Encryption at rest: How it works in Amazon QLDB
QLDB encryption at rest encrypts your data using 256-bit Advanced Encryption Standard (AES-256). This helps secure your data from unauthorized access to the underlying storage. All data stored in QLDB ledgers is encrypted at rest by default. Server-side encryption is transparent, which means that changes to applications aren't required.
Encryption at rest integrates with AWS Key Management Service (AWS KMS) for managing the encryption key that is used to protect your QLDB ledgers. When creating a new ledger or updating an existing ledger, you can choose one of the following types of AWS KMS keys:
- AWS owned key – The default encryption type. The key is owned by QLDB (no additional charge).
- Customer managed key – The key is stored in your AWS account and is created, owned, and managed by you. You have full control over the key (AWS KMS charges apply).
AWS owned key
AWS owned keys aren't stored in your AWS account. They're part of a collection of KMS keys that AWS owns and manages for use in multiple AWS accounts. AWS services can use AWS owned keys to protect your data.
You don't need to create or manage AWS owned keys. However, you can't view or track AWS owned keys, or audit their use. You aren't charged a monthly fee or a usage fee for AWS owned keys, and they don't count against the AWS KMS quotas for your account.
For more information, see AWS owned keys in the AWS Key Management Service Developer Guide.
Customer managed key
Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys. QLDB supports symmetric encryption KMS keys only.
Use a customer managed key to get the following features:
- Setting and maintaining key policies, IAM policies, and grants to control access to the key
- Enabling and disabling the key
- Rotating cryptographic material for the key
- Creating key tags and aliases
- Scheduling the key for deletion
- Importing your own key material or using a custom key store that you own and manage
- Using AWS CloudTrail and Amazon CloudWatch Logs to track the requests that QLDB sends to AWS KMS on your behalf
For more information, see Customer managed keys in the AWS Key Management Service Developer Guide.
Customer managed keys incur a charge.
When you specify a customer managed key as the KMS key for a ledger, all ledger data in both journal storage and indexed storage is protected with the same customer managed key.
Inaccessible customer managed keys
If you disable your customer managed key, schedule the key for deletion, or revoke the grants on the key, the encryption status of your ledger becomes KMS_KEY_INACCESSIBLE. In this state the ledger is impaired and rejects all read and write requests: neither your users nor the QLDB service can encrypt or decrypt ledger data, so no operation on the ledger can proceed. QLDB must retain access to your KMS key for you to keep using the ledger and to avoid data loss.
Important
An impaired ledger automatically returns to an active state after you restore the grants on the key, or after you reenable the key that was disabled.
However, deleting a customer managed key is irreversible. After the key is deleted, you can no longer access any ledger protected with that key, and its data is permanently unrecoverable.
To check the encryption status of a ledger, use the AWS Management Console or the DescribeLedger API operation.
How Amazon QLDB uses grants in AWS KMS
QLDB requires grants to use your customer managed key. When you create a ledger that is protected with a customer managed key, QLDB creates grants on your behalf by sending CreateGrant requests to AWS KMS. Grants in AWS KMS are used to give QLDB access to a KMS key in a customer AWS account. For more information, see Using Grants in the AWS Key Management Service Developer Guide.
QLDB requires the grants to use your customer managed key for the following AWS KMS operations:
- DescribeKey – Verify that the specified symmetric encryption KMS key is valid.
- GenerateDataKey – Generate a unique symmetric data key that QLDB uses to encrypt data at rest in your ledger.
- Decrypt – Decrypt the data key that was encrypted by your customer managed key.
- Encrypt – Encrypt plaintext into ciphertext using your customer managed key.
You can revoke a grant to remove the service's access to the customer managed key at any time. If you do, the key becomes inaccessible, and QLDB loses access to any of the ledger data protected by the customer managed key. In this state, the ledger is impaired and doesn't accept any read or write requests until you restore the grants on the key.
Restoring grants in AWS KMS
To restore grants on a customer managed key and recover access to a ledger in QLDB, you can update the ledger and specify the same KMS key. For instructions, see Updating the AWS KMS key of an existing ledger.
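The following is an added example, not code from the AWS documentation or from any AWS SDK sample. It ties together three things described above: reading the ledger's encryption status from DescribeLedger, checking whether the grants on the customer managed key still cover the four operations QLDB needs (DescribeKey, GenerateDataKey, Decrypt, Encrypt), and restoring access by re-specifying the same key through UpdateLedger. The ledger name, key ARN, and the two sample API responses are constructed for illustration; the filter on a grantee principal containing "qldb" is an assumption about how the service's grants appear in ListGrants, not something the page states. The boto3 calls are real SDK operations but run only when you call diagnose_and_restore() with live credentials.

```python
"""Diagnose a KMS_KEY_INACCESSIBLE QLDB ledger and restore its grants.

Added example (not AWS code). Pure helpers work offline on API-shaped dicts;
diagnose_and_restore() performs the live calls and needs boto3 + credentials.
"""

# The four KMS operations QLDB's grants must cover (listed on the page).
REQUIRED_GRANT_OPERATIONS = frozenset(
    {"DescribeKey", "GenerateDataKey", "Decrypt", "Encrypt"}
)

# Constructed sample responses (shape follows DescribeLedger / ListGrants).
SAMPLE_DESCRIBE_LEDGER = {
    "Name": "vehicle-registration",  # hypothetical ledger name
    "State": "ACTIVE",
    "EncryptionDescription": {
        "KmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/"
                     "1234abcd-12ab-34cd-56ef-1234567890ab",  # placeholder ARN
        "EncryptionStatus": "KMS_KEY_INACCESSIBLE",
    },
}
SAMPLE_LIST_GRANTS = {
    "Grants": [
        {   # assumption: the service grant's principal mentions "qldb"
            "GranteePrincipal": "qldb.us-east-1.amazonaws.com",
            "Operations": ["DescribeKey", "GenerateDataKey"],  # Decrypt/Encrypt revoked
        }
    ]
}


def encryption_status(describe_ledger_response):
    """Return (EncryptionStatus, KmsKeyArn) from a DescribeLedger response.

    EncryptionStatus is ENABLED, UPDATING, or KMS_KEY_INACCESSIBLE.
    KmsKeyArn is absent for a ledger using the AWS owned key.
    """
    desc = describe_ledger_response.get("EncryptionDescription", {})
    return desc.get("EncryptionStatus"), desc.get("KmsKeyArn")


def missing_grant_operations(list_grants_response, grantee_substring="qldb"):
    """Return the required operations that no QLDB grant on the key covers.

    Grants whose GranteePrincipal does not contain grantee_substring are
    ignored (assumption: QLDB's service grants are recognisable that way).
    An empty Grants list, e.g. after RevokeGrant, yields all four operations.
    """
    covered = set()
    for grant in list_grants_response.get("Grants", []):
        if grantee_substring in grant.get("GranteePrincipal", "").lower():
            covered.update(grant.get("Operations", []))
    return set(REQUIRED_GRANT_OPERATIONS) - covered


def remediation(status, missing_ops):
    """Map (status, missing operations) to the action an operator should take."""
    if status == "ENABLED":
        return "ok"
    if status == "UPDATING":
        return "wait"                 # a key change is still being applied
    if status == "KMS_KEY_INACCESSIBLE":
        if missing_ops:
            return "restore-grants"   # UpdateLedger with the same key re-creates them
        return "check-key-state"      # grants intact: key disabled or pending deletion
    return "unknown"


def diagnose_and_restore(ledger_name, region_name=None, dry_run=True):
    """Live check; returns (status, key_arn, missing_ops, action).

    Caveat: if the key was already deleted, kms.list_grants raises
    NotFoundException and nothing here can recover the ledger.
    """
    import boto3  # imported lazily so the helpers above run without boto3
    qldb = boto3.client("qldb", region_name=region_name)
    kms = boto3.client("kms", region_name=region_name)
    status, key_arn = encryption_status(qldb.describe_ledger(Name=ledger_name))
    missing = set()
    if key_arn:  # AWS owned keys have no grants to inspect
        missing = missing_grant_operations(kms.list_grants(KeyId=key_arn))
    action = remediation(status, missing)
    if action == "restore-grants" and not dry_run:
        # Re-specifying the same key makes QLDB send fresh CreateGrant requests.
        qldb.update_ledger(Name=ledger_name, KmsKey=key_arn)
    return status, key_arn, sorted(missing), action


if __name__ == "__main__":
    st, _ = encryption_status(SAMPLE_DESCRIBE_LEDGER)
    miss = missing_grant_operations(SAMPLE_LIST_GRANTS)
    print(st, sorted(miss), remediation(st, miss))
```

Run with dry_run=True first: the returned action tells you whether the fix is an UpdateLedger call (grants missing) or re-enabling / cancelling deletion of the key itself (grants intact). A KMS_KEY_INACCESSIBLE status with all four operations still granted means the key, not the grants, is the problem.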
Encryption at rest considerations
Consider the following when you're using encryption at rest in QLDB:
- Server-side encryption at rest is enabled by default on all QLDB ledger data and can't be disabled. You can't encrypt only a subset of data in a ledger.
- Encryption at rest only protects data while it is static (at rest) on persistent storage media. If you also need to protect data in transit or data in use, take the following additional measures:
  - Data in transit: All your data in QLDB is encrypted in transit. By default, communications to and from QLDB use HTTPS, which protects network traffic with Transport Layer Security (TLS), the protocol historically called Secure Sockets Layer (SSL).
  - Data in use: Protect sensitive values before sending them to QLDB by using client-side encryption, so that the plaintext never reaches the service.
- To learn how to implement customer managed keys for ledgers, proceed to Using customer managed keys in Amazon QLDB.
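The following is an added example of the client-side encryption mentioned under "Data in use"; it is not code from the AWS documentation. It applies the same envelope pattern the page describes for QLDB itself (a per-item data key from GenerateDataKey, wrapped by the KMS key, and a Decrypt call to unwrap it) on the client, so that a field such as an owner's SSN is stored in the ledger only as ciphertext. Assumptions: the Python `cryptography` package is installed; LocalKeyWrapper is a constructed stand-in that holds the key-encryption key in memory so the example runs offline, while KmsKeyWrapper shows the equivalent boto3 calls and is not exercised here; the document layout (a VIN field used as associated data, and the OwnerSSN field) is invented for illustration.

```python
"""Client-side envelope encryption of a QLDB document field (added example).

The ledger stores only {nonce, ciphertext, encrypted data key}; the data key
is unwrapped through the KMS key on read. If that key is disabled, scheduled
for deletion, or its grants are revoked, unwrapping fails and the field is
unreadable, the same failure mode the page describes for the ledger itself.
"""
import base64
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12          # 96-bit nonce, the recommended size for AES-GCM
DEK_AAD = b"qldb-field-dek"  # binds wrapped keys to this use


class LocalKeyWrapper:
    """Constructed stand-in for a KMS key: wraps/unwraps data keys with a
    key-encryption key that never leaves this object. `enabled` models the
    key being disabled or its grants revoked."""

    def __init__(self):
        self._kek = AESGCM.generate_key(bit_length=256)
        self.enabled = True

    def generate_data_key(self):
        if not self.enabled:
            raise PermissionError("KMS key disabled or grant revoked")
        dek = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(NONCE_LEN)
        wrapped = nonce + AESGCM(self._kek).encrypt(nonce, dek, DEK_AAD)
        return dek, wrapped

    def decrypt_data_key(self, wrapped):
        if not self.enabled:
            raise PermissionError("KMS key disabled or grant revoked")
        nonce, ct = wrapped[:NONCE_LEN], wrapped[NONCE_LEN:]
        return AESGCM(self._kek).decrypt(nonce, ct, DEK_AAD)


class KmsKeyWrapper:
    """Same interface backed by AWS KMS (needs boto3 and credentials; not run
    here). These are the GenerateDataKey/Decrypt calls QLDB itself makes
    server-side under its grants."""

    def __init__(self, key_id, region_name=None):
        import boto3  # lazy import keeps the offline example importable
        self._kms = boto3.client("kms", region_name=region_name)
        self._key_id = key_id

    def generate_data_key(self):
        r = self._kms.generate_data_key(KeyId=self._key_id, KeySpec="AES_256")
        return r["Plaintext"], r["CiphertextBlob"]

    def decrypt_data_key(self, wrapped):
        return self._kms.decrypt(KeyId=self._key_id, CiphertextBlob=wrapped)["Plaintext"]


def _b64(b):
    return base64.b64encode(b).decode("ascii")


def _unb64(s):
    return base64.b64decode(s)


def encrypt_field(keyring, plaintext, aad):
    """Encrypt one string with a fresh data key; aad ties it to its document."""
    dek, wrapped = keyring.generate_data_key()
    nonce = os.urandom(NONCE_LEN)
    ct = AESGCM(dek).encrypt(nonce, plaintext.encode("utf-8"), aad)
    return {"alg": "AES-256-GCM", "nonce": _b64(nonce), "ct": _b64(ct), "edk": _b64(wrapped)}


def decrypt_field(keyring, blob, aad):
    """Unwrap the data key through the keyring, then decrypt. Raises
    PermissionError if the key is unavailable and InvalidTag if the
    ciphertext was moved to another document or modified."""
    dek = keyring.decrypt_data_key(_unb64(blob["edk"]))
    return AESGCM(dek).decrypt(_unb64(blob["nonce"]), _unb64(blob["ct"]), aad).decode("utf-8")


def protect_document(keyring, doc, field):
    """Return a copy of doc with doc[field] replaced by an encrypted envelope
    under field + '_enc'. Assumption: the VIN is the document's natural key and
    is used as associated data so ciphertexts cannot be swapped between cars."""
    out = dict(doc)
    out[field + "_enc"] = encrypt_field(keyring, out.pop(field), doc["VIN"].encode())
    return out


def reveal_document(keyring, doc, field):
    """Inverse of protect_document for a document read back from the ledger."""
    out = dict(doc)
    out[field] = decrypt_field(keyring, out.pop(field + "_enc"), doc["VIN"].encode())
    return out


if __name__ == "__main__":
    kr = LocalKeyWrapper()
    car = {"VIN": "1N4AL11D75C109151", "OwnerSSN": "123-45-6789"}  # constructed
    stored = protect_document(kr, car, "OwnerSSN")   # what you would INSERT
    print(stored)
    print(reveal_document(kr, stored, "OwnerSSN"))
```

Only the envelope (ciphertext plus wrapped data key) is written to the ledger, so QLDB's own at-rest encryption, its journal history, and any export never hold the plaintext. Because the wrapped key depends on the KMS key, the caveat from earlier on the page applies doubly: deleting that key makes these fields unrecoverable even if the ledger itself is re-keyed.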