sumobrian changed the title from "Allow customers to pass a KMS Key to use to encrypt data at rest." to "[FEATURE] Allow customers to pass a KMS Key to use to encrypt data at rest." on Oct 13, 2024
sumobrian changed the title from "[FEATURE] Allow customers to pass a KMS Key to use to encrypt data at rest." to "Allow customers to pass a KMS Key to use to encrypt data at rest." on Oct 23, 2024
Is your feature request related to a problem?
Customers may prefer that they control the ability to decrypt any stored data and to revoke and/or audit those decryptions at any point. AWS KMS provides those abilities and is integrated with AWS Managed Services.
While the AWS deployment for the Migrations Assistant uses services that use KMS and support customer managed KMS Keys, the deployment options included with the opensearch-migration project don't allow that configuration. Instead, services will encrypt all data at rest using keys managed by each of the services.
What solution would you like?
A user can pass a key ARN or map of key ARNs for different resources that are in turn passed to each of the services.
What alternatives have you considered?
Since KMS is a broadly deployed AWS feature, allowing customers that have adopted them to support them seems appropriate.
Do you have any additional context?
KMS can be used for governance and compliance. There may be some customers for whom this is an absolute requirement. Today, those customers would not be able to use the deployment CDK as-is.
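One way the requested option could be parsed, as an added sketch that is not part of the issue or of the opensearch-migrations code: it accepts either a single key ARN or a map of key ARNs per resource and rejects anything that is not a KMS key ARN. The option name `kmsKey`, the resource names, the `default` entry and the function names are assumptions made for illustration.

```typescript
// Hypothetical resource names; the project defines no such option today.
const RESOURCES = ["opensearchDomain", "mskCluster", "efsVolume", "logGroups"] as const;
type Resource = typeof RESOURCES[number];
type KmsKeyInput = string | Partial<Record<Resource | "default", string>> | undefined;

// Constructed sample ARN (documentation-style account id), not a real key.
const SAMPLE_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab";

// Key ARNs only: alias ARNs are rejected so the deployed key cannot be
// silently swapped by re-pointing an alias.
const KMS_KEY_ARN = /^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:key\/[A-Za-z0-9-]+$/;

function assertKeyArn(arn: string, where: string): string {
  if (!KMS_KEY_ARN.test(arn)) {
    throw new Error(`${where}: not a KMS key ARN: ${arn}`);
  }
  return arn;
}

// Returns the key ARN to hand to each resource; undefined means the
// service keeps using its own service-managed key.
function resolveKmsKeys(input: KmsKeyInput): Record<Resource, string | undefined> {
  const out = {} as Record<Resource, string | undefined>;
  if (input === undefined) {
    for (const r of RESOURCES) out[r] = undefined;
    return out;
  }
  if (typeof input === "string") {
    const arn = assertKeyArn(input, "kmsKey");
    for (const r of RESOURCES) out[r] = arn;
    return out;
  }
  // Fail closed on misspelled resource names instead of silently
  // leaving that resource on a service-managed key.
  const known = new Set<string>([...RESOURCES, "default"]);
  for (const name of Object.keys(input)) {
    if (!known.has(name)) throw new Error(`kmsKey: unknown resource "${name}"`);
  }
  const fallback =
    input.default === undefined ? undefined : assertKeyArn(input.default, "kmsKey.default");
  for (const r of RESOURCES) {
    const arn = input[r];
    out[r] = arn === undefined ? fallback : assertKeyArn(arn, `kmsKey.${r}`);
  }
  return out;
}
```
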