Cloud Key Management Service for AWS Volume Encryption


This feature is only available in SingleStoreDB Cloud - Dedicated.


Amazon Elastic Block Store (EBS) encryption is supported by all EBS volume types and includes a built-in key management infrastructure. EBS uses AWS Key Management Service (KMS) to perform envelope encryption of encrypted volumes with customer master keys (CMKs).

There are two types of CMK: AWS-managed and customer-managed. A customer-managed CMK provides finer control over who may access encrypted data.

This guide provides instructions on how to create a customer-managed key for EBS volume encryption, define which users/roles can perform encryption operations with this key, and use this key with your Managed Service cluster.


When using a customer-managed key shared with Managed Service, you are accepting the additional terms, conditions, and potential risks pertaining to data availability and loss.

Should the CMK permissions be revoked, or the key deleted, Managed Service will no longer be able to encrypt/decrypt your data. As a consequence, your Managed Service cluster will cease to function immediately, which will likely lead to data consistency and/or cluster stability issues.

Create a Customer-Managed Key

  1. To create a customer-managed key for use with EBS volume encryption, log into the AWS Management Console and navigate to Security, Identity, & Compliance > Key Management Service.

  2. From the AWS Key Management Service page, click the Create a key button.

    Note: If this is your first time visiting this page, you may initially be greeted with a welcome page.

  3. On the Configure key page, select the Symmetric key radio button, and click the Next button.

  4. On the Add labels page:

    • In the Alias field, enter a key name

    • In the Description field, add an associated description

    Tip: Use an intuitive alias and description to remind you that this key is for use with SingleStore Managed Service.

    When completed, click the Next button.


    The customer-managed key will be created in AWS KMS.

  5. Now that this customer-managed key has been created, create a Support ticket to enable this feature on your Managed Service cluster. You will be notified when this request has been completed.
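
Because a missing or revoked permission on the key stops the cluster, it is worth checking which principals the key policy actually lets perform encryption operations. The following is an added example, not SingleStore or AWS code. Assumptions: the policy, account IDs and role name are constructed placeholders, the action list is the set AWS documents for using a key with EBS encryption, and `Condition`, `NotAction` and `NotPrincipal` elements are not evaluated.

```python
from fnmatch import fnmatchcase

# Assumption: KMS actions AWS documents for using a key with EBS encryption.
EBS_ACTIONS = ["kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey",
               "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptFrom", "kms:ReEncryptTo"]

# Constructed sample key policy; the account IDs and role name are placeholders.
ROOT = "arn:aws:iam::111122223333:root"
SERVICE_ROLE = "arn:aws:iam::444455556666:role/example-service-role"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow", "Principal": {"AWS": ROOT},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "VolumeEncryption", "Effect": "Allow", "Principal": {"AWS": [SERVICE_ROLE]},
     "Action": ["kms:Decrypt", "kms:DescribeKey",
                "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"], "Resource": "*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [arn for v in principal.values() for arn in _as_list(v)]

def _matching(stmt, principal_arn):
    """EBS actions a statement covers for principal_arn (conditions not evaluated)."""
    names = _principals(stmt)
    if principal_arn not in names and "*" not in names:
        return set()
    patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
    return {a for a in EBS_ACTIONS if any(fnmatchcase(a.lower(), p) for p in patterns)}

def missing_actions(policy, principal_arn):
    """Sorted EBS actions the key policy does not grant to principal_arn."""
    allow, deny = set(), set()
    for stmt in _as_list(policy["Statement"]):
        (allow if stmt.get("Effect") == "Allow" else deny).update(_matching(stmt, principal_arn))
    return sorted(set(EBS_ACTIONS) - (allow - deny))

def wildcard_statements(policy):
    """Sids of Allow statements that are open to any principal ('*')."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _principals(s)]

if __name__ == "__main__":
    print({arn: missing_actions(SAMPLE_POLICY, arn) for arn in (ROOT, SERVICE_ROLE)})
```

In the sample, the placeholder role lacks `kms:CreateGrant`, so the check reports it as missing for that principal.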