Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account
AWS KMS and data encryption in Amazon Monitron - Amazon Monitron

Amazon Monitron is no longer open to new customers. Existing customers can continue to use the service as normal. For capabilities similar to Amazon Monitron, see our blog post.

Amazon Monitron is no longer open to new customers. Existing customers can continue to use the service as normal. For capabilities similar to Amazon Monitron, see our blog post.

AWS KMS and data encryption in Amazon Monitron

PDFRSS

Amazon Monitron encrypts your data and project information using one of two types of keys through AWS Key Management Service (AWS KMS). You can choose one of the following:

  • An AWS owned key. This is the default encryption key and is used if you do not choose Custom encryption settings when setting up your project.

  • A customer managed CMK. You can use an existing key in your AWS account or create a key in the AWS KMS console or using the API. If you're using an existing key, you choose Choose an AWS KMS key and then either choose a key from the list of AWS KMS keys, or enter the Amazon Resource Name (ARN) of another key. If you want to create a new key, you choose Create an AWS KMS key. For more information, see Creating Keys in the AWS Key Management Service Developer Guide.

When using AWS KMS to encrypt your data, keep the following in mind:

  • Your data is encrypted at rest in the Cloud in Amazon S3 and Amazon DynamoDB.

  • When data is encrypted using an AWS owned CMK, Amazon Monitron uses a separate CMK for each customer.

  • IAM users must have the required permissions to call the AWS KMS API operations connected with Amazon Monitron. Amazon Monitron includes the following permissions in its managed policy for console use. 

    {
                 "Effect": "Allow",
                 "Action": [
                         "kms:ListKeys",
                         "kms:DescribeKey",
                         "kms:ListAliases",
                         "kms:CreateGrant"
                 ],
                 "Resource": "*"
         },

    For more information, see Using IAM Policies with AWS KMS in the AWS Key Management Service Developer Guide.

  • If you delete or disable your CMK, you won't be able to access the data. For more information, see Deleting AWS KMS keys in the AWS Key Management Service Developer Guide.

Previous topic:

Data in transit

Need help?

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.