KMS encryption in Amazon Comprehend
Amazon Comprehend works with AWS Key Management Service (AWS KMS) to provide enhanced encryption for your data. Amazon S3 already enables you to encrypt your input documents when creating a text analysis, topic modeling, or custom Amazon Comprehend job. Integration with AWS KMS enables you to encrypt the data in the storage volume for Start* and Create* jobs, and it encrypts the output results of Start* jobs using your own KMS key.
For the AWS Management Console, Amazon Comprehend encrypts custom models with its own KMS key. For the AWS CLI, Amazon Comprehend can encrypt custom models using either its own KMS key or a provided customer managed key (CMK).
KMS encryption using the AWS Management Console
Two encryption options are available when using the console:
-
Volume encryption
-
Output result encryption
To enable volume encryption
-
Under Job Settings, choose the Job encryption option.
-
Choose whether the KMS customer-managed key (CMK) is from the account you're currently using or from a different account. If you want to use a key from the current account, choose the key alias from KMS key ID. If you're using a key from a different account, you must enter the key's ARN.
To enable output result encryption
-
Under Output Settings, choose the Encryption option.
-
Choose whether the customer-managed key (CMK) is from the account you're currently using or from a different account. If you want to use a key from the current account, choose the key ID from KMS key ID. If you're using a key from a different account, you must enter the key's ARN.
If you have previously setup encryption using SSE-KMS on the your S3 input documents, this
can provide you with additional security. However, if you do this, the IAM role used must have
kms:Decrypt permission for the KMS key with which the input documents are
encrypted. For more information, see Permissions required to use KMS encryption.
KMS encryption with API operations
All Amazon Comprehend Start* and Create* API operations support KMS encrypted
input documents. Describe* and List* API operations return the
KmsKeyId in OutputDataConfig if the original job had
KmsKeyId provided as an input. If it was not provided as input, it isn't
returned.
This can be seen in the following AWS CLI example using the StartEntitiesDetectionJob operation:
aws comprehend start-entities-detection-job \ --regionregion\ --data-access-role-arn "data access role arn" \ --entity-recognizer-arn "entity recognizer arn" \ --input-data-config "S3Uri=s3://Bucket Name/Bucket Path" \ --job-namejob name\ --language-code en \ --output-data-config "KmsKeyId=Output S3 KMS key ID" "S3Uri=s3://Bucket Name/Bucket Path/" \ --volumekmskeyid "Volume KMS key ID"
This example is formatted for Unix, Linux, and macOS. For Windows, replace the backslash (\) Unix continuation character at the end of each line with a caret (^).
Customer Managed Key (CMK) encryption with API operations
Amazon Comprehend custom model API operations, CreateEntityRecognizer,
CreateDocumentClassifier, and CreateEndpoint, support encryption
using customer managed keys via the AWS CLI.
You need an IAM policy to allow a principal to use or manage customer managed keys. These
keys are specified in the Resource element of the policy statement. As best
practice, limit customer managed keys to only those that the principals must use in your policy
statement.
The following AWS CLI example creates a custom entity recognizer with model encryption using the CreateEntityRecognizer operation:
aws comprehend create-entity-recognizer \ --recognizer-namename\ --data-access-role-arndata access role arn\ --language-code en \ --model-kms-key-idModel KMS Key ID\ --input-data-config file:///path/input-data-config.json
This example is formatted for Unix, Linux, and macOS. For Windows, replace the backslash (\) Unix continuation character at the end of each line with a caret (^).
