# Encryption at rest with customer managed keys
<a name="encryption-at-rest-cmk"></a>

Next generation Resilience Hub provides encryption by default to protect sensitive customer data at rest using AWS owned keys.
+ **AWS owned keys** Next generation Resilience Hub uses these keys by default to automatically encrypt sensitive data. You cannot view, manage, or use AWS owned keys, or audit their use. However, you do not have to take any action or change any programs to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service Developer Guide*.

While you cannot disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption by specifying a customer managed key when you create a service resource:
+ **Customer managed keys** Next generation Resilience Hub supports the use of a symmetric encryption customer managed key that you create, own, and manage. Because you have full control of this layer of encryption, you can perform such tasks as:
  + Establishing and maintaining key policies
  + Establishing and maintaining IAM policies and grants
  + Enabling and disabling key policies
  + Rotating key cryptographic material
  + Adding tags
  + Creating key aliases
  + Scheduling keys for deletion

  For more information, see [Customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.

The following table summarizes how Next generation Resilience Hub encrypts sensitive data.


**Encryption of data types in Next generation Resilience Hub**  

| Data type | AWS owned key encryption | Customer managed key encryption (optional) | 
| --- | --- | --- | 
| `description`<br />Descriptions for services, systems, and resiliency policies. | Enabled | Enabled | 
| `finding`<br />Assessment finding names, descriptions, reasoning, and comments. | Enabled | Enabled | 
| `recommendation`<br />Recommendation descriptions and suggested changes associated with findings. | Enabled | Enabled | 
| `serviceFunction`<br />Service function names and descriptions. | Enabled | Enabled | 
| `assumption`<br />Assumption text associated with service functions. | Enabled | Enabled | 
| `userJourney`<br />User journey descriptions. | Enabled | Enabled | 
| `event`<br />Service event log descriptions. | Enabled | Enabled | 
| `assessmentData`<br />Intermediate data generated by agentic assessment workflows, including topology, resource configuration, and working data stored in Amazon S3. | Enabled | Enabled | 
| Resource identifiers<br />Resource names, ARNs, resource types, and regions. Resource names are used in identifiers and encryption context and must not contain sensitive data. | Enabled | Not supported | 

**Note**  
Next generation Resilience Hub automatically enables encryption at rest using AWS owned keys at no charge. However, AWS KMS charges apply for using a customer managed key. For more information about pricing, see [AWS Key Management Service pricing](https://aws.amazon.com/kms/pricing/).

**Important**  
Next generation Resilience Hub supports only symmetric encryption KMS keys. You cannot use any other type of KMS key to encrypt your Next generation Resilience Hub resources. For help determining whether a KMS key is a symmetric encryption key, see [Identifying symmetric and asymmetric KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) in the *AWS Key Management Service Developer Guide*.

## How Next generation Resilience Hub uses grants in AWS KMS
<a name="encryption-at-rest-cmk-grants"></a>

Next generation Resilience Hub requires a [grant](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to use your customer managed key during asynchronous assessment workflows.

When you create a service with a customer managed key, Next generation Resilience Hub creates a grant on your behalf by sending a [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS. The grant is constrained to the encryption context of your service and allows only the following operations:
+ `Encrypt` – Encrypt sensitive fields such as findings, recommendations, and assumptions generated during assessment workflows.
+ `Decrypt` – Decrypt previously encrypted data during assessment processing.
+ `GenerateDataKey` – Generate data keys for encrypting intermediate assessment data stored in Amazon S3.

The grant is retired when you delete the service. You can also revoke access to the grant, or remove the service's access to the customer managed key at any time. If you do, Next generation Resilience Hub cannot access any of the data encrypted by the customer managed key, which affects API operations and assessment workflows that depend on that data.

For synchronous API operations (such as creating or updating a service), Next generation Resilience Hub uses the caller's permissions on the KMS key directly, without requiring a grant.

## Create a customer managed key
<a name="encryption-at-rest-cmk-create-key"></a>

You can create a symmetric encryption customer managed key by using the AWS Management Console or the AWS KMS APIs.

**To create a symmetric encryption customer managed key**

Follow the steps for [Creating symmetric encryption KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.

## Specifying a customer managed key for Next generation Resilience Hub
<a name="encryption-at-rest-cmk-specify"></a>

You can specify a customer managed key when you create a service, system, or resiliency policy. When you provide a KMS key ID, Next generation Resilience Hub uses that key to encrypt all sensitive data associated with the resource.

You can specify the key using any of the following [key identifiers](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id):
+ Key ID (for example, `1234abcd-12ab-34cd-56ef-1234567890ab`)
+ Key ARN (for example, `arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`)
+ Alias name (for example, `alias/my-key`)
+ Alias ARN (for example, `arn:aws:kms:us-west-2:111122223333:alias/my-key`)

To specify a customer managed key, use the `kmsKeyId` parameter when calling the `CreateService`, `CreateSystem`, or `CreatePolicy` API operations.
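As an added example (not code from the Resilience Hub documentation or the AWS SDK), the following Python classifies a `kmsKeyId` value into the four identifier forms listed above and notes when an ARN names a different account or Region than the one the resource is created in. The account, Region and key values are constructed; the ones that match the page reuse its example account `111122223333` and key ID.

```python
"""Classify the four KMS key identifier forms the kmsKeyId parameter accepts.

Added example, not part of the Resilience Hub documentation or the AWS SDK.
Sample values are constructed.
"""
import re

KEY_ID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ALIAS_NAME_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
KMS_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<kind>key|alias)/(?P<rest>.+)$"
)


def classify_key_identifier(identifier: str) -> dict:
    """Return {'type': ...} plus the fields the identifier carries.

    Raises ValueError for anything that is not a key ID, key ARN, alias name
    or alias ARN, so a caller can reject bad input before the API request.
    """
    if KEY_ID_RE.match(identifier):
        return {"type": "key-id", "key_id": identifier}
    if ALIAS_NAME_RE.match(identifier):
        return {"type": "alias-name", "alias": identifier}
    m = KMS_ARN_RE.match(identifier)
    if not m:
        raise ValueError(f"not a KMS key ID, key ARN, alias name or alias ARN: {identifier!r}")
    scope = {"region": m.group("region"), "account": m.group("account")}
    if m.group("kind") == "key":
        if not KEY_ID_RE.match(m.group("rest")):
            raise ValueError(f"key ARN does not end in a key ID: {identifier!r}")
        return {"type": "key-arn", "key_id": m.group("rest"), **scope}
    alias = "alias/" + m.group("rest")
    if not ALIAS_NAME_RE.match(alias):
        raise ValueError(f"alias ARN carries an invalid alias name: {identifier!r}")
    return {"type": "alias-arn", "alias": alias, **scope}


def check_key_identifier(identifier: str, account: str, region: str) -> list:
    """Notes worth reading before sending kmsKeyId for a resource created in
    the given account and Region: an ARN that points elsewhere, or a bare
    key ID / alias name, which KMS resolves in the caller's own account."""
    info = classify_key_identifier(identifier)
    notes = []
    if info["type"] in ("key-arn", "alias-arn"):
        if info["account"] != account:
            notes.append(f"{identifier}: key lives in account {info['account']}, not {account}; "
                         "that account's key policy must grant your principal access")
        if info["region"] != region:
            notes.append(f"{identifier}: key ARN names Region {info['region']}, "
                         f"resource is created in {region}")
    return notes


if __name__ == "__main__":
    for ident in ("1234abcd-12ab-34cd-56ef-1234567890ab", "alias/my-key",
                  "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
                  "arn:aws:kms:us-west-2:999999999999:alias/my-key"):  # constructed
        print(classify_key_identifier(ident), check_key_identifier(ident, "111122223333", "us-west-2"))
```

The ARN forms carry their account and Region, so a mismatch can be caught client-side; a bare key ID or alias name carries neither and is resolved by KMS in the calling account, which is why only the ARN forms can name a key in another account.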

## Key policy
<a name="encryption-at-rest-cmk-key-policy"></a>

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Managing access to customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*.

The following key policy allows Next generation Resilience Hub to use your key. It scopes each permission to only the operations Next generation Resilience Hub requires, using encryption context conditions to ensure your key can only be used for your specific resources. Replace `{{CUSTOMER-ACCOUNT-ID}}`, `{{CUSTOMER-ROLE}}`, and `{{REGION}}` with your values.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowResilienceHubDescribeKey",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{{CUSTOMER-ACCOUNT-ID}}:role/{{CUSTOMER-ROLE}}"
            },
            "Action": "kms:DescribeKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "resiliencehub.{{REGION}}.amazonaws.com"
                }
            }
        },
        {
            "Sid": "AllowResilienceHubEncryptDecryptForServices",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{{CUSTOMER-ACCOUNT-ID}}:role/{{CUSTOMER-ROLE}}"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "resiliencehub.{{REGION}}.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:resiliencehub:service-arn": "arn:aws:resiliencehub:*:{{CUSTOMER-ACCOUNT-ID}}:service/*"
                }
            }
        },
        {
            "Sid": "AllowResilienceHubEncryptDecryptForSystems",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{{CUSTOMER-ACCOUNT-ID}}:role/{{CUSTOMER-ROLE}}"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "resiliencehub.{{REGION}}.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:resiliencehub:system-arn": "arn:aws:resiliencehub:*:{{CUSTOMER-ACCOUNT-ID}}:system/*"
                }
            }
        },
        {
            "Sid": "AllowResilienceHubEncryptDecryptForPolicies",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{{CUSTOMER-ACCOUNT-ID}}:role/{{CUSTOMER-ROLE}}"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "resiliencehub.{{REGION}}.amazonaws.com"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:resiliencehub:policy-arn": "arn:aws:resiliencehub:*:{{CUSTOMER-ACCOUNT-ID}}:policy/*"
                }
            }
        },
        {
            "Sid": "AllowResilienceHubCreateGrantForAsyncWorkflows",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::{{CUSTOMER-ACCOUNT-ID}}:role/{{CUSTOMER-ROLE}}"
            },
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "resiliencehub.{{REGION}}.amazonaws.com",
                    "kms:GrantConstraintType": "EncryptionContextSubset"
                },
                "StringLike": {
                    "kms:EncryptionContext:aws:resiliencehub:service-arn": "arn:aws:resiliencehub:*:{{CUSTOMER-ACCOUNT-ID}}:service/*"
                },
                "ForAllValues:StringEquals": {
                    "kms:GrantOperations": [
                        "Encrypt",
                        "Decrypt",
                        "GenerateDataKey"
                    ]
                }
            }
        }
    ]
}
```

The policy statements provide the following permissions:
+ **AllowResilienceHubDescribeKey** – Allows Next generation Resilience Hub to validate that your key exists and is a symmetric encryption key when you specify it during service creation.
+ **AllowResilienceHubEncryptDecryptForServices** – Allows Next generation Resilience Hub to encrypt and decrypt service-level data (findings, recommendations, assumptions, service functions, events, and assessment data) during synchronous API calls. Scoped to your service resources by encryption context.
+ **AllowResilienceHubEncryptDecryptForSystems** – Allows Next generation Resilience Hub to encrypt and decrypt system-level data (system descriptions and user journey descriptions) during synchronous API calls. Scoped to your system resources by encryption context.
+ **AllowResilienceHubEncryptDecryptForPolicies** – Allows Next generation Resilience Hub to encrypt and decrypt policy-level data (resiliency policy descriptions) during synchronous API calls. Scoped to your policy resources by encryption context.
+ **AllowResilienceHubCreateGrantForAsyncWorkflows** – Allows Next generation Resilience Hub to create a grant for asynchronous assessment workflows. The grant is constrained to only the operations needed (Encrypt, Decrypt, GenerateDataKey) and must include an encryption context subset constraint bound to your service ARN.
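The following Python is an added example, not a tool from AWS or the Resilience Hub documentation. It rebuilds the policy above with the placeholders filled in (constructed values: account `111122223333`, role `ResilienceHubRole`, Region `us-west-2`) and lints every Allow statement for the scoping the policy depends on: the `kms:ViaService` condition, an encryption-context condition on each statement that grants Encrypt/Decrypt/GenerateDataKey, and a CreateGrant statement pinned to `EncryptionContextSubset` with `kms:GrantOperations` limited to the three operations. A deliberately loosened copy shows what the checks catch.

```python
"""Lint a KMS key policy for the scoping the page's example policy relies on.

Added example, not part of the Resilience Hub documentation or any AWS tool.
build_page_policy reproduces the structure of the page's policy with its
{{...}} placeholders filled; the account, role and Region values are constructed.
"""
import json

DATA_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}
WILDCARDS = {"kms:*", "*"}
GRANT_OPS = {"Encrypt", "Decrypt", "GenerateDataKey"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_key_policy(policy: dict, region: str) -> list:
    """Return one finding per Allow statement that is looser than the page's policy."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = set(_as_list(st.get("Action", [])))
        cond = st.get("Condition", {})
        # Every statement should only be usable through Resilience Hub in this Region.
        if cond.get("StringEquals", {}).get("kms:ViaService") != f"resiliencehub.{region}.amazonaws.com":
            findings.append(f"{sid}: missing or wrong kms:ViaService condition")
        # Data-key actions must be tied to a Resilience Hub encryption context key.
        if actions & (DATA_ACTIONS | WILDCARDS):
            ec_keys = [k for op in ("StringLike", "StringEquals") for k in cond.get(op, {})
                       if k.startswith("kms:EncryptionContext:aws:resiliencehub:")]
            if not ec_keys:
                findings.append(f"{sid}: Encrypt/Decrypt/GenerateDataKey not scoped by encryption context")
        # CreateGrant must pin the constraint type and the grant operations.
        if actions & ({"kms:CreateGrant"} | WILDCARDS):
            if cond.get("StringEquals", {}).get("kms:GrantConstraintType") != "EncryptionContextSubset":
                findings.append(f"{sid}: CreateGrant not restricted to EncryptionContextSubset constraints")
            ops = set(_as_list(cond.get("ForAllValues:StringEquals", {}).get("kms:GrantOperations", [])))
            if not ops or not ops <= GRANT_OPS:
                findings.append(f"{sid}: kms:GrantOperations must be limited to {sorted(GRANT_OPS)}")
    return findings


def build_page_policy(account: str, role: str, region: str) -> dict:
    """The page's policy with placeholders filled (same Sids, actions and conditions)."""
    principal = {"AWS": f"arn:aws:iam::{account}:role/{role}"}
    via = {"kms:ViaService": f"resiliencehub.{region}.amazonaws.com"}

    def data_statement(kind, plural):
        return {"Sid": f"AllowResilienceHubEncryptDecryptFor{plural}", "Effect": "Allow",
                "Principal": principal, "Action": sorted(DATA_ACTIONS), "Resource": "*",
                "Condition": {"StringEquals": dict(via), "StringLike": {
                    f"kms:EncryptionContext:aws:resiliencehub:{kind}-arn":
                    f"arn:aws:resiliencehub:*:{account}:{kind}/*"}}}

    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowResilienceHubDescribeKey", "Effect": "Allow", "Principal": principal,
         "Action": "kms:DescribeKey", "Resource": "*", "Condition": {"StringEquals": dict(via)}},
        data_statement("service", "Services"),
        data_statement("system", "Systems"),
        data_statement("policy", "Policies"),
        {"Sid": "AllowResilienceHubCreateGrantForAsyncWorkflows", "Effect": "Allow",
         "Principal": principal, "Action": "kms:CreateGrant", "Resource": "*",
         "Condition": {"StringEquals": {**via, "kms:GrantConstraintType": "EncryptionContextSubset"},
                       "StringLike": {"kms:EncryptionContext:aws:resiliencehub:service-arn":
                                      f"arn:aws:resiliencehub:*:{account}:service/*"},
                       "ForAllValues:StringEquals": {"kms:GrantOperations": sorted(GRANT_OPS)}}},
    ]}


def weakened_policy(policy: dict) -> dict:
    """Two loosenings a reviewer should catch: the service statement loses its
    encryption-context scope, and grants may carry an extra operation."""
    weak = json.loads(json.dumps(policy))  # deep copy
    for st in weak["Statement"]:
        if st["Sid"] == "AllowResilienceHubEncryptDecryptForServices":
            del st["Condition"]["StringLike"]
        elif st["Sid"] == "AllowResilienceHubCreateGrantForAsyncWorkflows":
            st["Condition"]["ForAllValues:StringEquals"]["kms:GrantOperations"].append("ReEncryptFrom")
    return weak


if __name__ == "__main__":
    good = build_page_policy("111122223333", "ResilienceHubRole", "us-west-2")
    print("page policy:", lint_key_policy(good, "us-west-2") or "no findings")
    print("weakened:", lint_key_policy(weakened_policy(good), "us-west-2"))
```

Run the linter against the policy you actually attach to the key (for example the JSON returned by `GetKeyPolicy`) rather than the one in your repository; the two drift. The wildcard check treats `kms:*` as carrying every action, so a broad statement without the conditions is reported on all three checks.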

For more information about [specifying permissions in a policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html), see the *AWS Key Management Service Developer Guide*.

For more information about [troubleshooting key access](https://docs.aws.amazon.com/kms/latest/developerguide/policy-evaluation.html#example-no-iam), see the *AWS Key Management Service Developer Guide*.

## Next generation Resilience Hub encryption context
<a name="encryption-at-rest-cmk-encryption-context"></a>

An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is an optional set of key-value pairs that contain additional contextual information about the data.

AWS KMS uses the encryption context as [additional authenticated data](https://docs.aws.amazon.com/kms/latest/cryptographic-details/crypto-primitives.html) to support authenticated encryption. When you include an encryption context in a request to encrypt data, AWS KMS binds the encryption context to the encrypted data. To decrypt data, you must include the same encryption context in the request.

**Next generation Resilience Hub encryption context**

Next generation Resilience Hub uses the following encryption context keys depending on the resource type:


**Encryption context keys**  

| Encryption context key | Scope | Used for | 
| --- | --- | --- | 
| aws:resiliencehub:service-arn | Service | Findings, recommendations, assumptions, service functions, dependencies, events, and assessment data | 
| aws:resiliencehub:system-arn | System | System descriptions and user journey descriptions | 
| aws:resiliencehub:policy-arn | Policy | Resiliency policy descriptions | 

Example encryption context for a service-level operation:

```
"encryptionContext": {
    "aws:resiliencehub:service-arn": "arn:aws:resiliencehub:us-west-2:{{111122223333}}:service/{{my-service}}:{{abc123}}"
}
```

**Using encryption context for monitoring**

When you use a symmetric encryption customer managed key to encrypt your data, you can use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context appears in logs generated by [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html).

**Using encryption context to control access**

You can use the encryption context in key policies and IAM policies as `conditions` to control access to your symmetric encryption customer managed key. You can also use encryption context constraints in a grant.

Next generation Resilience Hub uses an encryption context subset constraint in grants to ensure that asynchronous workflows can only encrypt and decrypt data belonging to the specific service the grant was created for.

## Monitoring your encryption keys for Next generation Resilience Hub
<a name="encryption-at-rest-cmk-monitoring"></a>

When you use a customer managed key with your Next generation Resilience Hub resources, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) to track requests that Next generation Resilience Hub sends to AWS KMS.

CreateGrant  
When you create a service with a customer managed key, Next generation Resilience Hub sends a `CreateGrant` request on your behalf to enable asynchronous assessment workflows to use your key. The grant is specific to the service and constrained by encryption context. Next generation Resilience Hub uses `RetireGrant` to remove the grant when you delete the service.  
The following example event records the `CreateGrant` operation:  

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLE:{{session-name}}",
        "arn": "arn:aws:sts::{{111122223333}}:assumed-role/{{YourRole}}/{{session-name}}",
        "accountId": "{{111122223333}}",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAEXAMPLE",
                "arn": "arn:aws:iam::{{111122223333}}:role/{{YourRole}}",
                "accountId": "{{111122223333}}",
                "userName": "{{YourRole}}"
            }
        },
        "invokedBy": "resiliencehub.amazonaws.com"
    },
    "eventTime": "2026-01-15T10:07:22Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "resiliencehub.amazonaws.com",
    "userAgent": "resiliencehub.amazonaws.com",
    "requestParameters": {
        "granteePrincipal": "resiliencehub.amazonaws.com",
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}",
        "retiringPrincipal": "resiliencehub.amazonaws.com",
        "operations": [
            "Decrypt",
            "GenerateDataKey",
            "Encrypt"
        ],
        "constraints": {
            "encryptionContextSubset": {
                "aws:resiliencehub:service-arn": "arn:aws:resiliencehub:us-west-2:{{111122223333}}:service/{{my-service}}:{{abc123}}"
            }
        }
    },
    "responseElements": {
        "grantId": "0ab0ac0d0b000f00ea00cc0a0e00fc00bce000c000f0000000c0bc0a0000aaafSAMPLE",
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}"
    },
    "requestID": "ff000af-00eb-00ce-0e00-ea000fb0fba0SAMPLE",
    "eventID": "56d4e434-abb6-4dd7-8558-ad38560d03b1",
    "readOnly": false,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{111122223333}}",
    "eventCategory": "Management"
}
```

GenerateDataKey  
When Next generation Resilience Hub encrypts data using your customer managed key, it sends a `GenerateDataKey` request to generate a data key. This occurs during both synchronous API calls (such as creating a service with a description) and asynchronous assessment workflows.  
The following example event records the `GenerateDataKey` operation:  

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AWSService",
        "invokedBy": "resiliencehub.amazonaws.com"
    },
    "eventTime": "2026-01-15T11:18:36Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "resiliencehub.amazonaws.com",
    "userAgent": "resiliencehub.amazonaws.com",
    "requestParameters": {
        "numberOfBytes": 32,
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}",
        "encryptionContext": {
            "aws:resiliencehub:service-arn": "arn:aws:resiliencehub:us-west-2:{{111122223333}}:service/{{my-service}}:{{abc123}}",
            "aws-crypto-public-key": "AwAnnorjRE+DFQYIuDKjGEvlXwro5Rdiegk8flmq7m0N..."
        }
    },
    "responseElements": null,
    "requestID": "c5bedc9b-e6d6-45f8-b121-c9851a3d718a",
    "eventID": "e839a7ed-e4a9-32a3-b92a-2c7237a40c82",
    "readOnly": true,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{111122223333}}",
    "eventCategory": "Management"
}
```

Decrypt  
When you retrieve resources through API operations or when assessment workflows process previously stored data, Next generation Resilience Hub sends `Decrypt` requests to decrypt the data.  
The following example event records the `Decrypt` operation:  

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLE:{{session-name}}",
        "arn": "arn:aws:sts::{{111122223333}}:assumed-role/{{YourRole}}/{{session-name}}",
        "accountId": "{{111122223333}}",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAEXAMPLE",
                "arn": "arn:aws:iam::{{111122223333}}:role/{{YourRole}}",
                "accountId": "{{111122223333}}",
                "userName": "{{YourRole}}"
            }
        },
        "invokedBy": "resiliencehub.amazonaws.com"
    },
    "eventTime": "2026-01-15T11:27:49Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "resiliencehub.amazonaws.com",
    "userAgent": "resiliencehub.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}",
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "encryptionContext": {
            "aws:resiliencehub:service-arn": "arn:aws:resiliencehub:us-west-2:{{111122223333}}:service/{{my-service}}:{{abc123}}",
            "aws-crypto-public-key": "A/9P3BC05WjeQONZR1fBiEqWKEse/Yk1lMxd2VIh2ED5..."
        }
    },
    "responseElements": null,
    "requestID": "30f8e9bc-4e0a-4359-8bc3-8278ef42c206",
    "eventID": "195ef070-c952-4c28-9883-29bca297a08c",
    "readOnly": true,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{111122223333}}",
    "eventCategory": "Management"
}
```

DescribeKey  
Next generation Resilience Hub sends `DescribeKey` requests to verify that the customer managed key associated with your service exists in the account and region and is a valid symmetric encryption key.  
The following example event records the `DescribeKey` operation:  

```
{
    "eventVersion": "1.11",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAEXAMPLE:{{session-name}}",
        "arn": "arn:aws:sts::{{111122223333}}:assumed-role/{{YourRole}}/{{session-name}}",
        "accountId": "{{111122223333}}",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAEXAMPLE",
                "arn": "arn:aws:iam::{{111122223333}}:role/{{YourRole}}",
                "accountId": "{{111122223333}}",
                "userName": "{{YourRole}}"
            }
        },
        "invokedBy": "resiliencehub.amazonaws.com"
    },
    "eventTime": "2026-01-15T10:07:13Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "DescribeKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "resiliencehub.amazonaws.com",
    "userAgent": "resiliencehub.amazonaws.com",
    "requestParameters": {
        "keyId": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}"
    },
    "responseElements": null,
    "requestID": "e427932c-448b-49aa-88e1-b311c27ba753",
    "eventID": "48c596a5-83c7-4603-b0cf-be0ff2548623",
    "readOnly": true,
    "resources": [
        {
            "accountId": "{{111122223333}}",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:{{111122223333}}:key/{{1234abcd-12ab-34cd-56ef-1234567890ab}}"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "{{111122223333}}",
    "eventCategory": "Management"
}
```
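The events above can be checked mechanically, which also exercises the grant lifecycle described under "How Next generation Resilience Hub uses grants in AWS KMS" and the subset constraint described under the encryption context section. The following Python is an added example, not from the Resilience Hub or CloudTrail documentation: it scans CloudTrail records (constructed below with the same fields as the samples on this page) for KMS calls invoked by `resiliencehub.amazonaws.com`, flags a `CreateGrant` whose operations go beyond Encrypt/Decrypt/GenerateDataKey or whose constraint is not bound to a service ARN in your account, and reports, for each later `GenerateDataKey`/`Decrypt`, which recorded grant's `encryptionContextSubset` constraint its encryption context satisfies. The subset check applies KMS's rule for that constraint type: every constraint pair must be present in the request's encryption context, and extra pairs such as `aws-crypto-public-key` are allowed.

```python
"""Audit Resilience Hub KMS activity in CloudTrail against the expected grant shape.

Added example, not part of the Resilience Hub or CloudTrail documentation.
SAMPLE_EVENTS are constructed records carrying the fields this audit reads,
shaped like the page's sample events; IDs, ARNs and key values are made up.
"""
import json

ALLOWED_GRANT_OPS = {"Encrypt", "Decrypt", "GenerateDataKey"}
SERVICE_PRINCIPAL = "resiliencehub.amazonaws.com"
EC_KEYS = ("aws:resiliencehub:service-arn", "aws:resiliencehub:system-arn", "aws:resiliencehub:policy-arn")


def subset_satisfied(constraint: dict, request_ec: dict) -> bool:
    """EncryptionContextSubset rule: every constraint pair must appear in the
    request context; the request may carry additional pairs."""
    return all(request_ec.get(k) == v for k, v in constraint.items())


def audit_kms_events(events: list, account: str) -> dict:
    """Hard findings, the grants seen, and per data-key event the covering grant (or None)."""
    findings, grants, coverage = [], {}, {}
    for ev in events:
        ident = ev.get("userIdentity", {})
        if ev.get("eventSource") != "kms.amazonaws.com" or ident.get("invokedBy") != SERVICE_PRINCIPAL:
            continue
        name, eid = ev["eventName"], ev["eventID"]
        params = ev.get("requestParameters") or {}
        if name == "CreateGrant":
            extra = set(params.get("operations", [])) - ALLOWED_GRANT_OPS
            if extra:
                findings.append(f"{eid}: CreateGrant with operations outside the expected set: {sorted(extra)}")
            subset = (params.get("constraints") or {}).get("encryptionContextSubset") or {}
            svc = subset.get("aws:resiliencehub:service-arn", "")
            if not svc.startswith(f"arn:aws:resiliencehub:{ev['awsRegion']}:{account}:service/"):
                findings.append(f"{eid}: CreateGrant constraint not bound to a service ARN in account {account}")
            else:
                grants[(ev.get("responseElements") or {}).get("grantId", eid)] = subset
        elif name in ("GenerateDataKey", "Decrypt", "Encrypt"):
            ec = params.get("encryptionContext") or {}
            for k in EC_KEYS:
                if k in ec and f":{account}:" not in ec[k]:
                    findings.append(f"{eid}: {name} encryption context {k} refers to another account")
            # Which grant recorded so far would have authorised this request?
            coverage[eid] = next((gid for gid, c in grants.items() if subset_satisfied(c, ec)), None)
    return {"findings": findings, "grants": grants, "coverage": coverage}


def _event(name, params, eid, *, response=None, identity_type="AssumedRole",
           region="us-west-2", account="111122223333"):
    """Constructed CloudTrail record with the fields the audit reads."""
    return {"eventSource": "kms.amazonaws.com", "eventName": name, "eventID": eid,
            "awsRegion": region, "recipientAccountId": account,
            "userIdentity": {"type": identity_type, "invokedBy": SERVICE_PRINCIPAL},
            "requestParameters": params, "responseElements": response}


KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SVC_A = "arn:aws:resiliencehub:us-west-2:111122223333:service/my-service:abc123"
SVC_B = "arn:aws:resiliencehub:us-west-2:111122223333:service/other-service:def456"

SAMPLE_EVENTS = [  # constructed; mirrors the page's CreateGrant / GenerateDataKey / Decrypt samples
    _event("CreateGrant", {"keyId": KEY_ARN, "granteePrincipal": SERVICE_PRINCIPAL,
                           "operations": ["Decrypt", "GenerateDataKey", "Encrypt"],
                           "constraints": {"encryptionContextSubset": {"aws:resiliencehub:service-arn": SVC_A}}},
           "evt-grant-a", response={"grantId": "grant-a", "keyId": KEY_ARN}),
    _event("GenerateDataKey", {"keyId": KEY_ARN, "numberOfBytes": 32,
                               "encryptionContext": {"aws:resiliencehub:service-arn": SVC_A,
                                                     "aws-crypto-public-key": "EXAMPLEPUBLICKEY..."}},
           "evt-gdk-a", identity_type="AWSService"),
    _event("Decrypt", {"keyId": KEY_ARN, "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
                       "encryptionContext": {"aws:resiliencehub:service-arn": SVC_B}}, "evt-dec-b"),
    _event("CreateGrant", {"keyId": KEY_ARN, "granteePrincipal": SERVICE_PRINCIPAL,
                           "operations": ["Decrypt", "GenerateDataKey", "Encrypt", "ReEncryptFrom"],
                           "constraints": {"encryptionContextSubset": {"aws:resiliencehub:service-arn": SVC_B}}},
           "evt-grant-b", response={"grantId": "grant-b", "keyId": KEY_ARN}),
]

if __name__ == "__main__":
    print(json.dumps(audit_kms_events(SAMPLE_EVENTS, "111122223333"), indent=2))
```

A data-key event with no covering grant is reported as coverage rather than as a finding: the page notes that synchronous API calls use the caller's permissions on the key directly, so such events are expected. What should never appear is a grant carrying operations beyond the three listed, or a constraint that is missing or bound to a service outside your account; feed CloudTrail Lake or log-file records into `audit_kms_events` in time order, since coverage is computed against grants seen earlier in the stream.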

## Learn more
<a name="encryption-at-rest-cmk-considerations"></a>

The following resources provide more information about data encryption at rest.
+ For more information about [AWS Key Management Service basic concepts](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html), see the *AWS Key Management Service Developer Guide*.
+ For more information about [security best practices for AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/kms-security.html), see the *AWS Key Management Service Developer Guide*.