AWS eventbridge high security documentation change
Summary
Added encryption configuration options (AWS owned vs customer managed keys) for event archives
Security assessment
Introduces documentation about encrypting archives with KMS keys, a security feature
Diff
diff --git a/eventbridge/latest/userguide/eb-archive-event.md b/eventbridge/latest/userguide/eb-archive-event.md index 81948d943..d59b5ae51 100644 --- a//eventbridge/latest/userguide/eb-archive-event.md +++ b//eventbridge/latest/userguide/eb-archive-event.md @@ -54 +54,21 @@ You cannot change the source event bus once you have created the archive. - 7. Choose **Next**. + 7. For **Encryption** , choose the KMS key for EventBridge to use when encrypting the events stored in the archive. + +###### Important + +If you have specify that EventBridge use a customer managed key for encrypting the source event bus, we strongly recommend you also specify a customer managed key for any archives for the event bus as well. + + * Choose **Use AWS owned key** for EventBridge to encrypt the data using an AWS owned key. + +This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. + +This is the default. + + * Choose **Use customer managed key** for EventBridge to encrypt the data using the customer managed key that you specify or create. + +Customer managed key are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys. + + 1. Specify an existing customer managed key, or choose **Create a new KMS key / >**. + +EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key. + + 8. Choose **Next**.