

AWS IoT FleetWise will no longer be open to new customers as of April 30, 2026. Existing AWS IoT FleetWise customers can continue using the service. The [Guidance for Connected Mobility on AWS](https://aws.amazon.com/solutions/guidance/connected-mobility-on-aws/) provides guidance on how to develop and deploy modular services for connected mobility solutions that can be used to achieve equivalent capabilities as AWS IoT FleetWise.

# Data encryption in AWS IoT FleetWise
<a name="data-encryption"></a>

Data encryption refers to protecting data while in transit (as it travels to and from AWS IoT FleetWise, and between gateways and servers), and at rest (while it's stored on local devices or in AWS services). You can protect data at rest using client-side encryption.

**Note**  
AWS IoT FleetWise edge processing exposes APIs that are hosted within AWS IoT FleetWise gateways and are accessible over the local network. These APIs are exposed over a TLS connection backed by a server-certificate owned by the AWS IoT FleetWise Edge connector. For client authentication, these APIs use an access-control password. The server-certificate private-key and the access-control password are both stored on disk. AWS IoT FleetWise edge processing relies on file-system encryption for the security of these credentials at rest.

For more information about server-side encryption and client-side encryption, review the following topics.

**Topics**
+ [Encryption at rest in AWS IoT FleetWise](encryption-at-rest.md)
+ [Key management in AWS IoT FleetWise](key-management.md)

# Encryption at rest in AWS IoT FleetWise
<a name="encryption-at-rest"></a>

AWS IoT FleetWise stores your data in the AWS Cloud and on gateways.

## Data at rest in the AWS Cloud
<a name="cloud-encryption-at-rest"></a>

AWS IoT FleetWise stores data in other AWS services that encrypt data at rest by default. Encryption at rest integrates with [AWS Key Management Service (AWS KMS)](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) for managing the encryption key that is used to encrypt your asset property values and aggregate values in AWS IoT FleetWise. You can choose to use a customer managed key to encrypt asset property values and aggregate values in AWS IoT FleetWise. You can create, manage, and view your encryption key through AWS KMS.

You can choose an AWS owned key or a customer managed key to encrypt your data.

### How it works
<a name="how-it-works"></a>

Encryption at rest integrates with AWS KMS for managing the encryption key that is used to encrypt your data.
+ AWS owned key – Default encryption key. AWS IoT FleetWise owns this key. You can't view, manage, or use this key in your AWS account. You also can't see operations on the key in AWS CloudTrail logs. You can use this key at no additional charge.
+ Customer managed key – The key is stored in your account, which you create, own, and manage. You have full control over the KMS key. Additional AWS KMS charges apply.

### AWS owned keys
<a name="aws-owned-cmk"></a>

AWS owned keys aren't stored in your account. They're part of a collection of KMS keys that AWS owns and manages for use in multiple AWS accounts. AWS services can use AWS owned keys to protect your data. 

You can't view, manage, or use AWS owned keys, or audit their use. However, you don't need to take any action or change any programs to protect keys that encrypt your data.

You won’t be charged a fee if you use AWS owned keys, and they don’t count against AWS KMS quotas for your account.

### Customer managed keys
<a name="customer-managed-cmk"></a>

Customer managed keys are KMS keys in your account that you create, own, and manage. You have full control over these KMS keys, such as the following:
+ Establishing and maintaining their key policies, IAM policies, and grants
+ Enabling and disabling them
+ Rotating their cryptographic material
+ Adding tags
+ Creating aliases that refer to them 
+ Scheduling them for deletion

You can also use CloudTrail and Amazon CloudWatch Logs to track the requests that AWS IoT FleetWise sends to AWS KMS on your behalf. 

If you're using customer managed keys, you must grant AWS IoT FleetWise access to the KMS key stored in your account. AWS IoT FleetWise uses envelope encryption and a key hierarchy to encrypt data. Your AWS KMS encryption key is used to encrypt the root key of this key hierarchy. For more information, see [Envelope encryption](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping) in the *AWS Key Management Service Developer Guide*.

The following example policy grants AWS IoT FleetWise permissions to use your AWS KMS key.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "Service": "iotfleetwise.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

------

**Important**  
When you add the new sections to your KMS key policy, don't change any existing sections in the policy. AWS IoT FleetWise can't perform operations on your data if encryption is enabled for AWS IoT FleetWise and any of the following is true:  
+ The KMS key is disabled or deleted.
+ The KMS key policy isn't correctly configured for the service.

### Using vision system data with encryption at rest
<a name="vision-system-encryption"></a>

**Note**  
Vision system data is in preview release and is subject to change.

If you have customer managed encryption with AWS KMS keys enabled on your AWS IoT FleetWise account, and you want to use vision system data, reset your encryption settings to be compatible with complex data types. This enables AWS IoT FleetWise to establish additional permissions needed for vision system data.

**Note**  
Your decoder manifest could be stuck in a validating status if you haven't reset your encryption settings for vision system data.

1. Use the [GetEncryptionConfiguration](https://docs.aws.amazon.com/iot-fleetwise/latest/APIReference/API_GetEncryptionConfiguration.html) API operation to check if AWS KMS encryption is enabled. No further action is needed if the encryption type is `FLEETWISE_DEFAULT_ENCRYPTION`.

1. If the encryption type is `KMS_BASED_ENCRYPTION`, use the [PutEncryptionConfiguration](https://docs.aws.amazon.com/iot-fleetwise/latest/APIReference/API_PutEncryptionConfiguration.html) API operation to reset the encryption type to `FLEETWISE_DEFAULT_ENCRYPTION`. 

   ```
   aws iotfleetwise put-encryption-configuration \
         --encryption-type FLEETWISE_DEFAULT_ENCRYPTION
   ```

1. Use the [PutEncryptionConfiguration](https://docs.aws.amazon.com/iot-fleetwise/latest/APIReference/API_PutEncryptionConfiguration.html) API operation to re-enable the encryption type to `KMS_BASED_ENCRYPTION`. 

   ```
   aws iotfleetwise put-encryption-configuration \
           --encryption-type KMS_BASED_ENCRYPTION \
           --kms-key-id kms_key_id
   ```

For more information about enabling encryption, see [Key management in AWS IoT FleetWise](key-management.md).

# Key management in AWS IoT FleetWise
<a name="key-management"></a>

**Important**  
Access to certain AWS IoT FleetWise features is currently gated. For more information, see [AWS Region and feature availability in AWS IoT FleetWise](fleetwise-regions.md).

## AWS IoT FleetWise cloud key management
<a name="key-cloud"></a>

By default, AWS IoT FleetWise uses AWS managed keys to protect your data in the AWS Cloud. You can update your settings to use a customer managed key to encrypt data in AWS IoT FleetWise. You can create, manage, and view your encryption key through AWS Key Management Service (AWS KMS).

AWS IoT FleetWise supports server-side encryption with customer managed keys stored in AWS KMS to encrypt data for the resources listed on the [AWS documentation website](http://docs.aws.amazon.com/iot-fleetwise/latest/developerguide/key-management.html).


**Note**  
Other data and resources are encrypted using the default encryption with keys managed by AWS IoT FleetWise. This key is created and stored in the AWS IoT FleetWise account.

For more information, see [What is AWS Key Management Service?](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) in the *AWS Key Management Service Developer Guide*. 

## Enable encryption using KMS keys (console)
<a name="CMK-setup"></a>

To use customer managed keys with AWS IoT FleetWise, you must update your AWS IoT FleetWise settings.

**To enable encryption using KMS keys (console)**

1. Open the [AWS IoT FleetWise console](https://console.aws.amazon.com/iotfleetwise/).

1. Navigate to **Settings**.

1. In **Encryption**, choose **Edit** to open the **Edit encryption** page. 

1. For **Encryption key type**, choose **Choose a different AWS KMS key**. This enables encryption with customer managed keys stored in AWS KMS.
**Note**  
You can only use customer managed key encryption for AWS IoT FleetWise resources. This includes the signal catalog, vehicle model (model manifest), decoder manifest, vehicle, fleet, and campaign.

1. Choose your KMS key with one of the following options:
   + **To use an existing KMS key** – Choose your KMS key alias from the list. 
   + **To create a new KMS key** – Choose **Create an AWS KMS key**.
**Note**  
This opens the AWS KMS console. For more information about creating a KMS key, see [Creating keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html) in the *AWS Key Management Service Developer Guide*.

1. Choose **Save** to update your settings.

## Enable encryption using KMS keys (AWS CLI)
<a name="encryption-cli"></a>

You can use the [PutEncryptionConfiguration](https://docs.aws.amazon.com/iot-fleetwise/latest/APIReference/API_PutEncryptionConfiguration.html) API operation to enable encryption for your AWS IoT FleetWise account. The following example uses the AWS CLI.

To enable encryption, run the following command.
+ Replace *kms\_key\_id* with the ID of the KMS key.

```
aws iotfleetwise put-encryption-configuration \
      --encryption-type KMS_BASED_ENCRYPTION \
      --kms-key-id kms_key_id
```

**Example response**  

```
{
 "kmsKeyId": "customer_kms_key_id",
 "encryptionStatus": "PENDING",
 "encryptionType": "KMS_BASED_ENCRYPTION"
}
```

## KMS key policy
<a name="CMK-policy"></a>

After you create a KMS key, you must, at minimum, add the following statement to your KMS key policy for it to work with AWS IoT FleetWise. The AWS IoT FleetWise service principal `iotfleetwise.amazonaws.com` in the KMS key policy statement allows AWS IoT FleetWise to access the KMS key.

```
{
  "Sid": "Allow FleetWise to encrypt and decrypt data when customer managed KMS key based encryption is enabled",
  "Effect": "Allow",
  "Principal": {
    "Service": "iotfleetwise.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:RetireGrant",
    "kms:RevokeGrant"
  ],
  "Resource": "*"
}
```

As a security best practice, add `aws:SourceArn` and `aws:SourceAccount` condition keys to the KMS key policy. The IAM global condition key `aws:SourceArn` helps ensure that AWS IoT FleetWise uses the KMS key only for service-specific resource Amazon Resource Names (ARNs).

If you set the value of `aws:SourceArn`, it must always be `arn:aws:iotfleetwise:us-east-1:account_id:*`. This allows the KMS key to access all AWS IoT FleetWise resources for this AWS account. AWS IoT FleetWise supports one KMS key per account for all resources in that AWS Region. Using any other value for the `SourceArn`, or not using the wildcard (`*`) for the ARN resource field, prevents AWS IoT FleetWise from accessing the KMS key.

The value of `aws:SourceAccount` is your account ID, which is used to further restrict the KMS key so that it can only be used for your specific account. If you add `aws:SourceAccount` and `aws:SourceArn` condition keys to the KMS key, make sure the key is not used by any other service or account. This helps avoid failures.

The following policy includes a service principal (an identifier for a service), as well as `aws:SourceAccount` and `aws:SourceArn` set up for use based on the AWS Region and your account ID.

```
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": {
    "Service": "iotfleetwise.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "aws:SourceAccount": "AWS-account-ID"
    },
    "ArnLike": {
      "aws:SourceArn": "arn:aws:iotfleetwise:region:AWS-account-ID:*"
    }
  }
}
```

For more information about editing a KMS key policy for use with AWS IoT FleetWise, see [Changing a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the *AWS Key Management Service Developer Guide*.

**Important**  
When you add the new sections to your KMS key policy, don't change any existing sections in the policy. AWS IoT FleetWise can't perform operations on your data if encryption is enabled for AWS IoT FleetWise and any of the following is true:  
+ The KMS key is disabled or deleted.
+ The KMS key policy isn't correctly configured for the service.
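The following script is an added example, not code from the AWS documentation or from the service. It builds the conditioned statement shown in this section for a given Region and account ID, merges it into an existing key policy without altering any statement already there (the rule the note above insists on), and then checks the merged policy for the misconfigurations this page says block AWS IoT FleetWise: a missing action, an `aws:SourceArn` without the trailing `:*` wildcard, or an `aws:SourceAccount` that isn't this account. The sample key policy and the account ID `111122223333` are constructed for the example.

```python
"""Merge the AWS IoT FleetWise statement into a KMS key policy and check it.

Added example (not AWS documentation code). The account ID and the sample
key policy below are constructed; the statement shape is the one this page shows.
"""
import json
import re

FLEETWISE_PRINCIPAL = "iotfleetwise.amazonaws.com"
FLEETWISE_SID = "Allow use of the key"
FLEETWISE_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]

# Constructed sample: the default key policy AWS KMS creates, with a made-up
# account ID. Anything already in the policy must survive the merge untouched.
SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
})


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def fleetwise_statement(region: str, account_id: str) -> dict:
    """Build the page's conditioned statement for this Region and account."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    return {
        "Sid": FLEETWISE_SID,
        "Effect": "Allow",
        "Principal": {"Service": FLEETWISE_PRINCIPAL},
        "Action": list(FLEETWISE_ACTIONS),
        "Resource": "*",
        "Condition": {
            "StringLike": {"aws:SourceAccount": account_id},
            # The wildcard resource field is required: FleetWise uses one key
            # per account and Region, so the ARN is not narrowed any further.
            "ArnLike": {"aws:SourceArn": f"arn:aws:iotfleetwise:{region}:{account_id}:*"},
        },
    }


def merge_statement(policy_json: str, statement: dict) -> str:
    """Append `statement`, replacing only a statement that carries the same Sid."""
    policy = json.loads(policy_json)
    existing = policy.get("Statement", [])
    if isinstance(existing, dict):          # a lone statement may be an object
        existing = [existing]
    kept = [s for s in existing if s.get("Sid") != statement["Sid"]]
    policy["Statement"] = kept + [statement]
    return json.dumps(policy, indent=2)


def check_fleetwise_access(policy_json: str, region: str, account_id: str) -> list:
    """Return readable problems; an empty list means FleetWise can use the key."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    grants = [
        s for s in statements
        if s.get("Effect") == "Allow"
        and isinstance(s.get("Principal"), dict)
        and FLEETWISE_PRINCIPAL in _as_list(s["Principal"].get("Service"))
    ]
    if not grants:
        return [f"no Allow statement for {FLEETWISE_PRINCIPAL}"]
    problems = []
    stmt = grants[0]
    actions = _as_list(stmt.get("Action"))
    if "kms:*" not in actions:              # exact match; glob overlap is out of scope
        problems += [f"missing action {a}" for a in FLEETWISE_ACTIONS if a not in actions]
    cond = stmt.get("Condition", {})
    arn = cond.get("ArnLike", {}).get("aws:SourceArn")
    prefix = f"arn:aws:iotfleetwise:{region}:{account_id}:"
    if arn is not None and not arn.startswith(prefix):
        problems.append(f"aws:SourceArn must start with {prefix}")
    elif arn is not None and not arn.endswith(":*"):
        problems.append("aws:SourceArn must end in ':*' (wildcard resource field)")
    acct = (cond.get("StringLike", {}).get("aws:SourceAccount")
            or cond.get("StringEquals", {}).get("aws:SourceAccount"))
    if acct is not None and acct != account_id:
        problems.append(f"aws:SourceAccount is {acct}, expected {account_id}")
    return problems


if __name__ == "__main__":
    merged = merge_statement(SAMPLE_KEY_POLICY, fleetwise_statement("us-east-1", "111122223333"))
    print(merged)
    print("problems:", check_fleetwise_access(merged, "us-east-1", "111122223333"))
```

The merge keys on `Sid` only, so re-running it is idempotent and the `Enable IAM User Permissions` statement (or whatever else the key policy already holds) is never rewritten. The check deliberately looks only at the FleetWise grant; it does not try to evaluate policy semantics beyond the conditions this page describes.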

## Permissions for AWS KMS encryption
<a name="encryption-permissions"></a>

If you enabled AWS KMS encryption, you must specify permissions in the role policy so that you can call AWS IoT FleetWise APIs. The following policy allows access to all AWS IoT FleetWise actions, as well as AWS KMS specific permissions.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iotfleetwise:*",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

------

The following policy statement is required for your role to invoke encryption APIs. This policy statement allows `PutEncryptionConfiguration` and `GetEncryptionConfiguration` actions from AWS IoT FleetWise.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iotfleetwise:GetEncryptionConfiguration", 
        "iotfleetwise:PutEncryptionConfiguration",
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

------

## Recovery after AWS KMS key deletion
<a name="encryption-recovery"></a>

If you delete an AWS KMS key after enabling encryption with AWS IoT FleetWise, you must reset your account by deleting all data before using AWS IoT FleetWise again. You can use the list and delete API operations to clean up resources in your account. 

**To clean up resources in your account**

1. Use list APIs with the `listResponseScope` parameter set to `METADATA_ONLY`. This provides a list of resources, including resource names and other metadata such as ARNs and timestamps.

1. Use delete APIs to remove individual resources.

You must clean up resources in the following order.

1. Campaigns

   1. List all campaigns with the `listResponseScope` parameter set to `METADATA_ONLY`.

   1. Delete the campaigns.

1. Fleets and vehicles

   1. List all fleets with the `listResponseScope` parameter set to `METADATA_ONLY`.

   1. List all vehicles for each fleet with the `listResponseScope` parameter set to `METADATA_ONLY`.

   1. Disassociate all vehicles from each fleet.

   1. Delete the fleets.

   1. Delete the vehicles.

1. Decoder manifests

   1. List all decoder manifests with the `listResponseScope` parameter set to `METADATA_ONLY`.

   1. Delete all decoder manifests.

1. Vehicle models (model manifests)

   1. List all vehicle models with the `listResponseScope` parameter set to `METADATA_ONLY`.

   1. Delete all vehicle models.

1. State templates

   1. List all state templates with the `listResponseScope` parameter set to `METADATA_ONLY`.

   1. Delete all state templates.

1. Signal catalogs

   1. List all signal catalogs.

   1. Delete all signal catalogs.
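The following script is an added example, not code from the AWS documentation or from the service. It runs the cleanup above in the stated order through whatever client object it is given: a boto3 `iotfleetwise` client in a real account, or the constructed `FakeFleetWise` class below for an offline dry run, whose delete methods fail if a step is attempted out of order. Operation names follow the API operations named on this page; the response field names it reads (`campaignSummaries`, `fleetSummaries`, `vehicles`, `summaries`, `nextToken`) and the parameter names of the delete calls are assumptions to confirm against the API reference before using it against a real account.

```python
"""Reset an AWS IoT FleetWise account in the dependency order the page gives.

Added example (not AWS documentation code). The client is injected so the
same logic runs against boto3 or the constructed FakeFleetWise below.
ASSUMED: response field names and delete parameter names; verify them
against the API reference before a real run.
"""
SCOPE = {"listResponseScope": "METADATA_ONLY"}   # list metadata only, as the page says


def _paged(call, key, **kwargs):
    """Follow nextToken pagination and yield every item under `key`."""
    token = None
    while True:
        resp = call(**kwargs, **({"nextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("nextToken")
        if not token:
            return


def _delete(log, label, method, **kwargs):
    """Call a delete operation and record it for the audit log."""
    method(**kwargs)
    log.append(label)


def reset_account(fw) -> list:
    """Delete everything in the required order; return the log of deletes."""
    log = []
    # 1. Campaigns
    for c in _paged(fw.list_campaigns, "campaignSummaries", **SCOPE):
        _delete(log, f"campaign:{c['name']}", fw.delete_campaign, name=c["name"])
    # 2. Fleets and vehicles: disassociate every vehicle, then fleets, then vehicles
    fleet_ids = [f["id"] for f in _paged(fw.list_fleets, "fleetSummaries", **SCOPE)]
    vehicles = set()
    for fid in fleet_ids:
        for v in _paged(fw.list_vehicles_in_fleet, "vehicles", fleetId=fid, **SCOPE):
            fw.disassociate_vehicle_fleet(vehicleName=v, fleetId=fid)
            vehicles.add(v)
    for fid in fleet_ids:
        _delete(log, f"fleet:{fid}", fw.delete_fleet, fleetId=fid)
    for v in sorted(vehicles):
        _delete(log, f"vehicle:{v}", fw.delete_vehicle, vehicleName=v)
    # 3. Decoder manifests, 4. vehicle models, 5. state templates
    for d in _paged(fw.list_decoder_manifests, "summaries", **SCOPE):
        _delete(log, f"decoder-manifest:{d['name']}", fw.delete_decoder_manifest, name=d["name"])
    for m in _paged(fw.list_model_manifests, "summaries", **SCOPE):
        _delete(log, f"model-manifest:{m['name']}", fw.delete_model_manifest, name=m["name"])
    for t in _paged(fw.list_state_templates, "summaries", **SCOPE):
        _delete(log, f"state-template:{t['name']}", fw.delete_state_template, identifier=t["name"])
    # 6. Signal catalogs last; the page lists them without listResponseScope
    for s in _paged(fw.list_signal_catalogs, "summaries"):
        _delete(log, f"signal-catalog:{s['name']}", fw.delete_signal_catalog, name=s["name"])
    return log


class FakeFleetWise:
    """Constructed offline stand-in whose deletes fail when the order is wrong."""
    def __init__(self):
        self.campaigns = {"c1"}
        self.fleets = {"f1": {"v1", "v2"}}       # fleet id -> associated vehicles
        self.vehicles = {"v1", "v2"}
        self.decoders, self.models, self.templates, self.catalogs = {"d1"}, {"m1"}, {"t1"}, {"sc1"}

    @staticmethod
    def _summ(names, field="name"):
        return [{field: n} for n in sorted(names)]

    def list_campaigns(self, **kw): return {"campaignSummaries": self._summ(self.campaigns)}
    def delete_campaign(self, name): self.campaigns.remove(name)
    def list_fleets(self, **kw): return {"fleetSummaries": self._summ(self.fleets, "id")}
    def list_vehicles_in_fleet(self, fleetId, **kw): return {"vehicles": sorted(self.fleets[fleetId])}
    def disassociate_vehicle_fleet(self, vehicleName, fleetId): self.fleets[fleetId].remove(vehicleName)
    def delete_fleet(self, fleetId):
        if self.fleets[fleetId]:
            raise RuntimeError("fleet still has vehicles associated")
        del self.fleets[fleetId]
    def delete_vehicle(self, vehicleName): self.vehicles.remove(vehicleName)
    def list_decoder_manifests(self, **kw): return {"summaries": self._summ(self.decoders)}
    def delete_decoder_manifest(self, name):
        if self.vehicles:
            raise RuntimeError("vehicles still reference a decoder manifest")
        self.decoders.remove(name)
    def list_model_manifests(self, **kw): return {"summaries": self._summ(self.models)}
    def delete_model_manifest(self, name):
        if self.decoders:
            raise RuntimeError("decoder manifests still reference a model manifest")
        self.models.remove(name)
    def list_state_templates(self, **kw): return {"summaries": self._summ(self.templates)}
    def delete_state_template(self, identifier): self.templates.remove(identifier)
    def list_signal_catalogs(self, **kw): return {"summaries": self._summ(self.catalogs)}
    def delete_signal_catalog(self, name):
        if self.decoders or self.models or self.templates:
            raise RuntimeError("manifests or state templates still reference the catalog")
        self.catalogs.remove(name)

    def is_empty(self):
        return not (self.campaigns or self.fleets or self.vehicles or self.decoders
                    or self.models or self.templates or self.catalogs)


if __name__ == "__main__":
    fake = FakeFleetWise()
    print("\n".join(reset_account(fake)), "\nempty:", fake.is_empty())
```

Keeping the audit log of every delete is worth doing on a real account too: once the KMS key is gone the resources can't be read back, so the log is the only record of what was removed. Run the fake first, then swap in a boto3 client once the field names have been confirmed.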