Encryption Everywhere with your own KMS Key
By default, Engineering Development Hub (EDH) encrypts all data at rest using AWS Key Management Service (KMS). The default encryption uses AWS-managed KMS keys that are unique to your account. If you need more control over key rotation, access policies, or compliance requirements, you can bring your own Customer Managed Key (CMK).
Configure a Global CMK
To configure your own CMK, navigate to your default_config.yml. Under the Config section, set the kms_key_id parameter to the ARN of your CMK:
```yaml
Config:
  kms_key_id: arn:aws:kms:<region>:<account_id>:key/<key_id>
```
This key will be used to encrypt all available resources (EBS volumes, analytics, Secrets Manager, backups, and more).
Per-Service Key Configuration
You can also configure a dedicated CMK for each service independently:
| Service | Configuration Path |
|---|---|
| AWS Backup | Config.services.aws_backup.kms_key_id |
| AWS ElastiCache | Config.services.aws_elasticache.kms_key_id |
| CloudWatch Logs | Config.services.logging.kms_key_id |
| All Storage | Config.storage.kms_key_id |
| Storage: /apps partition | Config.storage.apps.kms_key_id |
| Storage: /data partition | Config.storage.data.kms_key_id |
| EBS on login nodes | Config.login_node.volume_kms_key_id |
| EBS on the EDH Controller | Config.controller.volume_kms_key_id |
| AWS OpenSearch | Config.analytics.kms_key_id |
| AWS Secrets Manager | Config.secretsmanager.kms_key_id |
Note
Per-service keys take precedence over the global Config.kms_key_id setting.
Key Policy Requirements
S3 bucket encrypted with a custom key
The policy statements below are also required if the S3 bucket you specified at install time uses a non-default CMK.
Your CMK must include the following key policy statement to allow IAM-based access control within your account:
```json
{
  "Sid": "Enable IAM User Permissions",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<your_aws_account_id>:root"
  },
  "Action": "kms:*",
  "Resource": "*"
}
```
Additional Policy for CloudWatch Logs Encryption
If you plan to encrypt CloudWatch Logs with your own CMK, you must also add the following statement to allow the CloudWatch Logs service to use your key:
```json
{
  "Effect": "Allow",
  "Principal": {
    "Service": "logs.<region>.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
```
Replace <region> with your AWS region (e.g., us-east-1).
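As an added example (not part of the EDH documentation or tooling), the following Python check parses a key policy document and reports whether the two statements above are present for a given account and region, and whether a CloudWatch Logs principal was written for the wrong region. The account id, region and sample policy are constructed values.

```python
# Actions the CloudWatch Logs service principal must be allowed (from the statement above).
LOGS_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement, kind):
    """Principals of one kind ("AWS" or "Service"); the bare "Principal": "*" form counts as "*"."""
    principal = statement.get("Principal", {})
    if not isinstance(principal, dict):
        return ["*"]
    return _as_list(principal.get(kind, []))

def check_key_policy(policy, account_id, region, logs_encryption=False):
    """Return a list of findings for a key policy dict; an empty list means the policy is ready."""
    findings = []
    allows = [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]
    root_arn = f"arn:aws:iam::{account_id}:root"
    logs_svc = f"logs.{region}.amazonaws.com"
    # 1. The account root must be granted kms:* so IAM policies can control access.
    if not any(root_arn in _principals(s, "AWS") and "kms:*" in _as_list(s.get("Action", []))
               for s in allows):
        findings.append(f"missing 'Enable IAM User Permissions' statement for {root_arn}")
    # 2. If logs are encrypted with this key, the regional Logs principal needs every action.
    if logs_encryption:
        granted = set()
        for s in allows:
            if logs_svc in _principals(s, "Service"):
                granted |= set(_as_list(s.get("Action", [])))
        missing = LOGS_ACTIONS - granted
        if missing:
            findings.append(f"{logs_svc} lacks actions: {sorted(missing)}")
    for s in allows:  # a Logs principal for another region silently breaks log encryption
        for svc in _principals(s, "Service"):
            if svc.startswith("logs.") and svc != logs_svc:
                findings.append(f"logs principal {svc} does not match region {region}")
    return findings

# Constructed sample policy: correct root statement, Logs principal written for us-west-2.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Principal": {"Service": "logs.us-west-2.amazonaws.com"},
     "Action": sorted(LOGS_ACTIONS), "Resource": "*"}]}
```

Running `check_key_policy(SAMPLE_POLICY, "111122223333", "us-east-1", logs_encryption=True)` reports the missing us-east-1 Logs grant and the mismatched region, while the same call with `"us-west-2"` returns no findings.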
Scoping Down Permissions After Deployment
The broad key policy above is required during initial deployment because you cannot scope kms:Decrypt to specific EDH IAM roles until they are created. Once EDH is up and running, you can edit your key policy to restrict access to only the EDH IAM roles, following the principle of least privilege.