Cloud Key Management Service for AWS Volume Encryption

Note

This feature is available in SingleStore Helios with Enterprise or Premium editions.

Overview

Amazon Elastic Block Store (EBS) encryption is supported by all EBS volume types and includes a built-in key management infrastructure. EBS encryption uses AWS Key Management Service (KMS) to perform envelope encryption with customer master keys (CMKs) on encrypted volumes.

There are two types of CMK: AWS-managed and customer-managed. Customer-managed CMK provides finer control over who may access encrypted data.

This guide provides instructions on how to create a customer-managed key used for EBS volume encryption, define which users/roles can perform encryption operations with this key, and how to use this key with your SingleStore Helios workspace.

Caution

When using a customer-managed key shared with SingleStore Helios, you are accepting the additional terms, conditions, and potential risks pertaining to data availability and loss.

Should the CMK permissions be revoked, or the key deleted, SingleStore Helios will no longer be able to encrypt/decrypt your data. As a consequence, your SingleStore Helios workspace will cease to function immediately, which will likely lead to data consistency and/or workspace stability issues.

Configuring CMEK While Deploying a Workgroup

  1. To create a customer-managed key for use with EBS volume encryption, log into the AWS Management Console and navigate to Security, Identity, & Compliance > Key Management Service.

  2. Select the same region as the workgroup.

  3. Go to the Customer Managed Keys section on the left side.

  4. Click on the Create key button.

  5. Select the Symmetric type.

  6. Click Next until you reach the Key configuration page.

  7. In the Cloud Portal New Deployment page, click on the Enable CMEK button below Advanced Settings and copy the suggested SingleStore policy.

  8. Paste this into the Key policy section. Do not remove the default policy already there; add the SingleStore policy after it, separated by a comma.

  9. Click on Finish.

  10. After creating the KMS key, you will see the ARN. Copy this ARN and go back to the Cloud Portal.

  11. In the Cloud Portal paste the ARN into the Data Bucket Key ID field. The Backup Bucket Key ID (optional) field can be used for creating a backup bucket in AWS. You can paste either the same ARN or the ARN from another KMS key, but all keys should be in the same region as the workspace group.

  12. After creating the workgroup, go to the Security tab. If everything is configured correctly, you should see the ENABLED status. If you provided both keys (dataBucketKeyID and backupBucketKeyID), you will see two lines there.


Configuring CMEK During Replication

The replication process has the following dependencies for configuring CMEK:

  • If CMEK was not configured for the first workgroup, the CMEK button is not visible when configuring the secondary region.

  • If CMEK was configured for the primary region, you cannot add a DB to the replica without configuring CMEK for the secondary region as well. This is mandatory.

  • Only the owner and operator roles can set up CMEK when setting up replication.

  • CMEK can be configured only once; after saving, the settings cannot be changed after failover/failback or after adding a new DB to the workgroup.

To configure CMEK in the secondary region, the steps are as follows:

  1. Go to the Replication tab in the Cloud Portal and click on the Configure Replication button.

  2. Ensure the secondary region is selected correctly and then click the Configure CMEK button.

  3. You will see a new window with the CMEK settings. A valid ARN should be pasted into the Data Bucket Key ID field. The Backup Bucket Key ID (optional) field is responsible only for creating the secondary backup bucket. It can be the same ARN or the ARN of another KMS key, but the key must be from the same region.

  4. You will see two policies:

    • The first policy is for the second KMS key. Copy this policy and paste it into the policy section of the KMS key in AWS intended for the secondary region.

    • The second policy, further down, is for the KMS key (AWS) that was configured when creating the primary workgroup.

    • Do not delete the existing policy for the primary region; just add the additional part, separated by a comma. Keep the Enable CMEK window open during the entire configuration.


Options for Creating the KMS Key for the Secondary Region in AWS

There are two options available for creating the KMS key: the single-region key and the multi-region key.


If you select the Single-region key, you can create only one KMS key in one region. In this case, when you configure CMEK for the secondary region, you need to go to the new region in AWS and create the same single-region KMS key using a new policy that is copied from SingleStore (and ensure you update the policy for the primary KMS key as well).

If you select the Multi-region key, you can create the first KMS key in the selected region and then create new keys in other regions based on it. The policy and ID will be duplicated; only the region changes. In this case, you can create the new KMS key in the required region based on the first one. Open the multi-region KMS key, then go to the Regionality tab > Create new replica keys option.

Select the replica region for the secondary region. Click NEXT and go to the Key Policy page.

Go to the Cloud Portal, open the Replica tab, and click on the Configure CMEK button. Copy the first policy and paste it into this new KMS key. Do not remove the default policy there; just add the policy with a comma, as in Step 8 of the Configuring CMEK While Deploying a Workgroup section above. Finally, click on the I understand checkbox in the Confirmation section and then the Create new replica keys button.


Open the newly created KMS key and copy its ARN, then paste it into the Data Bucket Key ID field in the Customer Portal.

Update the policy for the primary region: copy the second part of the policy that SingleStore provides, then go to the AWS region where the primary workgroup is located and open the KMS key that you used while configuring CMEK for the primary region. Edit the policy and paste the copied part into the KMS key policy. Do not delete the existing policy there; just add the new part with a comma.

Click on the SAVE button in SingleStore and the replication process will start. The S3 bucket in the secondary region will also be encrypted.
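
The policy edits above (Step 8 of the deployment procedure and the primary-key update during replication) both add statements to a key policy that already has content, and every key must be in the workspace group's region. The following Python is an added example, not SingleStore or AWS code; the account IDs, role name, Sid and actions in the sample statement are constructed placeholders, and the real statement is the one the Cloud Portal displays.

```python
import json
import re

# KMS key ARN layout: arn:<partition>:kms:<region>:<account-id>:key/<key-id>
KMS_ARN = re.compile(r"^arn:aws[a-z-]*:kms:([a-z0-9-]+):\d{12}:key/[A-Za-z0-9-]+$")

def key_region(arn):
    m = KMS_ARN.match(arn.strip())
    if not m:
        raise ValueError(f"not a KMS key ARN: {arn!r}")
    return m.group(1)

def check_key_regions(workgroup_region, data_key_arn, backup_key_arn=None):
    # The backup key is optional; every key supplied must match the region.
    for arn in filter(None, (data_key_arn, backup_key_arn)):
        if key_region(arn) != workgroup_region:
            raise ValueError(f"{arn} is not in {workgroup_region}")
    return True

def merge_key_policy(existing_json, added_json):
    """Append statements to a key policy, keeping every existing statement."""
    policy = json.loads(existing_json)
    added = json.loads(added_json)
    # Accept a whole policy document, a list of statements, or one statement.
    if isinstance(added, dict) and "Statement" in added:
        added = added["Statement"]
    if isinstance(added, dict):
        added = [added]
    seen = {s["Sid"] for s in policy["Statement"] if "Sid" in s}
    for stmt in added:
        sid = stmt.get("Sid")
        if sid is not None and sid in seen:  # re-running must not duplicate it
            continue
        policy["Statement"].append(stmt)
        seen.add(sid)
    return json.dumps(policy, indent=2)

# Constructed sample input: AWS's default key policy for a placeholder account
# and a placeholder statement standing in for the one the Cloud Portal shows.
DEFAULT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]})
PORTAL_STATEMENT = json.dumps({
    "Sid": "ExamplePortalStatement", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:role/placeholder-role"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"})
```

Because the merge parses both inputs as JSON, a misplaced comma or a truncated paste fails immediately instead of producing a key policy that drops the default statement.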

Using API

If you use the API while creating a new workgroup, you will not receive the SingleStore policy for the KMS key the first time. Once you configure the KMS key without the policy, SingleStore will provide the policy in the response body and you can then configure the policy correctly.

If you use the API while configuring replication, you will again not receive the SingleStore policy. Two types of policies will be returned after the first request to the server. The first policy is for the secondary region, and the second policy should be used to update the primary KMS key.

Last modified: August 30, 2024
