KMS Encryption in Amazon Comprehend

Amazon Comprehend works with Amazon Key Management Service (KMS) to provide enhanced encryption for your data. Amazon S3 already enables you to encrypt your input documents when creating a text analysis, topic modeling, or custom Comprehend job. Integration with KMS enables you to encrypt the data in the storage volume for Start* and Create* jobs as well as encrypt the output results of Start* jobs using your own KMS key. Amazon Comprehend encrypts custom models with its own KMS key and does not use a customer provided KMS key.

KMS encryption with the AWS Console

Two encryption options are available when using the AWS Console:

Volume encryption
Output result encryption

To enable volume encryption

Under Job Settings, choose the Job encryption option.
Choose whether the KMS customer-managed key (CMK) is from the account you're currently using or from a different account. If you want to use a key from the current account, choose the key alias from KMS key ID. If you're using a key from a different account, you need to enter the key's ARN.

To enable output result encryption

Under Output Settings, choose the Encryption option.
Choose whether the customer-managed key (CMK) is from the account you're currently using or from a different account. If you want to use a key from the current account, choose the key ID from KMS key ID. If you're using a key from a different account, you need to enter the key's ARN.

If you have previously setup encryption using SSE-KMS on the your S3 input documents, this can provide you with additional security. However, if you do this, the IAM role used must have kms:Decrypt permission for the KMS key with which the input documents are encrypted. For more information, see Permissions Required to Use KMS Encryption.

KMS encryption with APIs

All Amazon Comprehend Start* and Create* APIs support KMS encrypted input documents. Describe* and List* APIs will return the KmsKeyId in OutputDataConfig if the original job had KmsKeyId provided as an input. If it was not provided as input, it will not be returned.

This can be seen in the following AWS CLI example using the StartEntitiesDetectionJob operation:

This example is formatted for Unix, Linux, and macOS. For Windows, replace the backslash (\) Unix continuation character at the end of each line with a caret (^).


aws comprehend start-entities-detection-job \
     --region region
     --data-access-role-arn "data access role arn" \    
     --entity-recognizer-arn "entity recognizer arn" \
     --input-data-config "S3Uri=s3://Bucket Name/Bucket Path" \    
     --job-name job name \
     --language-code en \
     --output-data-config "KmsKeyId=Output S3 KMS key ID" "S3Uri=s3://Bucket Name/Bucket Path/" \
     --volumekmskeyid "Volume KMS key ID"

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Data Protection

Using a Virtual Private Cloud (VPC)