# Data protection in Amazon EventBridge Data protection The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in Amazon EventBridge. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*. For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways: + Use multi-factor authentication (MFA) with each account. + Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3. + Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*. + Use AWS encryption solutions, along with all default security controls within AWS services. + Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3. + If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/). We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with EventBridge or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server. ## Data encryption in EventBridge Encryption EventBridge provides both *encryption at rest* and *encryption in transit* to protect your data: + Encryption at rest EventBridge integrates with AWS Key Management Service (KMS) to encrypt stored data. By default, EventBridge uses an AWS owned key to encrypt data. You can also specify for EventBridge to use a customer managed key for specific features instead. + Encryption in transit EventBridge encrypts data that passes between EventBridge and other services by using Transport layer Security (TLS). For event buses, this includes during an event being sent to EventBridge, as well as when EventBridge sends an event to a rule target. ## Encryption at rest in Amazon EventBridge Encryption at rest EventBridge provides transparent server-side encryption by integrating with AWS Key Management Service (KMS). Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements. By default, EventBridge uses an AWS owned key to encrypt data. You can specify for EventBridge to use customer managed keys for specific resources instead. The following table lists the artifacts that EventBridge encrypts at rest, by resource: | **Resource** | **Details** | **AWS owned key** | **Customer managed key** | | --- | --- | --- | --- | | [API destinations](eb-api-destinations.md) | Connection authorization parameters are stored in an AWS Secrets Manager secret. | Supported | [Supported](encryption-connections.md) | | [Archives](eb-archive.md) | | Supported | [Supported](encryption-archives.md) | | [Connections](eb-target-connection.md) | Connection authorization parameters are stored in an AWS Secrets Manager secret. | Supported | [Supported](encryption-connections.md) | | [Event buses](eb-event-bus.md) | Includes: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/eb-data-protection.html) | Supported | [Supported](eb-encryption-event-bus-cmkey.md) | | [Pipes](eb-pipes.md) | Includes: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/eb-data-protection.html) Events flowing through a pipe are never stored at rest. | Supported | [Supported](eb-encryption-pipes-cmkey.md) | **Important** We strongly recommend that you never put confidential or sensitive information in the following artifacts, as they are not encrypted at rest: Event bus names Rule names Shared resources, such at tags # KMS key options for data encryption in Amazon EventBridge KMS key options EventBridge uses an AWS owned key to encrypt data stored in resources. For each resource, you can choose the type of KMS key EventBridge uses to encrypt the data: + **AWS owned key** By default, EventBridge encrypts data using 256-bit Advanced Encryption Standard (AES-256) under an AWS owned key, which helps secure your data from unauthorized access. You can't view, manage, or use AWS owned keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. AWS owned keys are completely free of charge (no monthly fees or usage fees), and they do not count against the AWS KMS quotas for your account. You don't need to create or maintain the key or its key policy. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*. + **Customer managed key** EventBridge supports the use of a symmetric customer managed key that you create, own, and manage. Because you have full control of this type of KMS key, you can perform such tasks as: + Establishing and maintaining key policies + Establishing and maintaining IAM policies and grants + Enabling and disabling key policies + Rotating key cryptographic material + Adding tags + Creating key aliases + Scheduling keys for deletion For more information, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*. EventBridge supports [Multi-Region keys](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) and [cross account access of keys](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html). Customer managed keys incur a monthly fee. For details, see [AWS Key Management Service Pricing](https://aws.amazon.com/kms/pricing/), and [Quotas](https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) in the *AWS Key Management Service Developer Guide*. **Note** EventBridge does not support [schema discovery](eb-schema.md) on event buses encrypted using customer managed keys. # Authorizing EventBridge to use a customer managed key Authorizing key use If you use a customer managed key in your account to protect your EventBridge resources, the policies on that KMS key must give EventBridge permission to use it on your behalf. You provide these permissions in a [key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). EventBridge does not need additional authorization to use the default AWS owned key to protect the EventBridge resources in your AWS account. EventBridge requires the following permissions to use customer managed keys: + [https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) EventBridge requires this permission to retrieve the KMS key ARN for the Key Id provided, and to verify that the key is symmetric. + [https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) EventBridge requires this permission to generate a data key as the encryption key for the data. + [https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) EventBridge requires this permission to decrypt the data key that is encrypted and stored with the encrypted data. EventBridge uses this for event pattern matching; users never have access to the data. ## Security when using customer managed keys for EventBridge encryption Security considerations As a security best practice, add an `aws:SourceArn`, `aws:sourceAccount`, or `kms:EncryptionContext:aws:events:event-bus:arn` condition key to the AWS KMS key policy. The IAM global condition key helps ensure that EventBridge uses the KMS key only for the specified bus or account. The following example demonstrates how to follow this best practice in your IAM policy for an event bus: ``` { "Sid": "Allow the use of key", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition" : { "StringEquals": { "aws:SourceAccount": "arn:aws:events:region:account-id", "aws:SourceArn": "arn:aws:events:region:account-id:event-bus/event-bus-name", "kms:EncryptionContext:aws:events:event-bus:arn": "arn:aws:events:region:account-id:event-bus/event-bus-arn" } } ``` # Maintaining AWS KMS encryption key access in EventBridge Maintaining key access To ensure EventBridge always retains access to the necessary customer managed key: + Do not delete a customer managed key until you are sure all resources encrypted with it have been processed. When you perform any of the following operations, retain the previous key material to ensure EventBridge can continue to use it for previously-encrypted resources: + [Automatic key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotating-keys-enable-disable) + [Manual key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually) + [Updating a key alias](https://docs.aws.amazon.com/kms/latest/developerguide/alias-manage.html#alias-update) In general, If you are considering deleting a AWS KMS key, disable it first and set a [CloudWatch alarm](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys-creating-cloudwatch-alarm.html) or similar mechanism to be certain that you'll never need to use the key to decrypt encrypted data. + Do not delete the key policy that provides EventBridge the permissions to use the key. Other considerations include: + Specify customer managed keys for rule targets, as appropriate. When EventBridge sends an event to a rule target, the event is sent using Transport layer Security (TLS). However, what encryption is applied to the event as it is stored on the target depends on the encryption you have configured on the target itself. # Encrypting EventBridge event buses with AWS KMS keys Encrypting event buses You can specify that EventBridge use an AWS KMS to encrypt your data stored on an event bus, rather than use an AWS owned key as is the default. You can specify a customer managed key when you create or update an event bus. You can also update the default event bus to use a customer managed key for encryption as well. For more information, see [KMS key options](eb-encryption-at-rest-key-options.md). When you specify a customer managed key for an event bus, EventBridge uses that key to encrypt the following: + [Custom](eb-putevents.md) and [partner](eb-saas.md) events stored on the event bus. Events from AWS service are encrypted using an AWS owned key. EventBridge does not encrypt event metadata. For more information on event metadata, see [AWS service event metadata](https://docs.aws.amazon.com/eventbridge/latest/ref/events-structure.html) in the *Events Reference*. + For each [rule](eb-rules.md) on the bus: + The rule [event pattern](eb-event-patterns.md). + [Target](eb-targets.md) information, including target input, [input transformers](eb-transform-target-input.md), and [configuration parameters](eb-create-rule-wizard.md#eb-create-rule-target). + If [event bus logging](eb-event-bus-logs.md) is enabled, the `detail` and `error` sections of log records. If you specify a customer managed key for an event bus, you have the option of specifying a dead-letter queue (DLQ) for the event bus. EventBridge then delivers any custom or partner events that generate encryption or decryption errors to that DLQ. For more information, see [DLQs for encrypted events](eb-encryption-event-bus-dlq.md). **Note** We strongly recommend specifying a DLQ for event buses, to ensure events are preserved if encryption or decryption errors occur. You can also specify using customer managed keys for encrypting event bus archives. For more information, see [Encrypting archives](encryption-archives.md). **Note** Schema discovery is not supported for event buses encrypted using a customer managed key. To enable schema discovery on an event bus, choose to use an AWS owned key. For more information, see [KMS key options](eb-encryption-at-rest-key-options.md). ## Event bus encryption context Event bus encryption context An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, AWS KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context. You can also use the encryption context as a condition for authorization in policies and grants. If you use a customer managed key to protect your EventBridge resources, you can use the encryption context to identify use of the KMS key in audit records and logs. It also appears in plaintext in logs, such as [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html). For event buses, EventBridge uses the same encryption context in all AWS KMS cryptographic operations. The context includes a single key–value pair, which contains the event bus ARN. ``` "encryptionContext": { "kms:EncryptionContext:aws:events:event-bus:arn": "event-bus-arn" } ``` ## AWS KMS key policy for event bus Event bus key policy The following example key policy provides the required permissions for an event bus: + `kms:DescribeKey` + `kms:GenerateDataKey` + `kms:Decrypt` As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the KMS key only for the specified resource or account. For more information, see [Security considerations](eb-encryption-key-policy.md#eb-encryption-event-bus-confused-deputy). ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Sid": "AllowEventBridgeToValidateKeyPermission", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:DescribeKey" ], "Resource": "*" }, { "Sid": "AllowEventBridgeToEncryptEvents", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:events:event-bus:arn": "arn:aws:events:us-east-1:123456789012:event-bus/event-bus-arn", "aws:SourceArn": "arn:aws:events:us-east-1:123456789012:event-bus/event-bus-name" } } } ] } ``` ------ ## AWS KMS key permissions for event bus actions AWS KMS key permissions for event bus actions To create or update an event bus encrypted using a customer managed key, you must have the following permissions to the specified customer managed key: + `kms:GenerateDataKeyWithoutPlaintext` + `kms:Decrypt` + `kms:Encrypt` + `kms:ReEncryptFrom` + `kms:ReEncryptTo` + `kms:DescribeKey` In addition, to perform certain event bus actions on an event bus encrypted using a customer managed key, you must have `kms:Decrypt` permission for the specified customer managed key. These actions include: + `[DescribeRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DescribeRule.html)` + `[DisableRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html)` + `[EnableRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_EnableRule.html)` + `[ListRules](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_ListRules.html)` + `[ListTargetsByRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_ListTargetsByRule.html)` + `[PutRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutRule.html)` + `[ListRuleNamesByTarget](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_ListRuleNamesByTarget.html)` + `[PutTargets](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutTargets.html)` # Configuring encryption on EventBridge event buses Configuring event bus encryption You can specify the KMS key for EventBridge to use when you create or update an event bus. You can also update the default event bus to use a customer managed key as well. ## Specifying the AWS KMS key used for encryption when creating an event bus Set encryption when creating an event bus Choosing the AWS KMS key used for encryption is part of creating an event bus. The default is to use the AWS owned key provided by EventBridge. **To specify a customer managed key for encryption when creating an event bus (console)** + Follow these instructions: [Creating an event bus](eb-create-event-bus.md). **To specify a customer managed key for encryption when creating an event bus (CLI)** + When calling `[create-event-bus](https://docs.aws.amazon.com/cli/latest/reference/events/create-event-bus.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encryption on the event bus. Optionally, use `dead-letter-config` to specify a dead-letter queue (DLQ). ## Updating the AWS KMS key used for encryption on an event bus Update encryption on an event bus You can update the AWS KMS key being used for encryption at rest on an existing event bus. This includes: + Changing from the default AWS owned key to a customer managed key. + Changing from a customer managed key to the default AWS owned key. + Changing from one customer managed key to another. When you update an event bus to use a different AWS KMS key, EventBridge decrypts any data stored on the event bus and then encrypts it using the new key. **To update the KMS key used for encryption on an event bus (console)** 1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/). 1. In the navigation pane, choose **Event buses**. 1. Choose the event bus you want to update. 1. On the events bus details page, choose the **Encryption** tab. 1. Choose the KMS key for EventBridge to use when encrypting the event data stored on the event bus: + Choose **Use AWS owned key** for EventBridge to encrypt the data using an AWS owned key. This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. This is the default. + Choose **Use customer managed key** for EventBridge to encrypt the data using the customer managed key that you specify or create. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys. 1. Specify an existing customer managed key, or choose **Create a new KMS key**. EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key. 1. Choose the Amazon SQS queue to use as the dead-letter queue (DLQ) for this event bus, if any. EventBridge sends events that aren't successfully encrypted to the DLQ, if configured, so you can process them later. **To update the KMS key used for encryption on an event bus (CLI)** + When calling `[update-event-bus](https://docs.aws.amazon.com/cli/latest/reference/events/create-event-bus.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encryption on the event bus. Optionally, use `dead-letter-config` to specify a dead-letter queue (DLQ). **To update the KMS key used for encryption on the default event bus, using CloudFormation** Because EventBridge provisions the default event bus into your account automatically, you cannot create it using a CloudFormation template, as you normally would for any resource you wanted to include in a CloudFormation stack. To include the default event bus in a CloudFormation stack, you must first *import* it into a stack. Once you have imported the default event bus into a stack, you can then update the event bus properties as desired. + Follow these instructions: [Updating a default bus using CloudFormation](event-bus-update-default-cfn.md). # Encryption in EventBridge when an event bus is the rule target Encryption for event bus targets When a custom or partner event is sent to an event bus, EventBridge encrypts that event according to the encryption at rest KMS key configuration for that event bus - either the default AWS owned key or a customer managed key, if one has been specified. If an event matches a rule, EventBridge encrypts the event with the KMS key configuration for that event bus until the event is sent to the rule target, *unless the rule target is another event bus*. + If the target of a rule is another event bus in the same AWS Region: If the target event bus has a specified customer managed key, EventBridge encrypts the event with the customer managed key of the target event bus for delivery instead. ![\[An event sent from one event bus to another, encrypted using the key of the target event bus.\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/cmkms-bus-same-region_eventbridge_conceptual.svg) + If the target of a rule is another event bus in a different AWS Region: EventBridge encrypts the event at rest according to the KMS key configuration on the first event bus. EventBridge uses TLS to send the event to the second event bus in the different Region, where it is then encrypted according to the KMS key configuration specified for the target event bus. ![\[An event sent to a target event bus in a different Region, using TLS in transit.\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/cmkms-bus-cross-region_eventbridge_conceptual.svg) # Event encryption for managed rules in EventBridge Encryption for managed rules AWS services can create and manage event bus rules in your AWS account that are needed for certain functions in those services. As part of a managed rule, the AWS service can specify that EventBridge use the customer managed key specified for the rule target. This gives you the flexibility to specify which customer managed key to use based on the rule target. In these cases, once a custom or partner event matches against the managed rule, EventBridge uses the target customer managed key specified by the managed rule to encrypt the event until it is sent to the rule target. This is regardless of whether the event bus has been configured to use its own customer managed key for encryption. This is the case even if the target of the managed rule is another event bus, and that event bus has its own customer managed key specified for encryption. EventBridge continues to use the target customer managed key specified in the managed rule until the event is sent to a target that is not an event bus. ![\[An event that matches a managed rule, encrypted using the key of the rule target.\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/cmkms-bus-managed-rule_eventbridge_conceptual.svg) For cases where the rule target is an event bus in another Region, you must provide a [multi-Region key](https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html). The event bus in the first Region encrypts the event using the customer managed key specified in the managed rule. It then sends the event to the target event bus in the second Region. That event bus must be able to continue to use the customer managed key until it sends the event to its target. # Encrypting event bus logs with AWS KMS in EventBridge Encrypting event bus logs When sending logs, EventBridge encrypts the `detail` and `error` sections of each log record with the KMS key specified for the event bus. If you have specified a customer managed key for the event bus, EventBridge uses that key for encryption in transit. Once delivered, the record is decrypted and then re-encrypted with the KMS key specified for the log destination. ## Event bus logs encryption context Logs encryption context An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, AWS KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context. You can also use the encryption context as a condition for authorization in policies and grants. If you use a customer managed key to protect your EventBridge resources, you can use the encryption context to identify use of the KMS key in audit records and logs. It also appears in plaintext in logs, such as [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html). For event bus logs, EventBridge uses the same encryption context in all AWS KMS cryptographic operations. ``` "encryptionContext": { "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" } ``` ## AWS KMS key policy permissions for event bus logging Logging permissions For event buses using a customer managed key, you must add the following permissions to the key policy. + Allow EventBridge to encrypt logs using the customer managed key. ``` { "Sid": "Enable log service encryption", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringLike": { "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" } } } ``` + Allow the logging service to decrypt logs sent by EventBridge. ``` { "Sid": "Enable log delivery decryption", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringLike": { "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" } } } ``` # Using dead-letter queues to capture encrypted event errors in EventBridge DLQs for encrypted events If you configure customer managed key encryption on an event bus, we recommend that you specify a dead-letter queue (DLQ) for that event bus. EventBridge sends custom and partner events to this DLQ if it encounters a non-retriable error while processing the event on the event bus. A non-retriable error is one where user action is required to resolve the underlying issue, such as the specified customer managed key being disabled or missing. + If a non-retriable encryption or decryption error occurs while EventBridge is processing the event on the event bus, the event is sent to the DLQ for the *event bus*, if one is specified. + If a non-retriable encryption or decryption error occurs while EventBridge is attempting to send the event to a target, including input transformations and target-specific settings, the event is sent to the DLQ for the *target*, if one is specified. ![\[A non-retriable error during event bus processing, sent to the event bus DLQ.\]](http://docs.aws.amazon.com/eventbridge/latest/userguide/images/cmkms-bus-dlq_eventbridge_conceptual.svg) For more information, including considerations when using DLQs, and instructions on setting permissions, see [Using dead-letter queues](eb-rule-dlq.md). # Decrypting events in EventBridge dead-letter queues Decrypting DLQ events Once you've resolved the underlying issue that is causing a non-retriable error, you can process the events sent to the event bus or target DLQs. For encrypted events, you must first decrypt the event in order to process it. The following example demonstrates how to decrypt an event that EventBridge has delivered to an event bus or target DLQ. ``` // You will receive an encrypted event in the following json format. // ``` // { // "version": "0", // "id": "053afa53-cdd7-285b-e754-b0dfd0ac0bfb", // New event id not the same as the original one // "account": "123456789012", // "time": "2020-02-10T10:22:00Z", // "resources": [ ], // "region": "us-east-1", // "source": "aws.events", // "detail-type": "Encrypted Events", // "detail": { // "event-bus-arn": "arn:aws:events:region:account:event-bus/bus-name", // "rule-arn": "arn:aws:events:region:account:event-bus/bus-name/rule-name", // "kms-key-arn": "arn:aws:kms:region:account:key/key-arn", // "encrypted-payload": "AgR4qiru/XNwTUyCgRHqP7rbbHn/xpmVeVeRIAd12TDYYVwAawABABRhd3M6ZXZlbnRzOmV2ZW50LWJ1cwB // RYXJuOmF3czpldmVudHM6dXMtZWFzdC0xOjE0NjY4NjkwNDY3MzpldmVudC1idXMvY21rbXMtZ2EtY3Jvc3 // MtYWNjb3VudC1zb3VyY2UtYnVzAAEAB2F3cy1rbXMAS2Fybjphd3M6a21zOnVzLWVhc3QtMToxNDY2ODY5" // } // } // ``` // Construct an AwsCrypto object with the encryption algorithm `ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY` which // is used by EventBridge for encryption operation. This object is an entry point for decryption operation. // It can later use decryptData(MasterKeyProvider, byte[]) method to decrypt data. final AwsCrypto crypto = AwsCrypto.builder() .withEncryptionAlgorithm(CryptoAlgorithm.ALG_AES_256_GCM_HKDF_SHA512_COMMIT_KEY) .build(); // Construct AWS KMS master key provider with AWS KMS Client Supplier and AWS KMS Key ARN. The KMS Client Supplier can // implement a RegionalClientSupplier interface. The AWS KMS Key ARN can be fetched from kms-key-arn property in // encrypted event json detail. final KmsMasterKeyProvider kmsMasterKeyProvider = KmsMasterKeyProvider.builder() .customRegionalClientSupplier(...) .buildStrict(KMS_KEY_ARN); // The string of encrypted-payload is base64 encoded. Decode it into byte array, so it can be furthur // decrypted. The encrypted payload can be fetched from encrypted-payload field in encrypted event json detail. byte[] encryptedByteArray = Base64.getDecoder().decode(ENCRYPTED_PAYLOAD); // The decryption operation. It retrieves the encryption context and encrypted data key from the cipher // text headers, which is parsed from byte array encrypted data. Then it decrypts the data key, and // uses it to finally decrypt event payload. This encryption/decryption strategy is called envelope // encryption, https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping final CryptoResult decryptResult = crypto.decryptData(kmsMasterKeyProvider, encryptedByteArray); final byte[] decryptedByteArray = decryptResult.getResult(); // Decode the event json plaintext from byte array into string with UTF_8 standard. String eventJson = new String(decryptedByteArray, StandardCharsets.UTF_8); ``` # Encrypting EventBridge Pipes data with AWS KMS keys Encrypting pipe data You can specify that EventBridge use a customer managed key to encrypt pipe data stored at rest, rather than use an AWS owned key as is the default. You can specify a customer managed key when you create or update a pipe. For more information about key types, see [KMS key options](eb-encryption-at-rest-key-options.md). The pipe data EventBridge encrypts at rest includes: + [Event patterns](eb-event-patterns.md) + [Input transformers](eb-pipes-input-transformation.md) Events flowing through a pipe are never stored at rest. ## EventBridge Pipes encryption context Encryption context An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, AWS KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context. You can also use the encryption context as a condition for authorization in policies and grants. If you use a customer managed key to protect your EventBridge resources, you can use the encryption context to identify use of the KMS key in audit records and logs. It also appears in plaintext in logs, such as [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html). For EventBridge Pipes, EventBridge uses the same encryption context in all AWS KMS cryptographic operations. The context includes a single key–value pair, which contains the pipe ARN. ``` "encryptionContext": { "kms:EncryptionContext:aws:pipes:arn": "pipe-arn" } ``` For vended logs, EventBridge uses the following encryption context. ``` "encryptionContext": { "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" } ``` ## AWS KMS key policy for EventBridge Pipes Pipe key policy The following example key policy provides the required permissions for a pipe: + `kms:DescribeKey` + `kms:GenerateDataKey` + `kms:Decrypt` As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the AWS KMS key only for the specified resource or account. For more information, see [Security considerations](eb-encryption-key-policy.md#eb-encryption-event-bus-confused-deputy). ------ #### [ JSON ] **** ``` { "Id": "CMKKeyPolicy", "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/pipe-execution-role" }, "Action": [ "kms:DescribeKey" ], "Resource": "*" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/pipe-execution-rolee" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "ArnLike": { "kms:EncryptionContext:aws:pipe:arn": "arn:aws:pipes:us-east-1:123456789012:pipe/pipe-name" }, "ForAnyValue:StringEquals": { "kms:EncryptionContextKeys": [ "aws:pipe:arn" ] } } } ] } ``` ------ ### Permissions for pipe logs that include execution data Permissions for vended logs If you have configured pipes logging to include execution data, the key policy must include the following permissions for the logging service: + `kms:Decrypt` + `kms:GenerateDataKey` For more information, see [Including execution data in EventBridge Pipes logs](eb-pipes-logs.md#eb-pipes-logs-execution-data). The following example key policy provides the required permissions for pipes logging: ``` { "Sid": "Enable log service encryption", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": [ "kms:Decrypt", "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringLike": { "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" } } } ``` In addition, the pipe execution role requires the `kms:GenerateDataKey` permisson. ``` { "Sid": "Enable log service encryption", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account:role/pipe-execution-role" }, "Action": [ "kms:GenerateDataKey" ], "Resource": "*", "Condition": { "StringLike": { "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" } } } ``` The pipe execution role should also include: ``` "Action": [ "kms:GenerateDataKey" ], "Resource": "key-arn", "Condition": { "StringLike": { "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*" } } ``` # Configuring encryption in EventBridge Pipes Configuring pipe encryption You can specify the KMS key for EventBridge to use when you create or update a pipe. ## Specifying the AWS KMS key used for encryption when creating a pipe Set pipe encryption Choosing the AWS KMS key used for encryption is an option creating a pipe. The default is to use the AWS owned key provided by EventBridge. **To specify a customer managed key for encryption when creating a pipe (console)** + Follow these instructions: [Creating a pipe](eb-pipes-create.md). **To specify a customer managed key for encryption when creating a pipe (CLI)** + When calling `[create-pipe](https://docs.aws.amazon.com/cli/latest/reference/pipes/create-pipe.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encryption on the event bus. ## Updating the AWS KMS key used for encryption on EventBridge Pipes Update pipe encryption You can update the AWS KMS key being used for encryption at rest on an existing pipe. This includes: + Changing from the default AWS owned key to a customer managed key. + Changing from a customer managed key to the default AWS owned key. + Changing from one customer managed key to another. When you update a pipe to use a different AWS KMS key, EventBridge decrypts any data stored on the pipe and then encrypts it using the new key. **To update the KMS key used for encryption on a pipe (console)** 1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/). 1. In the navigation pane, choose **Pipes**. 1. Choose the pipe you want to update. 1. On the pipe bus details page, choose the **Encryption** tab. 1. Choose the KMS key for EventBridge to use when encrypting the data stored on pipe: + Choose **Use AWS owned key** for EventBridge to encrypt the data using an AWS owned key. This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. This is the default. + Choose **Use customer managed key** for EventBridge to encrypt the data using the customer managed key that you specify or create. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys. 1. Specify an existing customer managed key, or choose **Create a new KMS key**. EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key. **To update the KMS key used for encryption on a pipe (CLI)** + When calling `[update-pipe](https://docs.aws.amazon.com/cli/latest/reference/pipes/update-pipe.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encrypting pipe data. # Encrypting EventBridge archives with AWS KMS keys Encrypting archives You can specify that EventBridge use a customer managed key to encrypt events stored in an archive, rather than use an AWS owned key as is the default. You can specify a customer managed key when you create or update an archive. For more information about key types, see [KMS key options](eb-encryption-at-rest-key-options.md). This includes: + Events stored in the archive + The event pattern, if any, specified to filter the events sent to the archive This does not include archive metadata, such as the size of the archive or number of events it contains. If you specify a customer managed key for an archive, EventBridge encrypts events prior to sending it to the archive, ensuring encryption in transit and at rest. ## Archive encryption context Encryption context An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, AWS KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context. You can also use the encryption context as a condition for authorization in policies and grants. If you use a customer managed key to protect your EventBridge resources, you can use the encryption context to identify use of the KMS key in audit records and logs. It also appears in plaintext in logs, such as [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html). For event archives, EventBridge uses the same encryption context in all AWS KMS cryptographic operations. The context includes a single key–value pair, which contains the event bus ARN. ``` "encryptionContext": { "kms:EncryptionContext:aws:events:event-bus:arn": "event-bus-arn" } ``` ## AWS KMS key policy for archives Archive key policy The following example key policy provides the required permissions for an event archive: + `kms:DescribeKey` + `kms:GenerateDataKey` + `kms:Decrypt` + `kms:ReEncrypt` As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the KMS key only for the specified resource or account. For more information, see [Security considerations](eb-encryption-key-policy.md#eb-encryption-event-bus-confused-deputy). ------ #### [ JSON ] **** ``` { "Id": "CMKKeyPolicy", "Version":"2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:DescribeKey" ], "Resource": "*" }, { "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt", "kms:ReEncrypt*" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:events:event-bus:arn": "arn:aws:events:us-east-1:123456789012:event-bus/event-bus-arn" } } } ] } ``` ------ # Configuring encryption on archives Configuring archive encryption You can specify the KMS key for EventBridge to use when you create or update an archive. ## Specifying encryption when creating an archive Set archive encryption Choosing the AWS KMS key used for encryption is an option creating an archive. The default is to use the AWS owned key provided by EventBridge. **To specify a customer managed key for encryption when creating an archive (console)** + Follow these instructions: [Creating archives](eb-archive-event.md). **To specify a customer managed key for encryption when creating an archive (CLI)** + When calling `[create-archive](https://docs.aws.amazon.com/cli/latest/reference/events/create-archive.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encrypting events stored in the archive. ## Updating encryption on archives Update archive encryption You can update the AWS KMS key being used for encryption at rest on an existing archive. This includes: + Changing from the default AWS owned key to a customer managed key. + Changing from a customer managed key to the default AWS owned key. + Changing from one customer managed key to another. **To update the KMS key used for encrypting events in an archive (console)** 1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/). 1. Navigate to the archive directly, or from the source event bus: + In the navigation pane, choose **Event buses**. On the events bus details page, choose the **Archives** tab. + In the navigation pane, choose **Archives**. 1. Choose the archive you want to update. 1. On the archive details page, choose the **Encryption** tab. 1. Choose the KMS key for EventBridge to use when encrypting the events stored in the archive. **Important** If you have specify that EventBridge use a customer managed key for encrypting the source event bus, we strongly recommend you also specify a customer managed key for any archives for the event bus as well. + Choose **Use AWS owned key** for EventBridge to encrypt the data using an AWS owned key. This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. This is the default. + Choose **Use customer managed key** for EventBridge to encrypt the data using the customer managed key that you specify or create. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys. 1. Specify an existing customer managed key, or choose **Create a new KMS key**. EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key. **To update the KMS key used for encrypting events stored in an archive (CLI)** + When calling `[update-archive](https://docs.aws.amazon.com/cli/latest/reference/events/update-archive.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encrypting events stored in the archive. # Encrypting EventBridge connection authorization with AWS KMS keys Encrypting connections When you create or update a connection, you can specify authorization parameters for that connection. EventBridge then securely stores those parameters in a secret in AWS Secrets Manager. By default, EventBridge uses an AWS owned key to encrypt and decrypt this secret. You can specify that EventBridge use a customer managed key instead. ## AWS KMS key policy for connections Connection key policy The AWS KMS key policy must grant EventBridge the following permissions on your behalf: + `kms:DescribeKey` + `kms:GenerateDataKey` + `kms:Decrypt` The following policy example grants all AWS KMS permissions. ------ #### [ JSON ] **** ``` { "Id": "key-policy-example", "Version":"2012-10-17", "Statement": [ { "Sid": "Enable IAM User Permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::012345678901:root" }, "Action": "kms:*", "Resource": "*" } ] } ``` ------ For EventBridge to use a customer managed key, you must add a resource tag to the key with a key of `EventBridgeApiDestinations` and a value of `true`. For more information on resource tags, see [Add tags to a KMS key](https://docs.aws.amazon.com/kms/latest/developerguide/add-tags.html) in the *AWS Key Management Service Developer Guide*. As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the KMS key only for the specified resource or account. For more information, see [Security considerations](eb-encryption-key-policy.md#eb-encryption-event-bus-confused-deputy). ``` "Condition": { "StringLike": { "kms:ViaService": "secretsmanager.*.amazonaws.com", "kms:EncryptionContext:SecretARN": [ "arn:aws:secretsmanager:*:*:secret:events!connection/*" ] }, "StringEquals": { "kms:ResourceTag/EventBridgeApiDestinations": "true" } } ``` ## Connection encryption context Encryption context An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, AWS KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context. You can also use the encryption context as a condition for authorization in policies and grants. If you use a customer managed key to protect your EventBridge resources, you can use the encryption context to identify use of the KMS key in audit records and logs. It also appears in plaintext in logs, such as [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html). For connections, EventBridge uses the same encryption context in all AWS KMS cryptographic operations. The context includes a single key–value pair, which contains the secret ARN. ``` "encryptionContext": { "kms:EncryptionContext:SecretARN": "secret-arn" } ``` ## Using cross-account or cross-Region customer managed keys for connections Cross-account or Region keys You can allow users or roles in a different AWS account to use a KMS key in your account. Cross-account access requires permission in the key policy of the KMS key and in an IAM policy in the external user's account. To use a customer managed key from another account, the account with the customer managed key must include the following policy: ``` { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::account:role/AmazonEventBridgeApiDestinationsInternalServiceRolePolicy" }, "Action": [ "kms:Decrypt", "kms:DescribeKey" ], "Resource": "*" } ``` For more information, see [ Allowing users in other accounts to use a KMS key ](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying-external-accounts.html) in the *AWS Key Management Service Developer Guide*. ## Revoking customer managed key access to connections Revoking AWS KMS key access Be aware that when you revoke a customer managed key--through disabling, deleting, or rotating the key, or updating the key policy--EventBridge may have cached the key value, and so that key may still retain access to a connection's secret for a short period of time. To immediately revoke customer managed key access to a connection's secret, de-authorize or delete the connection. For more information, see [De-authorizing connections](eb-target-connection-deauthorize.md) and [Deleting connections](eb-target-connection-delete.md). ## Connection de-authorization due to customer managed key errors Customer managed key errors EventBridge de-authorizes a connection if it encounters the following errors when attempting to encrypt or decrypt the connection's secret: + The customer managed key has been deleted. + The customer managed key has been disabled. + The connection does not have the necessary permissions to access the customer managed key. For more information, see [De-authorizing connections](eb-target-connection-deauthorize.md). # Configuring encryption on connections Configuring connection encryption You can specify the KMS key for EventBridge to use when you create or update a connection. ## Specifying AWS KMS keys when creating connections Specifying AWS KMS keys Choosing the AWS KMS key used for encryption is optional when creating a connection. By default, EventBridge uses an AWS owned key. **To specify a customer managed key for encryption when creating a connection (console)** + Follow these instructions: [Creating connections](eb-target-connection-create.md). **To specify a customer managed key for encryption when creating a connection (CLI)** + When calling `[create-connection](https://docs.aws.amazon.com/cli/latest/reference/events/create-connection.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encryption of the connection's secret. ## Updating AWS KMS keys for connections Updating AWS KMS keys You can update the KMS key being used for encrypting an existing connection. This includes: + Changing from the default AWS owned key to a customer managed key. + Changing from a customer managed key to the default AWS owned key. + Changing from one customer managed key to another. When you update a connection to use a different KMS key , EventBridge decrypts the connection's secret and then encrypts it using the new key. Make sure the KMS key you specify has the necessary permissions. For more information, see [Connection key policy](encryption-connections.md#encryption-connections-key-policy). **To update the KMS key used for encryption on a connection (console)** 1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/). 1. In the navigation pane, choose **Integration**, and then choose **Connections**. 1. Choose the connection you want to update. 1. On the connection details page, under **Encryption**, choose the KMS key for EventBridge to use when encrypting the connection's secret: + Choose **Use AWS owned key** for EventBridge to encrypt the secret using an AWS owned key. This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. This is the default. + Choose **Choose a different AWS KMS key (advanced)** for EventBridge to encrypt the secret using the customer managed key that you specify or create. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys. 1. Specify an existing customer managed key, or choose **Create a new KMS key**. Make sure the KMS key you specify has the necessary permissions. For more information, see [Connection key policy](encryption-connections.md#encryption-connections-key-policy). EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key. **To update the KMS key used for encryption on a connection (CLI)** + When calling `[update-connection](https://docs.aws.amazon.com/cli/latest/reference/events/update-connection.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encrypting the connection secret.