
Configure AWS KMS for Customer Managed Keys

AVAILABILITY
This document applies to implementations of Experience Platform running on Amazon Web Services (AWS). Experience Platform running on AWS is currently available to a limited number of customers. To learn more about the supported Experience Platform infrastructure, see the Experience Platform multi-cloud overview.
Customer Managed Keys (CMK) on AWS are supported for Privacy and Security Shield but are not available for Healthcare Shield. CMK on Azure is supported for both Privacy and Security Shield and Healthcare Shield.

Use this guide to secure your data with Amazon Web Services (AWS) Key Management Service (KMS) by creating, managing, and controlling encryption keys for Adobe Experience Platform. This integration simplifies compliance, streamlines operations through automation, and eliminates the need to maintain your own key management infrastructure.

For Customer Journey Analytics-specific instructions, refer to the Customer Journey Analytics CMK documentation.

IMPORTANT
Adobe Experience Platform encrypts data at rest by default using system-managed keys. By enabling Customer Managed Keys (CMK), you take full control of your data security. However, this change is irreversible: once CMK is enabled, you cannot revert to system-managed keys. You are responsible for securely managing your keys to ensure uninterrupted access to your data and prevent potential inaccessibility.

Use AWS KMS to enhance data security with integrated encryption key management for Adobe Experience Platform. Follow this guide to create and manage encryption keys, ensuring your data remains protected.

Prerequisites

Before continuing with this document, you should have a good understanding of the following key concepts and capabilities:

  • AWS Key Management Service (KMS): Understand the fundamentals of AWS KMS, including how to create, manage, and rotate encryption keys. Refer to the AWS KMS documentation to learn more.

  • Identity and Access Management (IAM) policies in AWS: IAM is a service that enables you to manage access to AWS services and resources securely. Use IAM to:

    • Define which users, groups, and roles have access to specific resources.
    • Specify which actions users are allowed or denied to perform.
    • Implement fine-grained access control by assigning permissions using IAM policies.
      Refer to the AWS IAM documentation for more information.
  • Data Security in Experience Platform: Explore how Experience Platform ensures data security and integrates with external services like AWS KMS for encryption. Experience Platform protects data with HTTPS TLS v1.2 for transit, cloud-provider encryption at rest, isolated storage, and customizable authentication and encryption options. See the governance, privacy, and security overview, or the document on data encryption in Experience Platform for more information on how your data is kept secure.

  • AWS Management Console: A central hub where you can access and manage all your AWS services from one web-based application. Use the search bar to quickly find tools, check notifications, manage your account and billing, and customize your settings. Refer to the AWS Management Console documentation for more information.

Get started

This guide requires that you already have access to an Amazon Web Services account and access to the management console. Follow the steps below to get started:

Select a supported region

AWS KMS is available in specific regions. Make sure you are operating in a region where KMS is supported. You can view a complete list of supported regions in the AWS documentation.

Ensure your AWS KMS encryption key is in the same region as your Adobe Experience Platform instance to maintain compliance with data residency requirements, optimize performance, and avoid additional cross-region costs. Misaligned regions can result in data inaccessibility and integration failures.
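A pre-flight check for the region requirement above, written as an added example (it is not Adobe's or AWS's own code): it parses a KMS key ARN and reports whether the key sits in the expected region and account and is a single-region key, so a misaligned key is caught before the integration is configured. The region, account ID and key ARNs are constructed placeholders; the `mrk-` prefix test relies on the fact that AWS multi-region key IDs begin with `mrk-`.

```python
import re
from dataclasses import dataclass

# KMS key ARN layout: arn:<partition>:kms:<region>:<account-id>:key/<key-id>
_KEY_ARN = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):key/(?P<key_id>[a-zA-Z0-9-]+)$"
)


@dataclass(frozen=True)
class KeyCheck:
    ok: bool
    problems: tuple  # human-readable reasons the key cannot be used as-is


def check_key_arn(arn: str, platform_region: str, platform_account: str) -> KeyCheck:
    """Return ok=True only when the key lives in the expected region and account
    and is a single-region key. All problems are collected and reported together."""
    m = _KEY_ARN.match(arn)
    if m is None:
        return KeyCheck(False, ("not a KMS key ARN",))
    problems = []
    # The key must be in the same region as the Experience Platform instance.
    if m["region"] != platform_region:
        problems.append(f"key region {m['region']} does not match {platform_region}")
    # Adobe can only reach keys in your own account; a foreign-account key is a misconfiguration.
    if m["account"] != platform_account:
        problems.append(f"key account {m['account']} does not match {platform_account}")
    # Multi-region keys have key IDs starting with "mrk-"; the guide asks for a Single-Region key.
    if m["key_id"].startswith("mrk-"):
        problems.append("key is a multi-region key; create a single-region key instead")
    return KeyCheck(not problems, tuple(problems))


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    arn = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    print(check_key_arn(arn, "us-east-1", "111122223333"))
    print(check_key_arn(arn, "eu-west-1", "111122223333"))
```

Run the check against the ARN shown in the KMS console after key creation; an `ok=False` result with a region mismatch means the key must be recreated in the correct region, since KMS keys cannot be moved between regions.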

Verify permissions

Ensure that you have the necessary AWS Identity and Access Management (IAM) permissions to create, manage, and use encryption keys within KMS. To verify your permissions:

  1. Access the IAM Policy Simulator.
  2. Select your user account or role.
  3. Simulate KMS actions like kms:CreateKey or kms:Encrypt.

If the simulation returns an error or you are unsure about your permissions, consult your AWS administrator for assistance.

Check your AWS account configuration

Confirm that your AWS account is enabled to use AWS KMS services. Most accounts have KMS access enabled by default, but you can review your account setup by visiting the AWS KMS console. For more details, see the AWS KMS documentation.

To begin setting up and managing your encryption key, log in to your AWS account and open the AWS Management Console. Select Key Management Service (KMS) from the services menu.

The search drop down menu of the AWS Management Console with Key Management Service highlighted.

Create a new key

IMPORTANT
Ensure the secure storage, access, and availability of the encryption keys. You are responsible for managing your keys and preventing disruptions to Experience Platform operations.

In the Key Management Service (KMS) workspace, select Create a key.

The Key Management Service workspace with Create a key highlighted.

Configure key settings

The Configure Key workflow appears. By default, the key type is set to Symmetric, and the key usage is set to Encrypt and Decrypt. Ensure that these options are selected before proceeding.

Step one of the Configure key workflow with Symmetric and Encrypt and Decrypt basic options highlighted.

Expand the Advanced options dropdown menu. The KMS option, which lets AWS create and manage the key material, is recommended and is selected by default.

NOTE
If you already have an existing key, you can import external key material or use the AWS CloudHSM key store. These options are not covered in the scope of this document.

Next, select the Regionality setting, which specifies the region scope of the key. Select Single-Region key, then select Next to proceed to step two.

IMPORTANT
AWS enforces region restrictions for KMS keys. This means that the key must be in the same region as your Adobe account. Adobe can only access KMS keys located within your account's region. Ensure that the region you select matches the region of your Adobe single-tenant account.

Step one of the Configure key workflow with the AWS region, KMS, and Single region key advanced options highlighted.

Label and tag your key

The second, Add labels stage of the workflow appears. Here, you configure the Alias and Tags fields to help you manage and locate your encryption key from the AWS KMS console.

Enter a descriptive label for your key in the Alias input field. The alias acts as a user-friendly identifier that lets you quickly locate the key using the search bar in the AWS KMS console. To prevent confusion, choose a meaningful name that reflects the key's purpose, such as “Adobe-Experience-Platform-Key” or “Customer-Encryption-Key.” You can also add a description of the key if the alias alone is insufficient to describe its purpose.

Finally, assign metadata to your key by adding key-value pairs in the Tags section. This step is optional, but you should add tags to categorize and filter AWS resources for easier management. For example, if your organization uses multiple Adobe-related resources, you can tag them with “Adobe” or “Experience-Platform.” This extra step makes it simple to search for and manage all your associated resources in the AWS Management Console. Select Add tag to begin the process.

When you are satisfied with your settings, select Next to continue the workflow.

Step two of the Configure key workflow with the Alias, Description, Tags, and Next highlighted.

Define key administrative permissions

Step three of the key creation workflow appears. To ensure secure and controlled access, you can choose which IAM users and roles can manage the key. There are two options at this stage: Key administrators and Key deletion. In the Key administrators section, select one or more checkboxes next to the name of any user or role that you want to grant administrator permissions for this key.

NOTE
You cannot create administrators at this stage of the workflow.

In the Key deletion section, enable the checkbox to grant key administrators the right to delete this key. If you leave the checkbox cleared, administrative users are not allowed to perform that operation.

Select Next to continue the workflow.

The Define key administrative permissions stage of the workflow, with checkboxes and next highlighted.

Grant access to key users

In step four of the workflow, you can Define key usage permissions. From the Key users list, select the checkboxes for all IAM users and roles that you want to have permission to use this key.

From this view, you can also Add another AWS account; however, adding other AWS accounts is strongly discouraged. Adding another account can introduce risks and complicate permission management for encryption and decryption operations. By keeping the key associated with a single AWS account, Adobe ensures secure integration with AWS KMS, minimizing risks and ensuring reliable operation.

Select Next to continue the workflow.

The Define key usage permissions stage of the workflow, with checkboxes and next highlighted.
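Steps three and four of the console workflow are stored on the key as a key policy. The following added example (not Adobe's or AWS's code) builds that policy from a list of key-administrator and key-user principals, adds the deletion actions only when the "Key deletion" checkbox would be enabled, refuses principals from any other AWS account as the guide advises, and includes a small audit helper that lists foreign-account principals in an existing policy. The statement shapes follow the default key policy the KMS console generates; the account ID and principal ARNs are constructed placeholders.

```python
import json

# Management actions the console grants to key administrators (no data-plane use).
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
]
# Granted to administrators only when the "Key deletion" checkbox is enabled.
DELETION_ACTIONS = ["kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]
# Cryptographic actions the console grants to key users.
USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def _account_of(principal_arn: str) -> str:
    # arn:partition:iam::<account-id>:<resource>  -> index 4 is the account ID
    return principal_arn.split(":")[4]


def build_key_policy(account_id, admins, users, allow_deletion=False):
    """Return the key policy (as a dict) for one account's administrators and users."""
    for arn in (*admins, *users):
        # The guide discourages other accounts: fail closed instead of silently granting access.
        if _account_of(arn) != account_id:
            raise ValueError(f"principal {arn} is not in account {account_id}")
    admin_actions = ADMIN_ACTIONS + (DELETION_ACTIONS if allow_deletion else [])
    statements = [{
        # Root statement the console always includes so IAM policies in the account can govern the key.
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }]
    if admins:
        statements.append({
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {"AWS": list(admins)},
            "Action": admin_actions,
            "Resource": "*",
        })
    if users:
        statements.append({
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": list(users)},
            "Action": USER_ACTIONS,
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def foreign_principals(policy):
    """Audit helper: principals whose account differs from the root statement's account."""
    account = _account_of(policy["Statement"][0]["Principal"]["AWS"])
    found = []
    for statement in policy["Statement"][1:]:
        principals = statement["Principal"]["AWS"]
        for arn in (principals if isinstance(principals, list) else [principals]):
            if _account_of(arn) != account:
                found.append(arn)
    return found


if __name__ == "__main__":
    # Constructed placeholders, not real principals.
    policy = build_key_policy(
        "111122223333",
        admins=["arn:aws:iam::111122223333:role/KmsKeyAdmin"],
        users=["arn:aws:iam::111122223333:role/ExperiencePlatformKeyUser"],
        allow_deletion=True,
    )
    print(json.dumps(policy, indent=2))
```

The generated document can be compared with the policy shown on the key's Key policy tab after creation; `foreign_principals` is useful during periodic review, since a principal from another account appearing there indicates someone has since used Add another AWS account.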

Review key configuration

The review stage of the key configuration appears. Verify the key details in the Key configuration and Alias and description sections.

NOTE
Ensure that the key region is the same as the AWS account.

The Review stage of the workflow with the Key configuration and Alias and description sections highlighted.

Select Confirm to complete the process. You are returned to the KMS Customer Managed Keys workspace that lists all available keys.

Next steps

Once AWS KMS is configured, set up the integration using the Platform Encryption Configuration UI or the Adobe Experience Platform API. To continue the one-time process of enabling the Customer Managed Keys feature, see the UI setup guide.
