Allow customers to pass a KMS Key to use to encrypt data at rest. #1026

@gregschohn

Is your feature request related to a problem?

Customers may prefer that they control the ability to decrypt any stored data and to revoke and/or audit those decryptions at any point. AWS KMS provides those abilities and is integrated with AWS Managed Services.

While the AWS deployment for the Migrations Assistant uses services that use KMS and support customer managed KMS Keys, the deployment options included with the opensearch-migration project don't allow that configuration. Instead, services will encrypt all data at rest using keys managed by each of the services.

What solution would you like?

A user can pass a key ARN or map of key ARNs for different resources that are in turn passed to each of the services.

What alternatives have you considered?

Since KMS is a broadly deployed AWS feature, allowing customers that have adopted them to support them seems appropriate.

Do you have any additional context?

KMS can be used for governance and compliance. There may be some customers for whom this is an absolute requirement. Today, those customers would not be able to use the deployment CDK as-is.

Metadata

Labels: enhancement

Status: Not Committed