Use Self-Managed Encryption Keys in Confluent Cloud on AWS¶
Protect the data at rest stored in your Confluent Cloud Enterprise or Dedicated Kafka clusters on AWS using AWS Key Management Service to create and manage encryption keys,
Requirements¶
Self-managed encryption keys can be used with supported Kafka clusters on Confluent Cloud created using the Self-managed encryption mode. To use self-managed encryption keys on AWS for supported Kafka cluster types, follow these requirements:
Key creation and management¶
Required RBAC role: OrganizationAdmin or EnvironmentAdmin.
- Create a Dedicated or Enterprise Kafka cluster on AWS using the “Self-managed” encryption mode. After provisioning your Dedicated or Enterprise cluster, you cannot switch modes between Automatic (default) and Self-managed.
- Use AWS Key Management Service (KMS) to generate, use, rotate, and destroy customer master keys (CMKs).
- Only symmetric, software-protected keys are supported.
- Importing key material is not supported.
- AWS KMS External Key Store (XKS) is supported.
- Your External Key Manager (EKM) configuration (including any proxies), AWS External Key Store (XKS), AWS Key Management Service (KMS), and Kafka cluster must all be located in the same AWS region. Cross-region configurations are not supported.
- Each XKS instance must be dedicated exclusively to Confluent. Using XKS keys for other services impacts Confluent’s ability to guarantee SLA performance due to quota conflicts and performance factors outside of Confluent’s control.
- Each XKS instance supports a maximum of four Confluent encryption keys. If you need more than four keys, create additional XKS instances.
- Key rotation:
- Automatic key rotation is available using the AWS KMS console, but manual key rotation is not supported.
- WARNING: Deleting old keys is a permanent operation that cannot be undone and results in data loss.
- Use a unique encryption key for each active cluster.
- If you delete a cluster, the encryption key is released after five days and is available for reuse during cluster creation. As a security best practice, encryption keys should not be reused for production clusters.
FIPS 140-2 certification¶
- Self-managed keys created after March 2023 are FIPS 140-2 Level 3 certified except for AWS regions only offering FIPS 140-2 Level 2 certification. For details, see AWS KMS FAQs.
- You can also use AWS KMS customer managed keys (CMKs) backed by AWS-managed hardware security modules (HSMs) for FIPS 140-2 Level 3 certification.
- For more information, see FIPS 140-2.
Create a Kafka cluster with self-managed encryption¶
Warning
If you accidentally delete the master key, you will no longer be able to access your encrypted data. Neither Confluent nor AWS can regain access to your data.
To create an encrypted Confluent Cloud cluster on AWS that uses a self-managed encryption key:
Navigate to the Clusters page for your environment and click Create cluster if you are creating the first cluster in your environment, or click Add cluster if other clusters exist.
For Select cluster type under Create cluster, select a supported Kafka cluster type, and click Begin Configuration.
For Regions/zones under Create cluster, select AWS as the cloud service provider, select the Region and Availability, and then click Continue.
For Networking under Create cluster, select the networking type and click Continue.
For Security under Create cluster, select Self managed to manage your own encryption key using AWS Key Management Service. Additional steps appear.
Important
- Only symmetric keys are supported.
- Importing key material is not supported.
- The key must be for the same region as the cluster.
Select Create new if you need a new key, or select Use existing if you already have a key.
If you select Create new, go to the AWS KMS (requires sign-in) console and create a new key. Copy the key ARN and then paste it into the Amazon Resource Name (key ID) field.
If you select Use existing, select your key ARN from the drop-down list, then ensure that the policy of the key in your AWS KMS includes the block of code provided in the Confluent Cloud Console.
The key must be for the region selected earlier. The key ARN is a unique, fully-qualified identifier of a customer-managed key (CMK) and cannot be changed. Each Confluent Cloud cluster requires a unique key.
Relevant AWS documentation:
From the Confluent Cloud Console, copy the provided permission statements exactly as-is (do not edit or modify) into the existing Key policy of the ARN in your AWS KMS. The code block gives your AWS key policy authorization to access your Confluent Cloud cluster and authorizes Confluent access to your KMS. For details on how to create and manage your key policy, see Manage Key Policies on Confluent Cloud.
Important
Make sure to append the code block (that includes two new permission statements) immediately after the existing permission statement and remember to add the expected comma separator between the existing statement and the new statements.
After you complete the cluster creation process, this cluster-key pairing is locked. You cannot change it for the lifetime of the cluster. You can still modify permissions related to the key, and also disable or delete it, as long as your AWS permissions allow for it.
The updated key policy should look similar to the following example:
{ "Sid": "Allow Confluent account(s) (152535741197) to use the key", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::152535741197:role/cc-kafka-d45e6381-b878-11ed-bdff-028e28f108bd" ] }, "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "Allow Confluent account(s) (152535741197) to attach persistent resources", "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::152535741197:role/cc-kafka-d45e6381-b878-11ed-bdff-028e28f108bd" ] }, "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": "*" }
Click Continue.
On the Review and launch page, enter a meaningful name in Cluster name and click Launch Cluster.
A successful validation results in the provisioning of your cluster. If the cluster configuration is invalid because the encryption key is not valid or not authorized for Confluent, then you will get an error message indicating so. Close the modal; any invalid fields will be highlighted in the original form. Reenter a valid value in the highlighted field.
Create a key in AWS Management Console or using the AWS CLI.
Create a key resource in Confluent Cloud using the following Confluent CLI command, replacing
<AWS-ARN-ID>with your AWS KMS key ARN.confluent byok create <AWS-ARN-ID>
The command returns the CCK ID (Confluent Cloud key ID) and permission statements to append to the AWS KMS key policy.
For example:
+------------+------------------------------------------------------------------------------+ | ID | cck-stgc7gd47 | | Key | arn:aws:kms:us-east-1:037803949979:key/45aade25-6395-4920-86a8-f52dbeab4639 | | Roles | arn:aws:iam::811656834269:role/cc-kafka-03f3b3dd-924f-11ef-87a7-82d574be0321 | | Cloud | AWS | | State | AVAILABLE | | Created At | 2024-10-24 21:29:14.319331884 | | | +0000 UTC | +------------+------------------------------------------------------------------------------+
Copy and append these permissions into the key policy “Statements” field of the ARN in your AWS key management system to authorize access for your Confluent Cloud cluster.
{ "Sid" : "Allow Confluent accounts to use the key", "Effect" : "Allow", "Principal" : { "AWS" : [ "arn:aws:iam::811656834269:role/cc-kafka-03f3b3dd-924f-11ef-87a7-82d574be0321" ] }, "Action" : [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource" : "" }, { "Sid" : "Allow Confluent accounts to attach persistent resources", "Effect" : "Allow", "Principal" : { "AWS" : [ "arn:aws:iam::811656834269:role/cc-kafka-03f3b3dd-924f-11ef-87a7-82d574be0321" ] }, "Action" : [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource" : "" }
Next, append the permissions to the existing key policy of the ARN in your AWS KMS using AWS console or the following AWS CLI command. Replace the
<key-ID>with the key ID of your AWS KMS key and replace<policy-file>with the path to the file that contains the updated key policy:aws kms put-key-policy --key-id <key-ID> --policy <policy-file>
For details, see Updating key policies in AWS KMS and put-key-policy command in AWS CLI.
Create a Confluent Cloud Dedicated cluster using your customer-managed key, replacing the placeholders with your values.
confluent kafka cluster create <cluster-name> \ --cloud "aws" \ --region "<KMS-region>" \ --type "enterprise|dedicated" \ --cku <CKU-value> \ --byok <CCK-ID>
You can find the CCK ID in the output of the
confluent byok listcommand.
The following Confluent CLI example shows how to create an encrypted Confluent Cloud Kafka cluster using your customer-managed key.
confluent kafka cluster create <cluster-name> \
--cloud "aws" \
--region "<KMS-region>" \
--type "<enterprise|dedicated>" \
--cku <CKU-value> \
--encryption-key "<AWS-ARN-ID>"
To authorize access for Confluent, copy and append the permission statements to the existing “Statements” array field in the key policy of your ARN.
{
"Sid": "Allow Confluent account(s) (152535741197) to use the key",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::152535741197:role/cc-kafka-d45e6381-b878-11ed-bdff-028e28f108bd"
]
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow Confluent account(s) (152535741197) to attach persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::152535741197:role/cc-kafka-d45e6381-b878-11ed-bdff-028e28f108bd"
]
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*"
}
After confirming that you’re authorizing this key, the cluster is created.
When you specify the --encryption-key option, you are prompted to
update your AWS KMS policy.
For details, see: