Encrypt Astra Managed Clusters databases with AWS Key Management Service customer managed keys
Note: You must configure customer keys before you deploy the databases that will use those keys. You cannot apply a new customer key to an existing database.
You can encrypt your Astra Managed Clusters databases with AWS Key Management Service (KMS) customer managed keys (CMKs).
To do this, you must start the registration process in Astra, create a key in AWS KMS, and then register the key in your Astra organization. This process requires access to both Astra and your cloud provider.
To configure customer key encryption for other cloud providers or Astra DB Serverless databases, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.
Prerequisites
-
Learn how Astra uses customer keys and determine how many keys you need.
-
Access to AWS KMS as an administrator or another IAM role with permissions to create and manage CMKs.
-
The Organization Administrator role or a custom role with the Read CMK Key and Write CMK Key permissions.
To use the DevOps API, you need an application token that carries one of those roles.
Create and register an AWS KMS CMK in the Astra Portal
-
In the Astra Portal header, click Settings.
-
In the Settings navigation menu, make sure the enterprise/organization filter is set to the organization that you want to manage.
If the organization belongs to an enterprise, you must filter on the enterprise, and then click the organization name in the Organizations list.
-
In the Settings navigation menu, click Security.
-
In the Key Encryption section, click Add Keys.
-
For Database Type, select Classic.
-
For Provider, select Amazon Web Services.
-
For Region, select the region where you plan to create your customer key and deploy your database.
You can select from any supported region that is unlocked for your Astra organization. For assistance with unavailable regions, contact IBM Support.
-
After you select a region, make a note of the Cloud Provider ID. This is a unique identifier for a DataStax-owned AWS account. You will use this ID to define the allowed principal in your key policy.
-
Open a new browser tab, navigate to AWS KMS, and then create a symmetric encryption key in the same region that you selected in the Astra Portal.
-
Edit the key policy to include the following policy statement:
{
  "Sid": "Allow an external account to use this KMS key",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::PROVIDER_ID:role/creator" },
  "Action": [
    "kms:EnableKey",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptTo",
    "kms:ReEncryptFrom",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
In the allowed principals, replace PROVIDER_ID with the Cloud Provider ID from the Astra Portal. For more information, see AWS account principals.
Keep the principal scoped to the creator role exactly as shown. Widening it to the account root (arn:aws:iam::PROVIDER_ID:root) would let any IAM identity in that account that has KMS permissions use your key. In a key policy, "Resource": "*" refers only to the key that the policy is attached to.
The key policy must include the following statements and actions, some of which are included in the default key policy:
-
Enable IAM User Permissions
-
Allow an external account to use this KMS key
-
Allow attachment of persistent resources, which grants the following actions:
-
kms:CreateGrant
-
kms:ListGrants
-
kms:RevokeGrant
-
Copy the key’s ARN.
-
In the Astra Portal, paste the key’s ARN in the Key ID field, and then click Add Key.
-
Deploy databases in the same provider-specific region as the registered key.
Astra uses the registered key to encrypt all Astra Managed Clusters databases that you deploy to the same provider-specific region.
Creating new databases and adding regions to multi-region databases are both considered database deployments. For multi-region databases, you must register a key in each desired region before you deploy the database to those regions. For more information, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.
-
Optional: Enable customer key encryption for other regions, providers, or database types.
To enable customer key encryption for Astra Managed Clusters databases in other AWS regions, repeat this entire process for each applicable region.
To configure customer key encryption for other cloud providers or Astra DB Serverless databases, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.
Create and register an AWS KMS CMK with the DevOps API
-
Use the DevOps API to get the DataStax-owned AWS account ID for your key policy:
curl -sS -L -X GET "https://api.astra.datastax.com/v2/kms/classic/provider/aws/region/REGION/accounts" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json"
Replace the following:
-
REGION: A supported AWS region where you plan to create your customer key and your database, such as us-east-2.
-
APPLICATION_TOKEN: An application token with the Read CMK Key and Write CMK Key permissions.
-
Copy the provider_id from the response, which is a unique identifier for a DataStax-owned AWS account. You will use this ID to define the allowed principal in your key policy.
[
  {
    "organization_id": "ORGANIZATION_ID",
    "provider_id": "PROVIDER_ID",
    "provider": "aws"
  }
]
-
In AWS KMS, create a symmetric encryption key in the same region that you used in the previous DevOps API request.
-
Edit the key policy to include the following policy statement:
{
  "Sid": "Allow an external account to use this KMS key",
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::PROVIDER_ID:role/creator" },
  "Action": [
    "kms:EnableKey",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptTo",
    "kms:ReEncryptFrom",
    "kms:DescribeKey"
  ],
  "Resource": "*"
},
In the allowed principals, replace PROVIDER_ID with the provider_id that was returned by the DevOps API. For more information, see AWS account principals.
The key policy must include the following statements and actions, some of which are included in the default key policy:
-
Enable IAM User Permissions
-
Allow an external account to use this KMS key
-
Allow attachment of persistent resources, which grants the following actions:
-
kms:CreateGrant
-
kms:ListGrants
-
kms:RevokeGrant
-
Copy the key’s ARN.
-
Use the DevOps API to register your customer key in your Astra organization:
curl -sS -L -X POST "https://api.astra.datastax.com/v2/kms/classic" \
  --header "Authorization: Bearer APPLICATION_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{
    "orgId": "ORGANIZATION_ID",
    "aws": {
      "keyID": "ARN",
      "region": "REGION"
    }
  }'
Replace the following:
-
APPLICATION_TOKEN: An application token with the Read CMK Key and Write CMK Key permissions.
-
ORGANIZATION_ID: Your Astra organization ID.
-
ARN: Your key's ARN from AWS KMS.
-
REGION: The region where you created your key, such as us-east-2. This must be the same region that appears in the key's ARN.
-
Deploy databases in the same provider-specific region as the registered key.
Astra uses the registered key to encrypt all Astra Managed Clusters databases that you deploy to the same provider-specific region.
Creating new databases and adding regions to multi-region databases are both considered database deployments. For multi-region databases, you must register a key in each desired region before you deploy the database to those regions. For more information, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.
-
Optional: Enable customer key encryption for other regions, providers, or database types.
To enable customer key encryption for Astra Managed Clusters databases in other AWS regions, repeat this entire process for each applicable region.
To configure customer key encryption for other cloud providers or Astra DB Serverless databases, see Prepare to use customer-managed encryption keys with Astra Managed Clusters.
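The following script is an added example for both procedures on this page (the Astra Portal and the DevOps API); it is not DataStax's or AWS's code. It picks the provider_id out of the DevOps API accounts response, builds the external-account statement from the page, checks a full key policy for the three statements the page requires (and flags a wildcard principal), and builds the registration body while refusing a key ARN whose region does not match the region being registered. The organization ID, account IDs and key ARN are constructed placeholders, and the sample policy stands in for the policy you would read back from AWS KMS.

```python
"""Added example (not DataStax's or AWS's code): helpers for the KMS customer key
procedure. All IDs and the ARN below are constructed placeholders."""
import json
import re

# Actions from the page's "Allow an external account to use this KMS key" statement.
EXTERNAL_ACTIONS = {
    "kms:EnableKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncryptTo",
    "kms:ReEncryptFrom", "kms:DescribeKey",
}
# Actions the page lists under "Allow attachment of persistent resources".
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}
# arn:aws:kms:REGION:ACCOUNT:key/UUID
KEY_ARN = re.compile(r"^arn:aws:kms:([a-z0-9-]+):(\d{12}):key/[0-9a-f-]{36}$")


def creator_role_arn(provider_id):
    return f"arn:aws:iam::{provider_id}:role/creator"


def external_account_statement(provider_id):
    """The policy statement from the page with PROVIDER_ID filled in."""
    return {
        "Sid": "Allow an external account to use this KMS key",
        "Effect": "Allow",
        "Principal": {"AWS": creator_role_arn(provider_id)},
        "Action": sorted(EXTERNAL_ACTIONS),
        "Resource": "*",  # in a key policy, "*" means this key only
    }


def provider_id_from_response(body, org_id):
    """Pull the AWS provider_id for org_id out of the GET .../accounts response."""
    for entry in json.loads(body):
        if entry.get("organization_id") == org_id and entry.get("provider") == "aws":
            return entry["provider_id"]
    raise LookupError(f"no AWS provider_id for organization {org_id}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allowed_to(stmt, principal_arn):
    """Actions an Allow statement grants to principal_arn (or to everyone)."""
    if stmt.get("Effect") != "Allow":
        return set()
    principal = stmt.get("Principal", {})
    aws = principal if principal == "*" else principal.get("AWS", [])
    if aws != "*" and principal_arn not in _as_list(aws):
        return set()
    return set(_as_list(stmt.get("Action", [])))


def check_key_policy(policy, provider_id, own_account_id):
    """Findings against the page's requirements; an empty list means the policy passes."""
    findings = []
    stmts = policy.get("Statement", [])
    creator = set().union(*[_allowed_to(s, creator_role_arn(provider_id)) for s in stmts])
    for required in (EXTERNAL_ACTIONS, GRANT_ACTIONS):
        if required - creator:
            findings.append("creator role lacks " + ", ".join(sorted(required - creator)))
    root = set().union(*[_allowed_to(s, f"arn:aws:iam::{own_account_id}:root") for s in stmts])
    if "kms:*" not in root:
        findings.append("missing 'Enable IAM User Permissions' (account root with kms:*)")
    for s in stmts:  # a wildcard principal hands the key to every AWS account
        p = s.get("Principal")
        if s.get("Effect") == "Allow" and (p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")):
            findings.append(f"statement {s.get('Sid')!r} allows any AWS principal")
    return findings


def registration_body(org_id, key_arn, region):
    """Body for POST /v2/kms/classic; refuses a key that lives in another region."""
    match = KEY_ARN.match(key_arn)
    if not match:
        raise ValueError(f"not a KMS key ARN: {key_arn}")
    if match.group(1) != region:
        raise ValueError(f"key is in {match.group(1)} but {region} is being registered")
    return {"orgId": org_id, "aws": {"keyID": key_arn, "region": region}}


# Constructed sample data standing in for the DevOps API response and the AWS key policy.
ORG_ID = "c0ffee00-0000-4000-8000-000000000001"
OWN_ACCOUNT = "444455556666"
ACCOUNTS_RESPONSE = json.dumps(
    [{"organization_id": ORG_ID, "provider_id": "111122223333", "provider": "aws"}])
SAMPLE_ARN = f"arn:aws:kms:us-east-2:{OWN_ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def sample_policy(provider_id):
    """A key policy with the three statements the page requires."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"}, "Action": "kms:*", "Resource": "*"},
        external_account_statement(provider_id),
        {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
         "Principal": {"AWS": creator_role_arn(provider_id)}, "Action": sorted(GRANT_ACTIONS), "Resource": "*"},
    ]}


if __name__ == "__main__":
    pid = provider_id_from_response(ACCOUNTS_RESPONSE, ORG_ID)
    print("findings:", check_key_policy(sample_policy(pid), pid, OWN_ACCOUNT))
    print(json.dumps(registration_body(ORG_ID, SAMPLE_ARN, "us-east-2"), indent=2))
```

To use it against a real key, replace sample_policy with the document returned by aws kms get-key-policy and feed the real accounts response to provider_id_from_response; the checks only evaluate Allow statements, so a separate Deny statement that blocks the creator role would not be reported.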