Bringing Your Own Encryption Key into AlphaSense AWS
Objective: Enable customers to create and manage their own Customer Master Key (CMK) in AWS Key Management Service (KMS) to use with AlphaSense services.
Prerequisites
- Active AWS account.
- Familiarity with AWS KMS and IAM (Identity and Access Management).
Detailed Steps
1. Create a Customer Master Key (CMK)
- Log in to your AWS Management Console.
- Select region us-east-1.
- Navigate to Key Management Service.
- Click on “Create a key”.
- Select “Symmetric” as the key type for general-purpose encryption.
- Select “Encrypt & decrypt” as the key usage.
- Provide a name and description for the key to identify its use with AlphaSense.
- Configure key administrative permissions: Specify which IAM roles or users can manage the key.
- Configure key usage permissions: Define which accounts, IAM roles, or users can use the key to encrypt and decrypt data. This is not required if AlphaSense is the only user of the key.
2. Implement AlphaSense-Specific Key Policies
- AlphaSense will provide a JSON policy statement that specifies the permissions the service needs to use the CMK.
- Attach this statement to your CMK key policy to allow AlphaSense to use the key for encryption.
3. Example statement
{
  "Sid": "Allow access for AlphaSense",
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::[AlphaSense-Account-ID]:role/[customer-facing-role-name]"},
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}
AlphaSense will provide the role ARN when needed.
Further Reading: AWS KMS Policy Examples
4. Provide Key ARN to AlphaSense
- Transmit the ARN of your CMK to AlphaSense through a secure channel.
5. Security Considerations
- Regularly audit the IAM roles and policies associated with your CMK.
- Use AWS CloudTrail to log and monitor all key usage.
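An added example, not AlphaSense's or AWS's own code, covering steps 2 and 3 and the audit item above: it merges the example statement into an existing key policy document without touching other statements, then checks the result for wildcard principals and for grants to the AlphaSense role beyond the five listed actions. The role ARN and the starting policy are constructed placeholders; in a key policy, "Resource": "*" refers only to the key the policy is attached to.

```python
import copy

# Sid and actions copied from the example statement on this page.
SID = "Allow access for AlphaSense"
EXPECTED_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"}
# Constructed sample values (placeholders, not real AlphaSense identifiers).
SAMPLE_ROLE = "arn:aws:iam::999999999999:role/example-customer-facing-role"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*", "Resource": "*"}]}


def build_statement(role_arn):
    """Build the page's statement for exactly one IAM role ARN."""
    if "*" in role_arn or not role_arn.startswith("arn:aws:iam::") \
            or ":role/" not in role_arn:
        raise ValueError("principal must be one IAM role ARN, no wildcards")
    return {"Sid": SID, "Effect": "Allow", "Principal": {"AWS": role_arn},
            "Action": sorted(EXPECTED_ACTIONS), "Resource": "*"}


def merge_statement(policy, role_arn):
    """Add or replace the AlphaSense statement; keep every other statement."""
    merged = copy.deepcopy(policy)
    kept = [s for s in merged.get("Statement", []) if s.get("Sid") != SID]
    merged["Statement"] = kept + [build_statement(role_arn)]
    return merged


def as_list(value):
    """Normalise a policy field that may be a string, a list, or absent."""
    return [value] if isinstance(value, str) else list(value or [])


def audit(policy, role_arn):
    """Report wildcard principals and grants to role_arn beyond the list."""
    findings = []
    for s in policy.get("Statement", []):
        if s.get("Effect") != "Allow":
            continue
        p = s.get("Principal")
        principals = as_list(p.get("AWS") if isinstance(p, dict) else p)
        extra = sorted(set(as_list(s.get("Action"))) - EXPECTED_ACTIONS)
        if "*" in principals:
            findings.append(f"{s.get('Sid')}: wildcard principal")
        if role_arn in principals and extra:
            findings.append(f"{s.get('Sid')}: unexpected actions {extra}")
    return findings
```

Running `merge_statement` twice with the same role ARN yields the same document, so the statement is never duplicated when the policy is re-applied.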