Cloud Key Management Service for AWS Volume Encryption


This feature is only available in SingleStore Helios - Dedicated.


Amazon Elastic Block Store (EBS) encryption is supported by all EBS volume types and includes a built-in key management infrastructure. AWS Key Management Service (KMS) is used to envelope encryption with customer master keys (CMK) for use with encrypted volumes.

There are two types of CMK: AWS-managed and customer-managed. Customer-managed CMK provides finer control over who may access encrypted data.

This guide provides instructions on how to create a customer-managed key used for EBS volume encryption, define which users/roles can perform encryption operations with this key, and how to use this key with your SingleStore Helios workspace.


When using a customer-managed key shared with SingleStore Helios, you are accepting the additional terms, conditions, and potential risks pertaining to data availability and loss.

Should the CMK permissions be revoked, or the key deleted, SingleStore Helios will no longer be able to encrypt/decrypt your data. As a consequence, your SingleStore Helios workspace will cease to function immediately, which will likely lead to data consistency and/or workspace stability issues.

Create a Customer-Managed Key

  1. To create a customer-managed key for use with EBS volume encryption, log into the AWS Management Console and navigate to Security, Identity, & Compliance > Key Management Service.

    AWS Management Console window show several services links
  2. From the AWS Key Management Service page, click the Create a key button.

    Note: If this is your first time visiting this page, you may initially be greeted with a welcome page.

    AWS Key Management Services window with several links and info on how it works
  3. On the Configure key page, select the Symmetric key radio button, and click the Next button.

    AWS Configure key window with selectable radial buttons and left nav
  4. On the Add labels page:

    • In the Alias field, enter a key name

    • In the Description field, add an associated description

    Tip: Use an intuitive alias and description to remind you that this key is for use with SingleStore Helios.

    When completed, click the Next button.

    KMS add labels window with several input forms

    The customer-managed key will be created in the AWS KMS as shown below.

    KMS window showing customer managed keys
  5. Now that this customer-managed key has been created, create a Support ticket to enable this feature on your SingleStore Helios workspace. You will be notified when this request has been completed.

Last modified: April 3, 2023

Was this article helpful?