

# Data protection in Deadline Cloud

The AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/) applies to data protection in AWS Deadline Cloud. As described in this model, AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure. You are also responsible for the security configuration and management tasks for the AWS services that you use. For more information about data privacy, see the [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/). For information about data protection in Europe, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual users with AWS IAM Identity Center or AWS Identity and Access Management (IAM). That way, each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We require TLS 1.2 and recommend TLS 1.3.
+ Set up API and user activity logging with AWS CloudTrail. For information about using CloudTrail trails to capture AWS activities, see [Working with CloudTrail trails](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-trails.html) in the *AWS CloudTrail User Guide*.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing sensitive data that is stored in Amazon S3.
+ If you require FIPS 140-3 validated cryptographic modules when accessing AWS through a command line interface or an API, use a FIPS endpoint. For more information about the available FIPS endpoints, see [Federal Information Processing Standard (FIPS) 140-3](https://aws.amazon.com/compliance/fips/).

We strongly recommend that you never put confidential or sensitive information, such as your customers' email addresses, into tags or free-form text fields such as a **Name** field. This includes when you work with Deadline Cloud or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into tags or free-form text fields used for names may be used for billing or diagnostic logs. If you provide a URL to an external server, we strongly recommend that you do not include credentials information in the URL to validate your request to that server.

The data entered into name fields in Deadline Cloud job templates may also be included in billing or diagnostic logs and should not contain confidential or sensitive information.

**Topics**
+ [Encryption at rest](encryption-rest.md)
+ [Encryption in transit](encryption-transit.md)
+ [Key management](key-management.md)
+ [Inter-network traffic privacy](inter-network-traffic-privacy.md)
+ [Opt out](opt-out.md)

# Encryption at rest


AWS Deadline Cloud protects sensitive data by encrypting it at rest using encryption keys stored in [AWS Key Management Service (AWS KMS)](https://aws.amazon.com/kms). Encryption at rest is available in all AWS Regions where Deadline Cloud is available.

Encrypting data means sensitive data saved on disks isn't readable by a user or application without a valid key. Only a party with a valid managed key can decrypt the data.

Deadline Cloud deletes Amazon Elastic Block Store volumes when service-managed fleet worker instances terminate.

For information about how Deadline Cloud uses AWS KMS for encrypting data at rest, see [Key management](key-management.md).

# Encryption in transit


For data in transit, AWS Deadline Cloud uses Transport Layer Security (TLS) 1.2 or 1.3 to encrypt data sent between the service and workers. We require TLS 1.2 and recommend TLS 1.3. Additionally, if you use a virtual private cloud (VPC), you can use AWS PrivateLink to establish a private connection between your VPC and Deadline Cloud.

# Key management


When creating a new farm, you can choose one of the following keys to encrypt your farm data:
+ **AWS owned KMS key** – Default encryption type if you don't specify a key when you create the farm. The KMS key is owned by AWS Deadline Cloud. You can't view, manage, or use AWS owned keys. However, you don't need to take any action to protect the keys that encrypt your data. For more information, see [AWS owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk) in the *AWS Key Management Service developer guide*.
+ **Customer managed KMS key** – You specify a customer managed key when you create a farm. All of the content within the farm is encrypted with the KMS key. The key is stored in your account and is created, owned, and managed by you and AWS KMS charges apply. You have full control over the KMS key. You can perform such tasks as:
  + Establishing and maintaining key policies
  + Establishing and maintaining IAM policies and grants
  + Enabling and disabling key policies
  + Adding tags
  + Creating key aliases

  You can't manually rotate a customer owned key used with a Deadline Cloud farm. Automatic rotation of the key is supported.

  For more information, see [Customer owned keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) in the *AWS Key Management Service Developer Guide*.

  To create a customer managed key, follow the steps for [Creating symmetric customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the *AWS Key Management Service Developer Guide*.

## How Deadline Cloud uses AWS KMS grants

Deadline Cloud requires a [grant](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to use your customer managed key. When you create a farm encrypted with a customer managed key, Deadline Cloud creates a grant on your behalf by sending a [`CreateGrant`](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) request to AWS KMS to get access to the KMS key that you specified.

Deadline Cloud uses multiple grants. Each grant is used by a different part of Deadline Cloud that needs to encrypt or decrypt your data. Deadline Cloud also uses grants to allow access to other AWS services used to store data on your behalf, such as Amazon Simple Storage Service, Amazon Elastic Block Store, or OpenSearch.

Grants that enable Deadline Cloud to manage machines in a service-managed fleet include a Deadline Cloud account number and role in the `GranteePrincipal` instead of a service principal. While not typical, this is necessary to encrypt Amazon EBS volumes for workers in service-managed fleets using the customer managed KMS key specified for the farm.

## Customer managed key policy


Key policies control access to your customer managed key. Each key must have exactly one key policy that contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Managing access to customer managed keys](https://docs.aws.amazon.com/kms/latest/developerguide/control-access-overview.html#managing-access) in the *AWS Key Management Service Developer Guide*.

### Minimal IAM policy for CreateFarm


To use your customer managed key to create farms using the console or the [`CreateFarm`](https://docs.aws.amazon.com/deadline-cloud/latest/APIReference/API_CreateFarm.html) API operation, the following AWS KMS API operations must be permitted:
+ [`kms:CreateGrant`](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) – Adds a grant to a customer managed key. Grants console access to a specified AWS KMS key. For more information, see [Using grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the *AWS Key Management Service developer guide*.
+ [`kms:Decrypt`](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) – Allows Deadline Cloud to decrypt data in the farm.
+ [`kms:DescribeKey`](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) – Provides the customer managed key details to allow Deadline Cloud to validate the key.
+ [`kms:GenerateDataKey`](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) – Allows Deadline Cloud to encrypt data using a unique data key.

The following policy statement grants the necessary permissions for the `CreateFarm` operation.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeadlineCreateGrants",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey",
                "kms:CreateGrant",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/1234567890abcdef0",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "deadline.us-west-2.amazonaws.com"
                }
            }
        }
    ]
}
```

------

### Minimal IAM policy for read-only operations


To use your customer managed key for read-only Deadline Cloud operations, such as getting information about farms, queues, and fleets, the following AWS KMS API operations must be permitted:
+ [`kms:Decrypt`](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) – Allows Deadline Cloud to decrypt data in the farm.
+ [`kms:DescribeKey`](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) – Provides the customer managed key details to allow Deadline Cloud to validate the key.

The following policy statement grants the necessary permissions for read-only operations.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeadlineReadOnly",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "deadline.us-west-2.amazonaws.com"
                }
            }
        }
    ]
}
```

------

### Minimal IAM policy for read-write operations


To use your customer managed key for read-write Deadline Cloud operations, such as creating and updating farms, queues, and fleets, the following AWS KMS API operations must be permitted:
+ [`kms:Decrypt`](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) – Allows Deadline Cloud to decrypt data in the farm.
+ [`kms:DescribeKey`](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) – Provides the customer managed key details to allow Deadline Cloud to validate the key.
+ [`kms:GenerateDataKey`](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) – Allows Deadline Cloud to encrypt data using a unique data key.

The following policy statement grants the necessary permissions for read-write operations.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeadlineReadWrite",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "kms:GenerateDataKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "deadline.us-west-2.amazonaws.com"
                }
            }
        }
    ]
}
```

------
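To check that a policy stays within the minimal action sets of the three sections above (CreateFarm, read-only, read-write) and keeps the `kms:ViaService` scoping, here is an added linter; it is not part of the Deadline Cloud documentation or tooling, and the key ARN, Region and sample statements it uses are constructed placeholders.

```python
"""Least-privilege lint for the KMS statements a Deadline Cloud farm key needs.

Added example, not Deadline Cloud code. Key ARNs, Regions and the sample
policy below are constructed.
"""
import json
import re

# Minimal action sets from the three policy sections on this page.
MINIMAL_ACTIONS = {
    "create-farm": {"kms:CreateGrant", "kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"},
    "read-only": {"kms:Decrypt", "kms:DescribeKey"},
    "read-write": {"kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"},
}

# A single-key ARN: arn:<partition>:kms:<region>:<account>:key/<id>
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:([a-z0-9-]+):\d{12}:key/[A-Za-z0-9-]+$")
VIA_SERVICE_RE = re.compile(r"^deadline\.([a-z0-9-]+)\.amazonaws\.com$")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def lint_kms_statement(statement, mode):
    """Return findings for one statement; an empty list means minimal and scoped."""
    findings = []
    if statement.get("Effect") != "Allow":
        return ["statement is not an Allow"]
    actions = set(_as_list(statement.get("Action", [])))
    allowed = MINIMAL_ACTIONS[mode]
    wildcards = {a for a in actions if "*" in a}  # kms:* grants far more than needed
    if wildcards:
        findings.append(f"wildcard actions: {sorted(wildcards)}")
    extra = actions - allowed - wildcards
    if extra:
        findings.append(f"actions beyond the minimal set for {mode}: {sorted(extra)}")
    missing = allowed - actions if not wildcards else set()
    if missing:
        findings.append(f"missing actions for {mode}: {sorted(missing)}")
    regions = set()
    for res in _as_list(statement.get("Resource", [])):
        m = KEY_ARN_RE.match(res)
        if m:
            regions.add(m.group(1))
        else:
            findings.append(f"resource is not a single key ARN: {res}")
    via = statement.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService")
    if via is None:
        findings.append("no kms:ViaService condition: key usable outside Deadline Cloud")
    else:
        for v in _as_list(via):
            m = VIA_SERVICE_RE.match(v)
            if not m:
                findings.append(f"kms:ViaService is not a Deadline Cloud endpoint: {v}")
            elif regions and m.group(1) not in regions:
                findings.append(f"kms:ViaService region {m.group(1)} does not match key region(s) {sorted(regions)}")
    return findings


def lint_policy(policy_json, mode):
    """Lint every statement of a policy document; returns {Sid: findings}."""
    doc = json.loads(policy_json)
    return {s.get("Sid", f"stmt{i}"): lint_kms_statement(s, mode)
            for i, s in enumerate(_as_list(doc["Statement"]))}


# Constructed sample: the read-only statement with its condition pointing at the
# wrong Region, plus an over-broad second statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DeadlineReadOnly", "Effect": "Allow",
         "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
         "Condition": {"StringEquals": {"kms:ViaService": "deadline.us-east-1.amazonaws.com"}}},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "kms:*", "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for sid, findings in lint_policy(SAMPLE_POLICY, "read-only").items():
        print(sid, "OK" if not findings else findings)
```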

## Monitoring your encryption keys


When you use an AWS KMS customer managed key with your Deadline Cloud farms, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) or [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html) to track requests that Deadline Cloud sends to AWS KMS.

### CloudTrail event for grants


The following example CloudTrail event occurs when grants are created, typically when you call the `CreateFarm`, `CreateMonitor`, or `CreateFleet` operation.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:SampleUser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/Admin/SampleUser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE3",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/Admin",
                "accountId": "111122223333",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2024-04-23T02:05:26Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "deadline.amazonaws.com"
    },
    "eventTime": "2024-04-23T02:05:35Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "CreateGrant",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "deadline.amazonaws.com",
    "userAgent": "deadline.amazonaws.com",
    "requestParameters": {
        "operations": [
            "CreateGrant",
            "Decrypt",
            "DescribeKey",
            "Encrypt",
            "GenerateDataKey"
        ],
        "constraints": {
            "encryptionContextSubset": {
                "aws:deadline:farmId": "farm-abcdef12345678900987654321fedcba",
                "aws:deadline:accountId": "111122223333"
            }
        },
        "granteePrincipal": "deadline.amazonaws.com",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "retiringPrincipal": "deadline.amazonaws.com"
    },
    "responseElements": {
        "grantId": "6bbe819394822a400fe5e3a75d0e9ef16c1733143fff0c1fc00dc7ac282a18a0",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    },
    "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
    "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333",
    "readOnly": false,
    "resources": [
        {
            "accountId": "AWS Internal",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE44444"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

### CloudTrail event for decryption


The following example CloudTrail event occurs when decrypting values using the customer managed KMS key.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:SampleUser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleUser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/SampleRole",
                "accountId": "111122223333",
                "userName": "SampleRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2024-04-23T18:46:51Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "deadline.amazonaws.com"
    },
    "eventTime": "2024-04-23T18:51:44Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "Decrypt",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "deadline.amazonaws.com",
    "userAgent": "deadline.amazonaws.com",
    "requestParameters": {
        "encryptionContext": {
            "aws:deadline:farmId": "farm-abcdef12345678900987654321fedcba",
            "aws:deadline:accountId": "111122223333",
            "aws-crypto-public-key": "AotL+SAMPLEVALUEiOMEXAMPLEaaqNOTREALaGTESTONLY+p/5H+EuKd4Q=="
        },
        "encryptionAlgorithm": "SYMMETRIC_DEFAULT",
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    },
    "responseElements": null,
    "requestID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeffffff",
    "eventID": "ffffffff-eeee-dddd-cccc-bbbbbbaaaaaa",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```

### CloudTrail event for encryption


The following example CloudTrail event occurs when encrypting values using the customer managed KMS key.

```
{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROAIGDTESTANDEXAMPLE:SampleUser01",
        "arn": "arn:aws:sts::111122223333:assumed-role/SampleRole/SampleUser01",
        "accountId": "111122223333",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROAIGDTESTANDEXAMPLE",
                "arn": "arn:aws:iam::111122223333:role/SampleRole",
                "accountId": "111122223333",
                "userName": "SampleRole"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2024-04-23T18:46:51Z",
                "mfaAuthenticated": "false"
            }
        },
        "invokedBy": "deadline.amazonaws.com"
    },
    "eventTime": "2024-04-23T18:52:40Z",
    "eventSource": "kms.amazonaws.com",
    "eventName": "GenerateDataKey",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "deadline.amazonaws.com",
    "userAgent": "deadline.amazonaws.com",
    "requestParameters": {
        "numberOfBytes": 32,
        "encryptionContext": {
            "aws:deadline:farmId": "farm-abcdef12345678900987654321fedcba",
            "aws:deadline:accountId": "111122223333",
            "aws-crypto-public-key": "AotL+SAMPLEVALUEiOMEXAMPLEaaqNOTREALaGTESTONLY+p/5H+EuKd4Q=="
        },
        "keyId": "arn:aws:kms:us-west-2:111122223333:key/abcdef12-3456-7890-0987-654321fedcba"
    },
    "responseElements": null,
    "requestID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "eventID": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
    "readOnly": true,
    "resources": [
        {
            "accountId": "111122223333",
            "type": "AWS::KMS::Key",
            "ARN": "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
        }
    ],
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "111122223333",
    "eventCategory": "Management"
}
```
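The three events above are what the monitoring section suggests watching. As an added example (not Deadline Cloud code), the following triage reads CloudTrail records like them, checks that each farm's KMS calls use the key registered for that farm, flags grants with no farm encryption-context constraint, and notes grants whose `granteePrincipal` is an account role rather than the service principal (expected for service-managed fleets, as the grants section explains). The farm ID, key ARNs, role ARN and records are constructed.

```python
"""Triage of the KMS CloudTrail events Deadline Cloud generates (added example,
not Deadline Cloud code; farm IDs, key ARNs and records are constructed)."""

SERVICE_PRINCIPAL = "deadline.amazonaws.com"
FARM = "farm-abcdef12345678900987654321fedcba"
# Constructed inventory: the customer managed key each farm was created with.
FARM_KEYS = {
    FARM: "arn:aws:kms:us-west-2:111122223333:key/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
}


def _farm_and_key(event):
    """Pull (farmId, keyId) from requestParameters. CreateGrant carries the farm
    as a grant constraint; Decrypt/GenerateDataKey carry it as encryption context."""
    params = event.get("requestParameters") or {}
    ctx = params.get("encryptionContext")
    if ctx is None:
        ctx = (params.get("constraints") or {}).get("encryptionContextSubset") or {}
    return ctx.get("aws:deadline:farmId"), params.get("keyId")


def triage_kms_events(records):
    """Return (counts by eventName, findings) for KMS calls made by Deadline Cloud."""
    counts, findings = {}, []
    for ev in records:
        # Only KMS calls the service made on your behalf (invokedBy) are in scope.
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        if ev.get("userIdentity", {}).get("invokedBy") != SERVICE_PRINCIPAL:
            continue
        name = ev["eventName"]
        counts[name] = counts.get(name, 0) + 1
        farm, key = _farm_and_key(ev)
        if farm is None:
            # A grant with no encryption-context constraint is not tied to one farm.
            findings.append((ev["eventID"], name, "no aws:deadline:farmId constraint"))
            continue
        expected = FARM_KEYS.get(farm)
        if expected is None:
            findings.append((ev["eventID"], name, f"unknown farm {farm}"))
        elif key != expected:
            findings.append((ev["eventID"], name, f"farm {farm} used unexpected key {key}"))
        if name == "CreateGrant":
            grantee = ev["requestParameters"].get("granteePrincipal", "")
            if grantee != SERVICE_PRINCIPAL:
                # Expected for service-managed fleet EBS encryption; review otherwise.
                findings.append((ev["eventID"], name, f"grantee is a role, not the service principal: {grantee}"))
    return counts, findings


OTHER_KEY = "arn:aws:kms:us-west-2:111122223333:key/abcdef12-3456-7890-0987-654321fedcba"
SAMPLE_RECORDS = [  # constructed, trimmed to the fields the triage reads
    {"eventID": "ev-1", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "userIdentity": {"invokedBy": SERVICE_PRINCIPAL},
     "requestParameters": {"granteePrincipal": SERVICE_PRINCIPAL, "keyId": FARM_KEYS[FARM],
                           "constraints": {"encryptionContextSubset": {"aws:deadline:farmId": FARM}}}},
    {"eventID": "ev-2", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"invokedBy": SERVICE_PRINCIPAL},
     "requestParameters": {"keyId": OTHER_KEY, "encryptionContext": {"aws:deadline:farmId": FARM}}},
    {"eventID": "ev-3", "eventSource": "kms.amazonaws.com", "eventName": "CreateGrant",
     "userIdentity": {"invokedBy": SERVICE_PRINCIPAL},
     "requestParameters": {"granteePrincipal": "arn:aws:iam::444455556666:role/EXAMPLE-fleet-role",
                           "keyId": FARM_KEYS[FARM],
                           "constraints": {"encryptionContextSubset": {"aws:deadline:farmId": FARM}}}},
    {"eventID": "ev-4", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser"},  # a human caller, not Deadline Cloud: ignored
     "requestParameters": {"keyId": OTHER_KEY, "encryptionContext": {}}},
]

if __name__ == "__main__":
    counts, findings = triage_kms_events(SAMPLE_RECORDS)
    print(counts)
    for finding in findings:
        print(*finding)
```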

## Deleting a customer managed KMS key


Deleting a customer managed KMS key in AWS Key Management Service (AWS KMS) is destructive and potentially dangerous. It irreversibly deletes the key material and all metadata associated with the key. After a customer managed KMS key is deleted, you can no longer decrypt the data that was encrypted by that key. Deleting the key means that the data becomes unrecoverable.

This is why AWS KMS gives customers a waiting period of up to 30 days before deleting the KMS key. The default waiting period is 30 days.

### About the waiting period


Because it's destructive and potentially dangerous to delete a customer managed KMS key, we require that you set a waiting period of 7–30 days. The default waiting period is 30 days.

However, the actual waiting period might be up to 24 hours longer than the period you scheduled. To get the actual date and time when the key will be deleted, use the [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) operation. You can also see the scheduled deletion date of a key in the [AWS KMS console](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys-console.html#viewing-details-navigate) on the key’s detail page, in the **General configuration** section. Notice the time zone.

During the waiting period, the customer managed key’s status and key state is **Pending deletion**.
+ A customer managed KMS key that is pending deletion can’t be used in any [cryptographic operations](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations).
+ AWS KMS doesn’t [rotate the backing keys](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works) of customer managed KMS keys that are pending deletion.

For more information about deleting a customer managed KMS key, see [Deleting customer master keys](https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) in the *AWS Key Management Service Developer Guide*.

# Inter-network traffic privacy


AWS Deadline Cloud supports Amazon Virtual Private Cloud (Amazon VPC) to secure connections. Amazon VPC provides features that you can use to increase and monitor the security for your virtual private cloud (VPC).

You can set up a customer-managed fleet (CMF) with Amazon Elastic Compute Cloud (Amazon EC2) instances that run inside a VPC. By deploying Amazon VPC endpoints to use AWS PrivateLink, traffic between workers in your CMF and the Deadline Cloud endpoint stays within your VPC. Furthermore, you can configure your VPC to restrict internet access to your instances.

In service-managed fleets, workers aren't reachable from the internet, but they do have internet access and connect to the Deadline Cloud service over the internet. Each service-managed fleet runs in its own isolated network, and worker instances remain dedicated to individual customers.

# Opt out


AWS Deadline Cloud collects certain operational information to help us develop and improve Deadline Cloud. The collected data includes things such as your AWS account ID and user ID, so that we can correctly identify you if you have an issue with Deadline Cloud. We also collect Deadline Cloud specific information, such as Resource IDs (a FarmID or QueueID when applicable), the product name (for example, JobAttachments, WorkerAgent, and more) and the product version.

You can choose to opt out from this data collection using application configuration. Each computer interacting with Deadline Cloud, both client workstations and fleet workers, needs to opt out separately.

## Deadline Cloud monitor - desktop


Deadline Cloud monitor - desktop collects operational information, such as when crashes occur and when the application is opened, to help us know when you are having problems with the application. To opt out from the collection of this operational information, go to the settings page and clear **Turn on data collection to measure Deadline Cloud Monitor's performance**.

After you opt out, the desktop monitor no longer sends the operational data. Any previously collected data is retained and may still be used to improve the service. For more information, see [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/).

## AWS Deadline Cloud CLI and Tools


The AWS Deadline Cloud CLI, submitters, and worker agent all collect operational information such as when crashes occur and when jobs are submitted to help us know when you are having problems with these applications. To opt out from the collection of this operational information, use any of the following methods:
+ In the terminal, enter `deadline config set telemetry.opt_out true`.

  This will opt out the CLI, submitters, and worker agent when running as the current user.
+ When installing the Deadline Cloud worker agent, add the `--telemetry-opt-out` command line argument. For example, `./install.sh --farm-id $FARM_ID --fleet-id $FLEET_ID --telemetry-opt-out`.
+ Before running the worker agent, CLI, or submitter, set an environment variable: `DEADLINE_CLOUD_TELEMETRY_OPT_OUT=true`

After you opt out, the Deadline Cloud tools no longer send the operational data. Any previously collected data is retained and may still be used to improve the service. For more information, see [Data Privacy FAQ](https://aws.amazon.com/compliance/data-privacy-faq/).