Configure Server-Side Encryption¶
Alation Cloud Service Applies to Alation Cloud Service instances of Alation
Customer Managed Applies to customer-managed instances of Alation
Server-side encryption is the encryption of data at its destination by the application or service that receives it. More details in Protecting data with server-side encryption in AWS documentation.
To perform metadata extraction, incremental extraction, and sampling of encrypted files in Alation, you may need to set additional permissions to the service account:
The default server-side encryption is with Amazon S3 managed keys (SSE-S3). It does not require any additional permissions (no action required).
If you are using KMS keys (SSE-KMS), additional configuration is required: Configure Access with SSE-KMS
Note
Server-side encryption with customer-provided keys (SSE-C) is not currently supported by Alation.
Configure Access with SSE-KMS¶
This section provides information about the permissions that need to be set if you use the KMS key for server-side encryption. You will need to do the following:
Attach additional permissions to the KMS key
Attach additional permissions to the IAM user (Basic authentication) or IAM role (STS authentication) you are using in Alation
Grant additional permissions to actual users who will perform dynamic sampling in Alation
Attach additional permissions to the IAM role for Lambda function. This is applicable only if you are using the incremental extraction feature.
Refer to the sections below for details.
Attach Additional Permissions to the KMS Key¶
The policy on the KMS key must include the kms:GenerateDataKey
action, which will allow generating a key from the S3 service for source buckets. You can append this permission to the existing policy.
See the permission example below. When using this example, replace {ACCOUNT_ID}
with your account ID and SOURCE_BUCKET_{N}
with your source bucket name.
{
"Sid": "Allow Amazon S3 use of the customer managed key",
"Effect": "Allow",
"Principal": {
"Service": "s3.amazonaws.com"
},
"Action": "kms:GenerateDataKey",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:SourceAccount": "{ACCOUNT_ID}"
},
"ArnLike": {
"aws:SourceARN": [
"arn:aws:s3:::{SOURCE_BUCKET_1}",
"arn:aws:s3:::{SOURCE_BUCKET_2}"
]
}
}
}
Attach Additional Permissions to the IAM User or Role¶
If you are using an IAM user for basic authentication or an IAM role for STS authentication, add the following permission to the IAM user or IAM role to decrypt the KMS key used in source buckets and destination buckets:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": [
"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID}"
]
}
]
}
Grant Additional Permissions to Users¶
For dynamic sampling, the permission to decrypt the KMS key used in the source buckets must be assigned to the user who performs the dynamic sampling user.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": [
"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID}"
]
}
]
}
Grant Additional Permissions to the IAM Role for the Lambda Function¶
If the IAM role is used in a Lambda function, add the following permission to the IAM role:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "kms:GenerateDataKey",
"Resource": [
"arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_B}"
]
}
Use cases¶
The Same Key for Source and Destination Buckets¶
Criteria¶
Source buckets have the SSE-KMS encryption enabled using a KMS key key-A.
Destination bucket has the SSE-KMS encryption enabled using a KMS key key-A.
Steps¶
Create a KMS key key-A, see How to set up SSE KMS in S3 bucket?.
You must choose key type as symmetric and key usage as encrypt and decrypt.
Create a source bucket with SSE-KMS encryption enabled by selecting KMS key key-A.
Create a destination bucket with SSE-KMS encryption enabled by selecting KMS key key-A.
Update the KMS key-A policy to allow access from the source bucket to use the key.
Go to the KMS service and click Customer-managed keys.
Search for your key key-A.
Edit the key policy and append the below permission. Make sure that you do not remove the existing permission codes. Replace ACCOUNT_ID with your account_id and SOURCE_BUCKET_{N} with the source bucket name.
{ "Sid": "Allow Amazon S3 use of the customer managed key", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "{ACCOUNT_ID}" }, "ArnLike": { "aws:SourceARN": [ "arn:aws:s3:::{SOURCE_BUCKET_1}", "arn:aws:s3:::{SOURCE_BUCKET_2}" ] } } }
Save the policy.
If configuring incremental MDE, follow the steps in Set Up Incremental MDE to set up the Lambda function with the following modifications:
While setting up the inventory configuration, choose the destination bucket created in step 3.
While setting up the IAM role for the lambda function, along with the
PutObject
permission append the below permission. Replace theDESTINATION_BUCKET
with your destination bucket name,ACCOUNT_ID
with your account ID andKEY_ID
with your key ID.{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": [ "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID}" ] }, { "Action": [ "s3:PutObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::{DESTINATION_BUCKET}/*" ] } ] }When setting up authentication (Configure Access and Permissions), append the following additional permission to support SSE-KMS. Replace ACCOUNT_ID and KEY_ID with your account_id and key_id. If you are using STS auth, make sure to add the below permission to your STS Role.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": [ "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID}" ] } ] }
Perform MDE, schema extraction, and sampling.
For sampling to work, assign the policy created in step 6 to the user (IAM or SSO) who is going to perform sampling.
Different Keys for Source and Destination Buckets¶
Criteria¶
Source buckets have the SSE-KMS encryption enabled using a KMS key key-A.
The destination bucket has the SSE-KMS encryption enabled using a KMS key key-B.
Steps¶
Create KMS keys key-A and key-B. See How to set up SSE KMS in S3 bucket? in Amazon documentation.
You must choose key type as symmetric and key usage as encrypt and decrypt.
Create a source bucket with the SSE-KMS encryption enabled by selecting the KMS key key-A.
Create a destination bucket with SSE-KMS encryption enabled by selecting the KMS key key-B.
Update the KMS key-B policy to allow access from the source bucket to use the key.
Go to the KMS service and click Customer-managed keys.
Search for your key key-B.
Edit the key policy and append the below permission. Make sure that you do not remove the existing permission codes. Replace
ACCOUNT_ID
with your account ID andSOURCE_BUCKET_{N}
with the source bucket name.{ "Sid": "Allow Amazon S3 use of the customer managed key", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "{ACCOUNT_ID}" }, "ArnLike": { "aws:SourceARN": [ "arn:aws:s3:::{SOURCE_BUCKET_1}", "arn:aws:s3:::{SOURCE_BUCKET_2}" ] } } }
Save the policy.
If configuring incremental MDE, follow the steps in Set Up Incremental MDE to set up an inventory and a Lambda function with the following modifications:
While setting up the inventory configuration, choose the destination bucket created in step 3.
While setting up the IAM role for lambda function, along with the PutObject permission append the below permission. Replace the DESTINATION_BUCKET with your destination bucket name, ACCOUNT_ID with your account_id and KEY_ID with your key_id of key-B.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "kms:GenerateDataKey", "Resource": [ "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_B}" ] }, { "Action": [ "s3:PutObject" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::{DESTINATION_BUCKET}/*" ] } ] }When setting up authentication (Configure Access and Permissions), append the following additional permission to support SSE-KMS, append the following additional permission to support SSE-KMS. Replace
ACCOUNT_ID
andKEY_ID
with your account ID and key ID. If you are using STS authentication, make sure to add the below permission to your STS role.{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": [ "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_A}", "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_B}" ] } ] }
Perform MDE, schema extraction and sampling.
For sampling to work, assign the policy created in step 6 to the user (IAM or SSO) who is going to perform sampling.
Different Encryption Types for Source and Destination Buckets¶
Criteria¶
Source buckets have the SSE-KMS encryption enabled using a KMS key key-A.
The destination bucket has the default SSE-S3 encryption.
Enable the SSE-KMS encryption using KMS key key-B while doing inventory configuration of the source bucket.
Steps¶
Create KMS keys key-A and key-B. See How to set up SSE KMS in S3 bucket?.
You must choose the key type as symmetric and key usage as encrypt and decrypt.
Create a source bucket with the SSE-KMS encryption enabled by selecting KMS key key-A.
Create a destination bucket with the SSE-KMS encryption.
Update the KMS key-B policy to allow access from the source bucket to use the key.
Go to the KMS service and click Customer-managed keys.
Search for your key key-B.
Edit the key policy and append the below permission. Make sure that you do not remove the existing permission codes. Replace
ACCOUNT_ID
with your account ID andSOURCE_BUCKET_{N}
with the source bucket name.{ "Sid": "Allow Amazon S3 use of the customer managed key", "Effect": "Allow", "Principal": { "Service": "s3.amazonaws.com" }, "Action": "kms:GenerateDataKey", "Resource": "*", "Condition": { "StringEquals": { "aws:SourceAccount": "{ACCOUNT_ID}" }, "ArnLike": { "aws:SourceARN": [ "arn:aws:s3:::{SOURCE_BUCKET_1}", "arn:aws:s3:::{SOURCE_BUCKET_2}" ] } } }
Save the policy.
If configuring incremental MDE, follow the steps in Set Up Incremental MDE to set up an inventory and a Lambda function with the following modifications:
Choose the destination bucket created in step 3.
Choose the encryption mode to be SSE-KMS and choose the key key-B.
When setting up authentication (Configure Access and Permissions), append the following additional permission to support SSE-KMS. Replace
ACCOUNT_ID
andKEY_ID
with your account ID and key ID of key-A and key-B. If you are using STS authentication, make sure to add the below permission to your STS role.{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "kms:Decrypt", "Resource": [ "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_A}", "arn:aws:kms:us-east-1:{ACCOUNT_ID}:key/{KEY_ID_OF_KEY_B}" ] } ] }
Perform MDE, schema extraction, and sampling.
For sampling to work, assign the policy created in step 6 to the user (IAM or SSO) who is going to perform sampling.