Key management - Amazon CodeGuru Security

Amazon CodeGuru Security is in preview release and is subject to change.

Key management

CodeGuru Security encrypts your data using one of two types of KMS keys:

  • An AWS owned KMS key. This is the default encryption method.

  • A customer managed KMS key. To use your own KMS key, you need to create the key and then provide a key policy to grant permissions to CodeGuru Security to use the key.

The following sections explain how to create and use a customer managed KMS key to encrypt your data.

Create a customer managed KMS key

You can create a customer managed KMS key using either the AWS KMS console or the CreateKey API. You can either use an existing symmetric key in your account or create a new symmetric customer managed KMS key. CodeGuru Security does not support asymmetric KMS keys. Additionally, the AWS KMS key must be in the same AWS Region as your scans, or it must be a multi-Region key. For more information, see Creating symmetric encryption AWS KMS keys in the AWS KMS User Guide.

Permissions for code encryption with a customer managed KMS key

To use your encryption key, you need to create a policy that allows access to AWS KMS key actions and a policy that allows Amazon CodeGuru Security to use those actions.

If you are setting, updating, or resetting the encryption key for your account it is recommended to use an Amazon CodeGuru Security administrator policy, such as AmazonCodeGuruSecurityFullAccess.

The key policy for KMS must allow the following actions:

  • kms:CreateGrant

  • kms:Decrypt

  • kms:DescribeKey

  • kms:GenerateDataKeyWithoutPlaintext

  • kms:Encrypt

  • kms:RetireGrant

After you've verified that you have the correct KMS permissions in your key policy, you must create a policy to attach to your CodeGuru Security access role that allows CodeGuru Security to use your key for encryption. Add the following statements to your policy and replace <region> with the AWS Region where you are running CodeGuru Security scans:

{
  "Effect": "Allow",
  "Action": "kms:CreateGrant",
  "Resource": "*",
  "Condition": {
    "ForAllValues:StringEquals": {
      "kms:GrantOperations": [
        "GenerateDataKey",
        "GenerateDataKeyWithoutPlaintext",
        "Encrypt",
        "Decrypt",
        "RetireGrant",
        "DescribeKey"
      ]
    },
    "StringEquals": {
      "kms:ViaService": [
        "codeguru-security.<region>.amazonaws.com"
      ]
    }
  }
},
{
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:RetireGrant",
    "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "kms:ViaService": [
        "codeguru-security.<region>.amazonaws.com"
      ]
    }
  }
}

For information on key policies, see Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.
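The following Python is added here as a worked example; it is not code from the CodeGuru Security documentation or from any AWS SDK. It builds a complete key policy and the two IAM statements above for a given account, role and Region, and checks an arbitrary key policy for the six actions listed in this section. The account ID, role ARN and Region are placeholders. The checker evaluates only Effect, Principal and Action (no NotAction, NotPrincipal or Condition keys) and does not model access that the root principal statement delegates to IAM policies, so it reports what the key policy grants directly.

```python
"""Build the KMS key policy and IAM statements CodeGuru Security needs, and check an
existing key policy against the required action list.

Added example, not from the CodeGuru Security documentation or the AWS SDK. Account ID,
role ARN and Region are placeholders; the checker models Effect/Principal/Action only."""
import fnmatch
import json

# Actions the key policy must allow, as listed on this page.
REQUIRED_KEY_ACTIONS = frozenset({
    "kms:CreateGrant",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:Encrypt",
    "kms:RetireGrant",
})


def key_policy(account_id, principal_arn):
    """Full key policy: the usual root statement (keeps the key administrable through IAM)
    plus one statement granting the required actions to the role that uses CodeGuru Security."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Enable IAM User Permissions",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "AllowCodeGuruSecurityRoleToUseTheKey",
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": sorted(REQUIRED_KEY_ACTIONS),
                "Resource": "*",
            },
        ],
    }


def codeguru_iam_statements(region):
    """The two IAM statements from this page with <region> filled in. kms:ViaService limits
    use of the permissions to requests that arrive through CodeGuru Security itself."""
    via_service = {"kms:ViaService": [f"codeguru-security.{region}.amazonaws.com"]}
    return [
        {
            "Effect": "Allow",
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "kms:GrantOperations": [
                        "GenerateDataKey", "GenerateDataKeyWithoutPlaintext", "Encrypt",
                        "Decrypt", "RetireGrant", "DescribeKey",
                    ]
                },
                "StringEquals": via_service,
            },
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt", "kms:Decrypt", "kms:RetireGrant",
                "kms:DescribeKey", "kms:GenerateDataKeyWithoutPlaintext",
            ],
            "Resource": "*",
            "Condition": {"StringEquals": via_service},
        },
    ]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def missing_key_actions(policy, principal_arn):
    """Required actions that `policy` does not allow directly to `principal_arn`.
    IAM action names are case-insensitive and may contain wildcards, and an explicit
    Deny overrides any Allow, so both are modelled. Empty set = key policy is sufficient."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt, principal_arn):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        hits = {a for a in REQUIRED_KEY_ACTIONS
                if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits
    return set(REQUIRED_KEY_ACTIONS) - (allowed - denied)


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/CodeGuruSecurityScanRole"  # placeholder
    policy = key_policy("123456789012", role)
    print(json.dumps(policy, indent=2))
    print(json.dumps({"Version": "2012-10-17",
                      "Statement": codeguru_iam_statements("us-east-1")}, indent=2))
    print("missing:", missing_key_actions(policy, role) or "none")
```

Because action matching is case-insensitive, a key policy written with the spelling `kms:GenerateDataKeyWithoutPlainText` still passes the check; the checker is useful mainly for catching a role that was granted only `kms:Decrypt`, or an explicit Deny on `kms:CreateGrant` that would otherwise surface as failed scans.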

Configure encryption with the Amazon CodeGuru Security API

To set a customer managed key for encryption, use the UpdateAccountConfiguration operation. In the API request, for the EncryptionConfig object, use the kmsKeyArn field to specify the ARN of the AWS KMS encryption key you want to use. If you call UpdateAccountConfiguration and pass null or nothing for kmsKeyArn, an AWS owned key will be used for encryption.

To view the KMS key ARN currently used for encryption, call GetAccountConfiguration. If you haven't set a customer managed key, the operation returns null for kmsKeyArn, which means that an AWS owned key is being used for encryption.

If you delete the key, or change its policy to deny access to Amazon CodeGuru Security, you will be unable to access your findings and dashboard metrics, and code scans will fail for your account.
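The following Python is an added example, not code from the CodeGuru Security documentation or from AWS. It wraps the operations described above (UpdateAccountConfiguration and GetAccountConfiguration, via their boto3 method names `update_account_configuration` and `get_account_configuration`) and, before switching keys, checks the constraints this page states: the key must be symmetric, in the scan Region or multi-Region, and usable (a disabled key or one pending deletion would leave findings unreadable and make scans fail). The clients are passed in, so the logic runs offline against the constructed fake clients and sample key metadata included below; the key ARNs and Region are placeholders, and `real_clients` shows how the same functions are driven against a live account.

```python
"""Set, read back and pre-flight the customer managed KMS key used by CodeGuru Security.

Added example, not from the CodeGuru Security documentation or the AWS SDK. Uses the
boto3 method names for the operations on this page; clients are injected so the checks
run offline against the constructed fakes below. ARNs and Region are placeholders."""


def parse_kms_key_arn(arn):
    """Split arn:aws:kms:<region>:<account>:key/<key-id> into (region, account, key_id)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms" or not parts[5].startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {arn}")
    return parts[3], parts[4], parts[5][len("key/"):]


def key_usable_in_region(arn, scan_region):
    """The key must be in the scan Region or be multi-Region; AWS KMS multi-Region key IDs
    begin with 'mrk-', so this can be decided from the ARN alone."""
    region, _, key_id = parse_kms_key_arn(arn)
    return region == scan_region or key_id.startswith("mrk-")


def current_encryption_key(codeguru):
    """ARN of the customer managed key, or None when the AWS owned key is in use
    (GetAccountConfiguration then carries no kmsKeyArn)."""
    config = codeguru.get_account_configuration().get("encryptionConfig") or {}
    return config.get("kmsKeyArn") or None


def set_encryption_key(codeguru, kms, arn, scan_region):
    """Switch the account to `arn` after checking Region, key spec and key state, or back to
    the AWS owned key when `arn` is None. Returns the ARN now in effect (None = AWS owned)."""
    if arn is None:
        # Omitting kmsKeyArn (the "nothing" case on this page) reverts to the AWS owned key.
        codeguru.update_account_configuration(encryptionConfig={})
        return None
    if not key_usable_in_region(arn, scan_region):
        raise ValueError(f"{arn} is neither in {scan_region} nor multi-Region")
    meta = kms.describe_key(KeyId=arn)["KeyMetadata"]
    if meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        raise ValueError("CodeGuru Security supports only symmetric encryption keys")
    if meta.get("KeyState") != "Enabled":
        # Disabled or pending deletion: scans would fail and findings become unreadable.
        raise ValueError(f"key state is {meta.get('KeyState')}, expected Enabled")
    codeguru.update_account_configuration(encryptionConfig={"kmsKeyArn": arn})
    return arn


# --- Constructed sample data and fake clients (stand-ins for boto3) so this runs offline ---
SAMPLE_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
SAMPLE_MRK_ARN = "arn:aws:kms:eu-west-1:123456789012:key/mrk-1234abcd12ab34cd56ef1234567890ab"
SAMPLE_RSA_ARN = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_DISABLED_ARN = "arn:aws:kms:us-east-1:123456789012:key/ffffffff-0000-1111-2222-333333333333"
SAMPLE_KEYS = {
    SAMPLE_KEY_ARN: {"KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "MultiRegion": False},
    SAMPLE_MRK_ARN: {"KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Enabled", "MultiRegion": True},
    SAMPLE_RSA_ARN: {"KeySpec": "RSA_2048", "KeyState": "Enabled", "MultiRegion": False},
    SAMPLE_DISABLED_ARN: {"KeySpec": "SYMMETRIC_DEFAULT", "KeyState": "Disabled", "MultiRegion": False},
}


class FakeCodeGuru:
    """Mimics the two account-configuration calls of the codeguru-security client."""
    def __init__(self):
        self.kms_key_arn = None

    def get_account_configuration(self):
        cfg = {"kmsKeyArn": self.kms_key_arn} if self.kms_key_arn else {}
        return {"encryptionConfig": cfg}

    def update_account_configuration(self, encryptionConfig):
        self.kms_key_arn = encryptionConfig.get("kmsKeyArn")
        return {"encryptionConfig": encryptionConfig}


class FakeKms:
    def describe_key(self, KeyId):
        return {"KeyMetadata": SAMPLE_KEYS[KeyId]}


def real_clients(region):
    """For a live account: the real codeguru-security and kms clients (needs credentials)."""
    import boto3  # imported here so the offline demo does not require boto3
    return (boto3.client("codeguru-security", region_name=region),
            boto3.client("kms", region_name=region))


if __name__ == "__main__":
    codeguru, kms = FakeCodeGuru(), FakeKms()
    print("before:", current_encryption_key(codeguru))  # None: AWS owned key in use
    set_encryption_key(codeguru, kms, SAMPLE_KEY_ARN, "us-east-1")
    print("after:", current_encryption_key(codeguru))
    for bad in (SAMPLE_RSA_ARN, SAMPLE_DISABLED_ARN):
        try:
            set_encryption_key(codeguru, kms, bad, "us-east-1")
        except ValueError as err:
            print("rejected:", err)
    set_encryption_key(codeguru, kms, None, "us-east-1")
    print("reset:", current_encryption_key(codeguru))
```

The pre-flight is deliberately done against `describe_key` rather than by trusting the ARN: the key state check is what catches the failure mode described above (a key scheduled for deletion or disabled after it was configured), and re-running `current_encryption_key` plus `describe_key` on a schedule is a cheap way to detect that condition before scans start failing.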