tech-advisor / training /data /raw /aws-devops-agent-security-encryption-at-rest-for-devops-agent.md
| # Encryption at rest for AWS DevOps Agent | |
| AWS DevOps Agent encrypts all customer data at rest. By default, AWS owned keys are used at no additional charge. You can optionally use a customer managed KMS key. | |
| ## Customer managed keys | |
| You can specify a customer managed key when creating: | |
| + **Agent Space** – Encrypts Agent Space details, investigations, skills, and chat | |
| + **Service** – Encrypts third-party service credentials | |
| ### Step 1: Create a customer managed key | |
| Requirements: | |
| | Property | Requirement | | |
| | --- | --- | | |
| | Key type | Symmetric | | |
| | Key spec | SYMMETRIC_DEFAULT | | |
| | Key usage | ENCRYPT_DECRYPT | | |
| ### Step 2: Set the key policy | |
| Required KMS actions: kms:DescribeKey, kms:GenerateDataKey, kms:Decrypt, kms:Encrypt, kms:ReEncrypt | |
| Grant permissions to both caller credentials (synchronous operations) and aidevops.amazonaws.com service principal (asynchronous operations like investigations). | |
| ### Step 3: Specify the key when creating a resource | |
| In console: Advanced Configuration > Encryption key type > Customer managed key | |
| In API: Include kmsKeyArn parameter | |
| ## Encryption context | |
| ``` | |
| { | |
| "aws-crypto-ec:aws:aidevops:arn": "arn:aws:aidevops:{region}:{accountId}:{resourceType}/{resourceId}" | |
| } | |
| ``` | |
| ## Key management | |
| + Disabling/deleting KMS key prevents data access | |
| + Cannot change key after resource creation | |
| + Monitor key usage via CloudTrail | |