Cloud Key Management Service for AWS Volume Encryption

Note

This feature is only available in SingleStore Helios - Dedicated.

Overview

Amazon Elastic Block Store (EBS) encryption is supported by all EBS volume types and includes a built-in key management infrastructure. AWS Key Management Service (KMS) provides envelope encryption with customer master keys (CMK) for use with encrypted volumes.

There are two types of CMK: AWS-managed and customer-managed. A customer-managed CMK provides finer control over who may access encrypted data.

This guide explains how to create a customer-managed key for EBS volume encryption, how to define which users/roles can perform encryption operations with this key, and how to use this key with your SingleStore Helios workspace.

Caution

When using a customer-managed key shared with SingleStore Helios, you are accepting the additional terms, conditions, and potential risks pertaining to data availability and loss.

Should the CMK permissions be revoked, or the key deleted, SingleStore Helios will no longer be able to encrypt/decrypt your data. As a consequence, your SingleStore Helios workspace will cease to function immediately, which will likely lead to data consistency and/or workspace stability issues.

Create a Customer-Managed Key

  1. To create a customer-managed key for use with EBS volume encryption, log in to the AWS Management Console and navigate to Security, Identity, & Compliance > Key Management Service.

  2. From the AWS Key Management Service page, click the Create a key button.

    Note: If this is your first time visiting this page, you may initially be greeted with a welcome page.

  3. On the Configure key page, select the Symmetric key radio button, and click the Next button.

  4. On the Add labels page:

    • In the Alias field, enter a key name

    • In the Description field, add an associated description

    Tip: Use an intuitive alias and description to remind you that this key is for use with SingleStore Helios.

    When completed, click the Next button.

    The customer-managed key will be created in AWS KMS as shown below.

  5. Now that this customer-managed key has been created, create a Support ticket to enable this feature on your SingleStore Helios workspace. You will be notified when this request has been completed.
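
Added example (not part of the original SingleStore guide): the AWS CLI equivalent of steps 3 and 4, with a check that the key is still enabled, since a disabled or deleted key is what stops the workspace. The function names and the sample alias are assumptions; the aws kms subcommands and flags are the standard AWS CLI ones.

```bash
# Added example: AWS CLI equivalent of console steps 3-4, plus a state check.
# Function names are hypothetical; alias/description are the caller's choice.

# KMS accepts only letters, digits, / _ - in an alias, and reserves "aws/".
valid_alias() {
  case "$1" in
    ""|aws/*|*[!A-Za-z0-9/_-]*) return 1 ;;
  esac
  return 0
}

# create_cmk ALIAS DESCRIPTION: prints the new key ID on success.
create_cmk() {
  local alias_name="$1" description="$2" key_id
  valid_alias "$alias_name" || { echo "invalid alias: $alias_name" >&2; return 2; }
  # Do not repoint or shadow an alias that already resolves to a key.
  if aws kms describe-key --key-id "alias/$alias_name" >/dev/null 2>&1; then
    echo "alias/$alias_name already exists" >&2
    return 3
  fi
  # Step 3: symmetric encrypt/decrypt key. Step 4: description, then alias.
  key_id=$(aws kms create-key --key-spec SYMMETRIC_DEFAULT \
    --key-usage ENCRYPT_DECRYPT --description "$description" \
    --query KeyMetadata.KeyId --output text) || return 1
  aws kms create-alias --alias-name "alias/$alias_name" \
    --target-key-id "$key_id" || return 1
  printf '%s\n' "$key_id"
}

# cmk_usable ALIAS: succeeds only if the key is Enabled and symmetric.
# Disabled or PendingDeletion is the outage condition in the Caution above.
cmk_usable() {
  local out
  out=$(aws kms describe-key --key-id "alias/$1" \
    --query '[KeyMetadata.KeyState,KeyMetadata.KeySpec]' --output text) || return 1
  set -- $out   # text output is whitespace-separated: STATE SPEC
  [ "$1" = "Enabled" ] && [ "$2" = "SYMMETRIC_DEFAULT" ]
}

# Usage (needs AWS credentials with kms:CreateKey and kms:CreateAlias):
#   create_cmk singlestore-helios-ebs "EBS volume key for SingleStore Helios"
#   cmk_usable singlestore-helios-ebs || echo "key is not usable" >&2
```

Running cmk_usable on a schedule gives early warning before a disabled key or a scheduled deletion takes the workspace down.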

Last modified: April 3, 2023
