsKeyArn parameter

Encryption context

{
  "aws-crypto-ec:aws:aidevops:arn": "arn:aws:aidevops:{region}:{accountId}:{resourceType}/{resourceId}"
}

Key management

  • Disabling/deleting KMS key prevents data access
  • Cannot change key after resource creation
  • Monitor key usage via CloudTrail