Encrypt your Amazon Elasticsearch domains with KMS Customer Master Keys (CMKs).
KMS Customer Master Keys protect your domains and give you more granular control over the encryption and decryption process, including who may use the key and when it is disabled or deleted.
Follow the Enabling Encryption of Data at Rest docs to learn how to encrypt Amazon Elasticsearch domains in the AWS Console. The steps below do the same from the AWS CLI.
Create a new key policy JSON document with the following configuration (the account ID `111122223333` and the `AmazonESManager` role and `ESAdmin` user are sample values; replace them with your own):

es-kms-cmk-policy.json

```json
{
  "Id": "es-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/AmazonESManager"},
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/ESAdmin"},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/ESAdmin"},
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {"kms:GrantIsForAWSResource": "true"}
      }
    }
  ]
}
```

The `kms:GrantIsForAWSResource` condition restricts the grant permissions so they can only be used on behalf of an AWS service (here, the Elasticsearch service encrypting the domain), not to hand the key to arbitrary principals.
Run `create-key` to create a KMS key with the new policy document. The response contains the key's ID and ARN under `KeyMetadata`, which the following steps use.

create-key.sh

```shell
aws kms create-key \
  --description 'KMS CMK policy for encrypting es domain data' \
  --policy file://es-kms-cmk-policy.json
```
Run `create-alias` with the key ARN returned by `create-key` to attach a new alias to the CMK. KMS requires alias names to start with `alias/`, and a key ARN has the form `arn:aws:kms:<region>:<account-id>:key/<key-id>`; the region and key ID below are placeholders.

create-alias.sh

```shell
aws kms create-alias \
  --alias-name alias/ESCustomCMK \
  --target-key-id arn:aws:kms:your-region:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd
```
Run `create-elasticsearch-domain` with the configuration data returned in step 3 to create the domain with `--encryption-at-rest-options` set to `Enabled=true` and `KmsKeyId` set to your key ID.

create-elasticsearch-domain.sh

```shell
aws es create-elasticsearch-domain \
  --domain-name your-domain-name \
  .... \
  --encryption-at-rest-options Enabled=true,KmsKeyId="abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd"
```
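Once the domain exists, the control this page describes is only satisfied if the domain reports encryption at rest enabled with the intended customer-managed key, and if the key policy itself does not hand the key to overly broad principals. The following is an added example (not Datadog's or AWS's code) that audits both offline. The `DOMAIN_*` documents are constructed samples shaped like the output of `aws es describe-elasticsearch-domain` (the `DomainStatus.EncryptionAtRestOptions` field is the real API location); `KEY_POLICY_OK` is a subset of the policy on this page, and `KEY_POLICY_WEAK` adds one constructed statement to show a negative case.

```python
"""Offline audit of an Elasticsearch domain's encryption-at-rest settings and
of the KMS key policy protecting it.  Added example; all inputs are constructed."""
import json
import re

EXPECTED_KEY_ID = "abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd"  # sample key id from this page

# Constructed sample: domain created without --encryption-at-rest-options.
DOMAIN_UNENCRYPTED = json.loads("""{
  "DomainStatus": {
    "DomainName": "your-domain-name",
    "EncryptionAtRestOptions": {"Enabled": false}
  }
}""")

# Constructed sample: domain created as in the last step of this page.
DOMAIN_ENCRYPTED = json.loads("""{
  "DomainStatus": {
    "DomainName": "your-domain-name",
    "EncryptionAtRestOptions": {
      "Enabled": true,
      "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/abcdabcd-aaaa-bbbb-cccc-abcdabcdabcd"
    }
  }
}""")

# Two statements from the key policy on this page.
KEY_POLICY_OK = {
    "Id": "es-custom-key-policy",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow the use of the CMK", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:user/ESAdmin"},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}

# Constructed weak variant: a statement that opens kms:Decrypt to any principal.
KEY_POLICY_WEAK = json.loads(json.dumps(KEY_POLICY_OK))
KEY_POLICY_WEAK["Statement"].append(
    {"Sid": "Constructed weak statement", "Effect": "Allow",
     "Principal": "*", "Action": "kms:Decrypt", "Resource": "*"})

ROOT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:root$")


def key_id_from(value):
    """Return the bare key id whether the API reported an ARN or a plain id."""
    return value.rsplit("/", 1)[-1]


def audit_domain(describe_output, expected_key_id):
    """Return a list of findings for one domain; an empty list means compliant."""
    opts = describe_output["DomainStatus"].get("EncryptionAtRestOptions", {})
    if not opts.get("Enabled"):
        return ["encryption at rest is disabled"]
    key = opts.get("KmsKeyId")
    if not key:
        return ["encryption enabled but no KmsKeyId reported"]
    if key_id_from(key) != expected_key_id:
        return [f"domain uses key {key_id_from(key)}, expected {expected_key_id}"]
    return []


def principals_of(statement):
    """Normalise the Principal element to a list of AWS principal strings."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def actions_of(statement):
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def audit_key_policy(policy):
    """Flag Allow statements that reach every principal or give kms:* to non-root."""
    findings = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", "<no Sid>")
        principals, actions = principals_of(statement), actions_of(statement)
        if "*" in principals:
            findings.append(f"{sid}: grants {', '.join(actions)} to every AWS principal")
        if "kms:*" in actions:
            for p in principals:
                if not ROOT_PRINCIPAL.match(p):
                    findings.append(f"{sid}: full kms:* granted to non-root principal {p}")
    return findings


if __name__ == "__main__":
    for name, doc in (("unencrypted", DOMAIN_UNENCRYPTED), ("encrypted", DOMAIN_ENCRYPTED)):
        print(name, audit_domain(doc, EXPECTED_KEY_ID) or "OK")
    print("policy (page)", audit_key_policy(KEY_POLICY_OK) or "OK")
    print("policy (weak)", audit_key_policy(KEY_POLICY_WEAK))
```

In practice you would feed `audit_domain` the JSON from `aws es describe-elasticsearch-domain --domain-name your-domain-name` and `audit_key_policy` the output of `aws kms get-key-policy --policy-name default` for the CMK; the comparison is done on the bare key ID so it works whether the API returns an ARN or an ID.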