Key management - Amazon Fraud Detector

Key management

Amazon Fraud Detector encrypts your data using one of two types of keys:

  • An AWS owned KMS key. This is the default.

  • A customer managed KMS key.

Creating a customer managed KMS key

You can create a customer managed KMS key using either the AWS KMS console or the CreateKey API. When creating the key, make sure you:

  • Select a symmetric encryption customer managed KMS key. Amazon Fraud Detector does not support asymmetric KMS keys. For more information, see Asymmetric keys in AWS KMS in the AWS Key Management Service Developer Guide.

  • Create a single-Region KMS key. Amazon Fraud Detector does not support multi-Region KMS keys. For more information, see Multi-Region keys in AWS KMS in the AWS Key Management Service Developer Guide.

  • Add the following statement to the key policy to allow the Amazon Fraud Detector service principal to use the key. Without these permissions, PutKMSEncryptionKey cannot use the key and Amazon Fraud Detector cannot encrypt or decrypt your data.

    {
        "Effect": "Allow",
        "Principal": {
            "Service": "frauddetector.amazonaws.com"
        },
        "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:ReEncrypt*",
            "kms:GenerateDataKey*",
            "kms:DescribeKey",
            "kms:CreateGrant",
            "kms:RetireGrant"
        ],
        "Resource": "*"
    }

    For information on key policies, see Using Key Policies in AWS KMS in the AWS Key Management Service Developer Guide.

Encrypting data using a customer managed KMS key

Use the Amazon Fraud Detector PutKMSEncryptionKey API to encrypt your Amazon Fraud Detector data at rest with the customer managed KMS key. You can change the encryption configuration at any time by calling PutKMSEncryptionKey again with a different key.
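Before calling PutKMSEncryptionKey it is worth verifying that the key actually meets the requirements listed above (customer managed, symmetric encryption, single-Region, enabled, and a key policy that grants the service principal the required actions). The following preflight check is an added example and is not part of the Amazon Fraud Detector documentation or the service's own tooling. Its inputs assume the field names returned by `aws kms describe-key` (the KeyMetadata object) and `aws kms get-key-policy` (the Policy document, parsed from its JSON string); the account ID, key ID and policies below are constructed sample data. The policy check is deliberately simple: it looks only at Allow statements that name frauddetector.amazonaws.com and ignores Condition blocks and Deny statements, so a passing result means the required statement is present, not that every possible policy interaction has been evaluated.

```python
"""Preflight check: does a KMS key meet Amazon Fraud Detector's requirements?

Added example. Input shapes mirror `aws kms describe-key` (KeyMetadata) and
`aws kms get-key-policy` (Policy, parsed from JSON). Sample data is constructed.
"""
import json

SERVICE_PRINCIPAL = "frauddetector.amazonaws.com"

# Actions the key policy must grant to the Fraud Detector service principal.
REQUIRED_ACTIONS = {
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:DescribeKey", "kms:CreateGrant", "kms:RetireGrant",
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(granted, required):
    """True if a granted action string covers a required one (trailing '*' wildcard)."""
    if granted in ("*", "kms:*"):
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def missing_policy_actions(policy):
    """Return the required actions that no Allow statement grants to the
    Fraud Detector service principal. Conditions and Deny statements are
    not evaluated (a full evaluation needs the IAM policy simulator)."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if SERVICE_PRINCIPAL not in services:
            continue
        granted.update(_as_list(stmt.get("Action")))
    return {a for a in REQUIRED_ACTIONS
            if not any(_action_matches(g, a) for g in granted)}


def check_key_for_fraud_detector(key_metadata, policy):
    """Return a list of problems; an empty list means the key can be passed to
    PutKMSEncryptionKey. key_metadata is the KeyMetadata dict from DescribeKey,
    policy is the parsed key policy document."""
    problems = []
    if key_metadata.get("KeyManager") != "CUSTOMER":
        problems.append("key is not a customer managed key")
    # Only symmetric encryption keys are supported (no asymmetric, no HMAC).
    spec = key_metadata.get("KeySpec", key_metadata.get("CustomerMasterKeySpec"))
    if spec != "SYMMETRIC_DEFAULT":
        problems.append(f"KeySpec is {spec!r}, not 'SYMMETRIC_DEFAULT'")
    if key_metadata.get("KeyUsage") != "ENCRYPT_DECRYPT":
        problems.append("KeyUsage must be ENCRYPT_DECRYPT")
    # Multi-Region keys are not supported.
    if key_metadata.get("MultiRegion", False):
        problems.append("key is a multi-Region key; a single-Region key is required")
    # A disabled or pending-deletion key makes the encrypted data unreadable.
    if key_metadata.get("KeyState") != "Enabled":
        problems.append(f"KeyState is {key_metadata.get('KeyState')!r}, not 'Enabled'")
    missing = missing_policy_actions(policy)
    if missing:
        problems.append("key policy does not grant " + SERVICE_PRINCIPAL + ": "
                        + ", ".join(sorted(missing)))
    return problems


# Constructed sample: DescribeKey metadata for a compliant key (fake account/key IDs).
GOOD_KEY = {
    "KeyId": "11111111-2222-3333-4444-555555555555",
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
    "KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT",
    "KeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": False,
}

# Constructed key policy: account root as administrator plus the statement
# from this page that grants the Fraud Detector service principal access.
GOOD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow",
     "Principal": {"Service": "frauddetector.amazonaws.com"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
                "kms:DescribeKey", "kms:CreateGrant", "kms:RetireGrant"],
     "Resource": "*"}
  ]
}""")

# Constructed failure case: a multi-Region key whose policy omits the grant actions.
BAD_KEY = dict(GOOD_KEY, MultiRegion=True)
BAD_POLICY = json.loads(json.dumps(GOOD_POLICY))
BAD_POLICY["Statement"][1]["Action"] = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                                        "kms:GenerateDataKey*", "kms:DescribeKey"]

if __name__ == "__main__":
    for name, key, pol in (("good", GOOD_KEY, GOOD_POLICY), ("bad", BAD_KEY, BAD_POLICY)):
        problems = check_key_for_fraud_detector(key, pol)
        print(name, "-> OK" if not problems else "-> " + "; ".join(problems))
```

Once the check returns no problems, apply the key with `aws frauddetector put-kms-encryption-key --kms-encryption-key-arn <key ARN>` and confirm the configuration with `aws frauddetector get-kms-encryption-key`. Re-running the check periodically is also a cheap way to catch a key that has since been disabled or scheduled for deletion, which is the failure mode described at the end of this page.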

Important notes about encrypted data

  • Only data generated after the customer managed KMS key is configured is encrypted with it. Data generated before that point is not re-encrypted; it remains under the previous encryption configuration (by default, the AWS owned key).

  • If the customer managed KMS key is changed, data that was encrypted using the previous encryption configuration is not re-encrypted with the new key. The previous key must therefore remain available for that data to stay readable.

View data

When you use a customer managed KMS key to encrypt your Amazon Fraud Detector data, the fields encrypted under that key are not searchable using filters in the Search Past Predictions area of the Amazon Fraud Detector console, so filtering on them returns incomplete results. To ensure complete search results, filter only on one or more of the following properties, which remain searchable:

  • Event ID

  • Evaluation timestamp

  • Detector status

  • Detector version

  • Model version

  • Model type

  • Rule evaluation status

  • Rule execution mode

  • Rule match status

  • Rule version

  • Variable data source

If the customer managed KMS key has been deleted or is scheduled for deletion, Amazon Fraud Detector can no longer decrypt the data that was encrypted under it, and that data might not be available. For more information, see Deleting KMS key.