

# Encrypting EventBridge archives with AWS KMS keys
<a name="encryption-archives"></a>

You can specify that EventBridge use a customer managed key to encrypt events stored in an archive, rather than use an AWS owned key as is the default. You can specify a customer managed key when you create or update an archive. For more information about key types, see [KMS key options](eb-encryption-at-rest-key-options.md).

This includes:
+ Events stored in the archive
+ The event pattern, if any, specified to filter the events sent to the archive

This does not include archive metadata, such as the size of the archive or number of events it contains.

If you specify a customer managed key for an archive, EventBridge encrypts events before sending them to the archive, so they are protected in transit and at rest.

## Archive encryption context
<a name="encryption-archives-context"></a>

An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, AWS KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context.

You can also use the encryption context as a condition for authorization in policies and grants.

If you use a customer managed key to protect your EventBridge resources, you can use the encryption context to identify use of the KMS key in audit records and logs. It also appears in plaintext in logs, such as [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html).

For event archives, EventBridge uses the same encryption context in all AWS KMS cryptographic operations. The context includes a single key–value pair, which contains the event bus ARN. 

```
"encryptionContext": {
    "kms:EncryptionContext:aws:events:event-bus:arn": "event-bus-arn"
}
```
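Because the encryption context is written in plaintext to CloudTrail, it can be used to attribute every use of an archive's key to a specific event bus. The following added example (not AWS code) runs that check over a few constructed CloudTrail-style records: it counts KMS calls per bus, flags buses that are not on an approved list, and counts calls that carry no EventBridge context at all. In the KMS request itself the context key is spelled `aws:events:event-bus:arn`; the `kms:EncryptionContext:` prefix shown above is the condition-key form used in policies, and the code accepts both spellings. The exact CloudTrail field layout is an assumption.

```python
# Added example (not AWS code): attributing use of an archive's KMS key to
# event buses from CloudTrail. The records are constructed to resemble KMS
# entries in CloudTrail; the KMS request carries the context key as
# "aws:events:event-bus:arn" (the "kms:EncryptionContext:" prefix is the
# condition-key spelling used in policies), and both spellings are accepted.
import json
from collections import Counter

KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
ORDERS_BUS = "arn:aws:events:us-east-1:123456789012:event-bus/orders-bus"
STAGING_BUS = "arn:aws:events:us-east-1:123456789012:event-bus/staging-bus"
BUS_CONTEXT_KEYS = ("aws:events:event-bus:arn",
                    "kms:EncryptionContext:aws:events:event-bus:arn")


def _kms_record(event_name, context, invoked_by=None):
    """Build one constructed CloudTrail record (field layout is an assumption)."""
    if invoked_by:
        identity = {"type": "AWSService", "invokedBy": invoked_by}
    else:
        identity = {"type": "IAMUser", "userName": "alice"}
    return {
        "eventSource": "kms.amazonaws.com",
        "eventName": event_name,
        "userIdentity": identity,
        "requestParameters": {"keyId": KEY_ARN, "encryptionContext": context},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    }


# Constructed sample trail, one JSON record per line.
SAMPLE_TRAIL = [json.dumps(r) for r in (
    _kms_record("GenerateDataKey", {"aws:events:event-bus:arn": ORDERS_BUS}, "events.amazonaws.com"),
    _kms_record("GenerateDataKey", {"aws:events:event-bus:arn": ORDERS_BUS}, "events.amazonaws.com"),
    _kms_record("Decrypt", {"aws:events:event-bus:arn": ORDERS_BUS}, "events.amazonaws.com"),
    _kms_record("GenerateDataKey", {"aws:events:event-bus:arn": STAGING_BUS}, "events.amazonaws.com"),
    _kms_record("Decrypt", {}),  # direct use by a person: no EventBridge context
)]


def _uses_key(record, key_arn):
    arns = [r.get("ARN") for r in record.get("resources", [])]
    return key_arn in arns or record.get("requestParameters", {}).get("keyId") == key_arn


def bus_arn_from_record(record):
    """Event bus ARN from the encryption context, or None if there is none."""
    context = record.get("requestParameters", {}).get("encryptionContext") or {}
    for key in BUS_CONTEXT_KEYS:
        if key in context:
            return context[key]
    return None


def summarize_key_use(lines, key_arn):
    """Count (bus ARN or None, eventName) pairs for KMS calls on `key_arn`."""
    counts = Counter()
    for line in lines:
        record = json.loads(line)
        if record.get("eventSource") != "kms.amazonaws.com" or not _uses_key(record, key_arn):
            continue
        counts[(bus_arn_from_record(record), record["eventName"])] += 1
    return counts


def unexpected_buses(lines, key_arn, approved_buses):
    """Buses that used the key but are not on the approved list."""
    return {bus for (bus, _name), _count in summarize_key_use(lines, key_arn).items()
            if bus is not None and bus not in approved_buses}


def calls_without_context(lines, key_arn):
    """KMS calls on the key with no EventBridge encryption context. These are
    not archive or event bus operations, so review who made them."""
    return sum(count for (bus, _name), count in summarize_key_use(lines, key_arn).items()
               if bus is None)


if __name__ == "__main__":
    for (bus, name), count in sorted(summarize_key_use(SAMPLE_TRAIL, KEY_ARN).items(), key=str):
        print(f"{count:3d}  {name:<16} {bus or '(no EventBridge context)'}")
    print("unexpected buses:", unexpected_buses(SAMPLE_TRAIL, KEY_ARN, {ORDERS_BUS}))
    print("calls without context:", calls_without_context(SAMPLE_TRAIL, KEY_ARN))
```

Feed it the lines of a CloudTrail export for the key in question; a non-empty `unexpected_buses` result means EventBridge used the key on behalf of a bus the key policy should not have allowed, and a non-zero `calls_without_context` count means something other than EventBridge is using the archive key.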

## AWS KMS key policy for archives
<a name="encryption-archives-key-policy"></a>

The following example key policy grants EventBridge the permissions an event archive requires:
+ `kms:DescribeKey`
+ `kms:GenerateDataKey`
+ `kms:Decrypt`
+ `kms:ReEncrypt*` (covers `kms:ReEncryptFrom` and `kms:ReEncryptTo`)

As a security best practice, we recommend that you include condition keys in the key policy to help ensure that EventBridge uses the KMS key only for the specified resource or account. In the example below, the `kms:EncryptionContext:aws:events:event-bus:arn` condition restricts the data-key operations to requests made on behalf of one event bus. For more information, see [Security considerations](eb-encryption-key-policy.md#eb-encryption-event-bus-confused-deputy).

```
{
  "Id": "CMKKeyPolicy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": [
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": [
        "kms:GenerateDataKey",
        "kms:Decrypt",
        "kms:ReEncrypt*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:aws:events:event-bus:arn": "arn:aws:events:us-east-1:123456789012:event-bus/event-bus-arn"
        }
      }
    }
  ]
}
```
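To make the effect of the condition concrete, here is an added example (not AWS code) that evaluates a key policy of the shape shown above offline. It models only the features the policy uses (Allow statements, a service principal, action wildcards such as `kms:ReEncrypt*`, and a `StringEquals` condition on the encryption-context key), asks whether EventBridge could complete every call an archive needs for a given bus, and reports statements that grant the data-key actions without pinning the encryption context. The unscoped variant is constructed in the code by deleting the condition. Real AWS authorization also considers IAM policies, grants, Deny statements and other condition operators, which this model leaves out.

```python
# Added example (not AWS code): an offline check of a KMS key policy written
# for an EventBridge archive. It models only the policy features used above:
# Allow statements, a service principal, action wildcards, and a StringEquals
# condition on the encryption-context key. Real AWS authorization also takes
# IAM policies, grants, Deny statements and other operators into account.
import copy
import fnmatch

CONTEXT_KEY = "kms:EncryptionContext:aws:events:event-bus:arn"
EVENTS_PRINCIPAL = "events.amazonaws.com"
# Actions EventBridge uses on the data; kms:ReEncrypt* in the policy
# matches both kms:ReEncryptFrom and kms:ReEncryptTo.
DATA_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt",
                "kms:ReEncryptFrom", "kms:ReEncryptTo")
BUS_ARN = "arn:aws:events:us-east-1:123456789012:event-bus/event-bus-arn"

# Same structure as the key policy shown above (constructed copy).
SCOPED_POLICY = {
    "Id": "CMKKeyPolicy",
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": EVENTS_PRINCIPAL},
         "Action": ["kms:DescribeKey"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Principal": {"Service": EVENTS_PRINCIPAL},
         "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:ReEncrypt*"],
         "Resource": "*",
         "Condition": {"StringEquals": {CONTEXT_KEY: BUS_ARN}}},
    ],
}

# The weak variant: identical, but without the encryption-context condition,
# so EventBridge may use the key on behalf of any event bus.
UNSCOPED_POLICY = copy.deepcopy(SCOPED_POLICY)
del UNSCOPED_POLICY["Statement"][1]["Condition"]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, service):
    principal = statement.get("Principal", {})
    return principal == "*" or service in _as_list(principal.get("Service", []))


def _grants_action(statement, action):
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in _as_list(statement.get("Action", [])))


def _condition_matches(statement, context):
    condition = statement.get("Condition", {})
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    # Operators this model does not implement are treated as unsatisfied.
    return all(operator == "StringEquals" for operator in condition)


def is_allowed(policy, action, context, service=EVENTS_PRINCIPAL):
    """True if an Allow statement grants `service` the `action` for `context`."""
    return any(
        statement.get("Effect") == "Allow"
        and _principal_matches(statement, service)
        and _grants_action(statement, action)
        and _condition_matches(statement, context)
        for statement in policy["Statement"]
    )


def archive_can_use_key(policy, event_bus_arn):
    """Every call EventBridge makes for an archive of this bus is permitted."""
    context = {CONTEXT_KEY: event_bus_arn}
    return all(is_allowed(policy, action, context)
               for action in DATA_ACTIONS + ("kms:DescribeKey",))


def unscoped_statements(policy):
    """Indices of statements that grant EventBridge data-key actions without
    pinning the encryption context to an event bus ARN."""
    findings = []
    for index, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        if not _principal_matches(statement, EVENTS_PRINCIPAL):
            continue
        if not any(_grants_action(statement, action) for action in DATA_ACTIONS):
            continue
        if CONTEXT_KEY not in statement.get("Condition", {}).get("StringEquals", {}):
            findings.append(index)
    return findings


if __name__ == "__main__":
    other_bus = "arn:aws:events:us-east-1:123456789012:event-bus/other-bus"
    print("scoped policy, own bus:    ", archive_can_use_key(SCOPED_POLICY, BUS_ARN))
    print("scoped policy, other bus:  ", archive_can_use_key(SCOPED_POLICY, other_bus))
    print("unscoped policy, other bus:", archive_can_use_key(UNSCOPED_POLICY, other_bus))
    print("unscoped statements:       ", unscoped_statements(UNSCOPED_POLICY))
```

With the scoped policy, an archive of `event-bus-arn` can use the key and an archive of any other bus cannot; with the condition removed, `unscoped_statements` points at the statement to fix, and the other bus's archive would succeed. Point `unscoped_statements` at the output of `aws kms get-key-policy` to review existing keys.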

# Configuring encryption on archives
<a name="encryption-archive-configure"></a>

You can specify the KMS key for EventBridge to use when you create or update an archive.

## Specifying encryption when creating an archive
<a name="encryption-archive-create"></a>

Choosing the AWS KMS key used for encryption is an option when creating an archive. The default is to use the AWS owned key provided by EventBridge.

**To specify a customer managed key for encryption when creating an archive (console)**
+ Follow the instructions in [Creating archives](eb-archive-event.md).

**To specify a customer managed key for encryption when creating an archive (CLI)**
+ When calling [`create-archive`](https://docs.aws.amazon.com/cli/latest/reference/events/create-archive.html), use the `--kms-key-identifier` option to specify the customer managed key for EventBridge to use when encrypting events stored in the archive.

## Updating encryption on archives
<a name="encryption-archive-update"></a>

You can update the AWS KMS key being used for encryption at rest on an existing archive. This includes:
+ Changing from the default AWS owned key to a customer managed key.
+ Changing from a customer managed key to the default AWS owned key.
+ Changing from one customer managed key to another.

**To update the KMS key used for encrypting events in an archive (console)**

1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).

1. Navigate to the archive directly, or from the source event bus:
   + In the navigation pane, choose **Event buses**.

     On the events bus details page, choose the **Archives** tab.
   + In the navigation pane, choose **Archives**.

1. Choose the archive you want to update.

1. On the archive details page, choose the **Encryption** tab.

1. Choose the KMS key for EventBridge to use when encrypting the events stored in the archive.

   **Important**  
   If you have specified that EventBridge use a customer managed key for encrypting the source event bus, we strongly recommend that you also specify a customer managed key for any archives of that event bus.
   + Choose **Use AWS owned key** for EventBridge to encrypt the data using an AWS owned key.

     This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. 

     This is the default.
   + Choose **Use customer managed key** for EventBridge to encrypt the data using the customer managed key that you specify or create.

     Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys.

     1. Specify an existing customer managed key, or choose **Create a new KMS key**.

        EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key.

**To update the KMS key used for encrypting events stored in an archive (CLI)**
+ When calling [`update-archive`](https://docs.aws.amazon.com/cli/latest/reference/events/update-archive.html), use the `--kms-key-identifier` option to specify the customer managed key for EventBridge to use when encrypting events stored in the archive.
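The create and update steps above, and the recommendation that archives of a bus encrypted with a customer managed key also use a customer managed key, are shown together in the following added example (not AWS code). It builds the `create_archive` and `update_archive` calls with boto3, where `KmsKeyIdentifier` is the API form of the CLI's `--kms-key-identifier` option, validates that the identifier is one of the four forms KMS accepts, and contains an offline check that lists archives whose key differs from their bus's key. The `KmsKeyIdentifier` field names read from the `describe_event_bus` and `describe_archive` responses, and the ARNs in `main()`, are assumptions and placeholders.

```python
# Added example (not AWS code): creating or updating an archive with a customer
# managed key through boto3, plus an offline check that each archive of a bus
# uses the same key as the bus. KmsKeyIdentifier is the API form of the CLI's
# --kms-key-identifier option; the response field names read by
# key_mismatches() are an assumption about the describe_* response shapes.
import re

# Accepted forms of a KMS key identifier: key ID, key ARN, alias name, alias ARN.
_KEY_ID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
_ALIAS = r"alias/[A-Za-z0-9/_-]+"
_ARN_PREFIX = r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:"
KMS_KEY_IDENTIFIER = re.compile(
    rf"^(?:{_KEY_ID}|{_ALIAS}|{_ARN_PREFIX}key/{_KEY_ID}|{_ARN_PREFIX}{_ALIAS})$")
EVENT_BUS_ARN = re.compile(
    r"^arn:aws[a-z-]*:events:[a-z0-9-]+:\d{12}:event-bus/[A-Za-z0-9._-]+$")


def validate_kms_key_identifier(identifier):
    """Return the identifier if it is a key ID, key ARN, alias name or alias ARN."""
    if not KMS_KEY_IDENTIFIER.match(identifier):
        raise ValueError(f"not a KMS key ID, key ARN, alias name or alias ARN: {identifier!r}")
    return identifier


def create_archive_request(archive_name, event_bus_arn, kms_key_identifier=None, retention_days=0):
    """Parameters for events.create_archive; omit the key to use the AWS owned key."""
    if not EVENT_BUS_ARN.match(event_bus_arn):
        raise ValueError(f"not an event bus ARN: {event_bus_arn!r}")
    request = {"ArchiveName": archive_name, "EventSourceArn": event_bus_arn,
               "RetentionDays": retention_days}
    if kms_key_identifier:
        request["KmsKeyIdentifier"] = validate_kms_key_identifier(kms_key_identifier)
    return request


def update_archive_request(archive_name, kms_key_identifier):
    """Parameters for events.update_archive that move the archive to `kms_key_identifier`."""
    return {"ArchiveName": archive_name,
            "KmsKeyIdentifier": validate_kms_key_identifier(kms_key_identifier)}


def key_mismatches(bus_key_identifier, archives):
    """Names of archives whose key differs from the bus key. An archive without
    a KmsKeyIdentifier uses the AWS owned key. The comparison is by string, so
    pass identifiers in the same form (for example, both as key ARNs)."""
    return [archive["ArchiveName"] for archive in archives
            if archive.get("KmsKeyIdentifier") != bus_key_identifier]


def main():
    import boto3  # only needed for the live calls below

    events = boto3.client("events")
    bus_arn = "arn:aws:events:us-east-1:123456789012:event-bus/orders-bus"  # placeholder
    key_arn = ("arn:aws:kms:us-east-1:123456789012:key/"
               "11111111-2222-3333-4444-555555555555")  # placeholder
    # Create a new archive encrypted with the customer managed key (30-day retention).
    events.create_archive(**create_archive_request("orders-archive", bus_arn, key_arn, 30))
    # Move an existing archive from the AWS owned key to the customer managed key.
    events.update_archive(**update_archive_request("orders-archive-old", key_arn))
    # Compare the bus key with every archive of that bus (field names assumed).
    bus_key = events.describe_event_bus(Name=bus_arn).get("KmsKeyIdentifier")
    archives = [events.describe_archive(ArchiveName=a["ArchiveName"])
                for a in events.list_archives(EventSourceArn=bus_arn)["Archives"]]
    print("archives not using the bus key:", key_mismatches(bus_key, archives))


if __name__ == "__main__":
    main()
```

`key_mismatches` is the part worth running periodically: an archive created before the bus moved to a customer managed key, or updated back to the AWS owned key, shows up there.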