Encryption at rest in Amazon EventBridge

EventBridge provides transparent server-side encryption by integrating with AWS Key Management Service (KMS). Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements.

The following table lists the artifacts that EventBridge encrypts at rest, by resource:

| Resource | Details | AWS owned key | Customer managed key |
|---|---|---|---|
| API destinations | | Supported | Not supported |
| Archives | | Supported | Not supported |
| Events from AWS services | Event data includes all fields contained in the event-detail element of the event. EventBridge does not encrypt event metadata. For more information on event metadata, see Event metadata. | Supported | Not supported |
| Events from custom and partner sources | Event data includes all fields contained in the event-detail element of the event. EventBridge does not encrypt event metadata. For more information on event metadata, see Event metadata. | Supported | Supported |
| Event patterns (event buses) | | Supported | Not supported |
| Input transformers (event buses) | | Supported | Not supported |
| Pipes | Includes:<br>Events flowing through a pipe are never stored at rest. | Supported | Supported |

By default, EventBridge uses an AWS owned key to encrypt data. You can configure EventBridge to use customer managed keys for specific resources instead.

Important

We strongly recommend that you never put confidential or sensitive information in the following artifacts, as they are not encrypted at rest:

  • Event bus names

  • Rule names

  • Shared resources, such as tags
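The following check is an added example, not part of the AWS documentation: it lints a PutEvents entry and EventBridge resource names and tags for sensitive-looking values in the places this page says are not encrypted at rest, and skips Detail because that is the part that is encrypted. The regex patterns, function names and sample values are constructed assumptions; Source, DetailType, Resources and Detail are the PutEvents entry fields.

```python
import re

# Heuristic patterns (assumed for this example; extend for your own data classes).
SENSITIVE = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# PutEvents entry fields that become event metadata (source, detail-type, resources).
METADATA_FIELDS = ("Source", "DetailType", "Resources")

def scan(value):
    """Return sorted names of the sensitive patterns found in a string or list of strings."""
    text = " ".join(value) if isinstance(value, (list, tuple)) else str(value)
    return sorted(name for name, rx in SENSITIVE.items() if rx.search(text))

def lint_entry(entry):
    """Flag sensitive values in metadata fields; Detail is skipped because it is encrypted."""
    return [(field, hit)
            for field in METADATA_FIELDS if field in entry
            for hit in scan(entry[field])]

def lint_names(bus_name, rule_names, tags):
    """Flag sensitive values in event bus names, rule names and tags (not encrypted at rest)."""
    findings = [("event_bus", bus_name, hit) for hit in scan(bus_name)]
    for rule in rule_names:
        findings += [("rule", rule, hit) for hit in scan(rule)]
    for key, value in tags.items():
        findings += [("tag", key, hit) for hit in scan(f"{key}={value}")]
    return findings

# Constructed sample input: the e-mail address leaks into DetailType (metadata),
# while the same address and an SSN-shaped value sit in Detail, where they belong.
SAMPLE_ENTRY = {
    "Source": "com.example.billing",
    "DetailType": "Invoice sent to jane.doe@example.com",
    "Resources": ["arn:aws:s3:::example-bucket/invoices"],
    "Detail": '{"customerEmail": "jane.doe@example.com", "ssn": "123-45-6789"}',
}
SAMPLE_RULES = ["route-invoices", "rotate-AKIAIOSFODNN7EXAMPLE"]  # AWS's documented example key ID
SAMPLE_TAGS = {"owner": "jane.doe@example.com", "env": "prod"}

if __name__ == "__main__":
    for finding in lint_entry(SAMPLE_ENTRY) + lint_names("orders", SAMPLE_RULES, SAMPLE_TAGS):
        print(finding)
```
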