Customer-Managed Encryption Keys (CMEK)
Konnect supports Customer-Managed Encryption Keys (CMEK), allowing you to use your own symmetric key stored in AWS Key Management Service (KMS) to encrypt a pre-determined set of sensitive data. This feature enhances privacy, security, and regulatory compliance by enabling customer-controlled encryption.
Benefits of CMEK
- Regulatory compliance with standards such as HIPAA, GDPR, and PCI-DSS
- Exclusive decryption access: encrypted data can't be accessed without the key.
- Instant revocation: removing the key from AWS KMS makes the encrypted data in Konnect unreadable.
CMEK scope in Konnect
CMEK currently applies to:
- Payloads captured through the Konnect Debugger
- Request logs stored in Debugger workflows
Configure CMEK
Configuring CMEK consists of creating a symmetric encryption key in AWS KMS and providing the key ARN to Konnect.
Prerequisites
To configure CMEK, you need:
- A symmetric key in AWS KMS
- Org Admin role in Konnect
Create a symmetric encryption key in AWS KMS
- Provision a new multi-region symmetric key in your AWS account using AWS Key Management Service (KMS). The key should be in the AWS region you intend to use in Konnect. A multi-region key is recommended so that the key can be replicated to multiple regions, which can be used for disaster recovery or compliance purposes.
- Ensure the following access policy statement is included in your key policy to allow the cc-konnect role (Konnect) to use your key:
  {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::333402130851:role/cc-konnect"
    },
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GetKeyRotationStatus",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ],
    "Resource": "*"
  }
- Ensure the multi-region key is replicated to all AWS regions that make up a Konnect region. The following table describes which AWS regions map to each Konnect geo:
Konnect geo | AWS region
---|---
AU (Australia) |
EU (Europe) |
ME (Middle East) |
US (United States) |
IN (India) |
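A pre-flight check you can run against a candidate key before linking it in Konnect. This is an added example, not Kong's code or an official Konnect tool: it evaluates the key metadata and key policy documents offline (with boto3 you would pass `kms.describe_key()['KeyMetadata']` and the parsed result of `kms.get_key_policy()`) and reports whether the key is symmetric, multi-region, enabled, and grants the documented cc-konnect role the documented actions. The concrete actions that kms:ReEncrypt* and kms:GenerateDataKey* expand to are my assumption of what to check; Deny statements are not evaluated.

```python
import fnmatch

# Values from the Konnect docs: the Konnect role and the actions its key policy statement lists.
KONNECT_ROLE = "arn:aws:iam::333402130851:role/cc-konnect"
# Assumption: the documented wildcards are checked as these concrete KMS actions.
REQUIRED_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
    "kms:GetKeyRotationStatus", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
}

def allowed_actions_for(policy: dict, principal_arn: str) -> set:
    """Collect the action patterns that Allow statements grant to principal_arn.
    Deny statements and Principal "*" are deliberately not evaluated here."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn not in principals:
            continue
        actions = stmt.get("Action", [])
        granted.update([actions] if isinstance(actions, str) else actions)
    return granted

def check_key_for_konnect(metadata: dict, policy: dict) -> list:
    """Return the problems found; an empty list means the key meets the documented prerequisites."""
    problems = []
    if metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        problems.append("key is not symmetric")
    if not metadata.get("MultiRegion"):
        problems.append("key is not multi-region, so it cannot be replicated across a Konnect geo")
    if metadata.get("KeyState") != "Enabled":
        problems.append("key state is %s; Konnect would show decryption errors" % metadata.get("KeyState"))
    granted = allowed_actions_for(policy, KONNECT_ROLE)
    for action in sorted(REQUIRED_ACTIONS):
        # IAM action wildcards (kms:ReEncrypt*, kms:*) behave like shell globs, so fnmatch covers them
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in granted):
            problems.append("cc-konnect role is not allowed " + action)
    return problems

# Constructed sample inputs: one key that meets the docs, one single-region key with a short policy.
GOOD_METADATA = {"KeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": True, "KeyState": "Enabled"}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": KONNECT_ROLE}, "Resource": "*",
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GetKeyRotationStatus",
               "kms:GenerateDataKey*", "kms:DescribeKey"]}]}
BAD_METADATA = {"KeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": False, "KeyState": "Enabled"}
BAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": KONNECT_ROLE}, "Resource": "*",
    "Action": ["kms:Encrypt", "kms:Decrypt"]}]}

if __name__ == "__main__":
    print(check_key_for_konnect(GOOD_METADATA, GOOD_POLICY))  # []
    print(check_key_for_konnect(BAD_METADATA, BAD_POLICY))
```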
Configure CMEK in Konnect
- In Konnect, navigate to Encryption Keys.
- Click Link key.
- Enter the Name, Amazon Resource Name, description, and Region.
- Click Connect.
User responsibilities
When you configure CMEK, you are responsible for the following:
- Key rotation:
  - AWS KMS takes care of key rotation automatically.
  - Manual rotation with a new ARN requires updating the key in Konnect. If the key's ARN changes, data encrypted with the previous key cannot be decrypted in Konnect.
- Key revocation:
  - Revoking or deleting your key in AWS KMS renders the associated data permanently unreadable.
- Performance impact:
  - KMS-based decryption may introduce latency during access operations.
- Feature limitations:
  - CMEK-encrypted fields cannot be used in full-text search, filtering, or analytics.
  - Alerting features cannot inspect CMEK-encrypted content.
- Cost:
  - Any costs incurred in AWS KMS.
Managing keys
See the following sections for information about how to manage CMEK keys.
Key rotation
- Rotating keys within AWS KMS (without changing the ARN) is supported automatically.
- If you change the ARN, you must update the key in Konnect manually.
- After an ARN change, data encrypted with the previous key cannot be decrypted and will be lost.
Key revocation
The following happens if the AWS KMS key is revoked or deleted:
- The encrypted data becomes inaccessible.
- Konnect displays decryption errors when it tries to read that data.
FAQs
Can I use automation to configure CMEK in Konnect?
Yes, you can use the Konnect UI, API, and Terraform to configure CMEK.
Can I bring in symmetric keys from other key management services?
No. CMEK currently only supports AWS Key Management Service (KMS).