Key management in AWS IoT FleetWise
Important
Access to certain AWS IoT FleetWise features is currently gated. For more information, see AWS Region and feature availability in AWS IoT FleetWise.
AWS IoT FleetWise cloud key management
By default, AWS IoT FleetWise uses AWS managed keys to protect your data in the AWS Cloud. You can update your settings to use a customer managed key to encrypt data in AWS IoT FleetWise. You can create, manage, and view your encryption key through AWS Key Management Service (AWS KMS).
AWS IoT FleetWise supports server-side encryption with customer managed keys stored in AWS KMS to encrypt data for the following resources.
| AWS IoT FleetWise resource | Data type | Fields that are encrypted at rest with customer managed keys |
|---|---|---|
| Signal catalog | | description |
| | Attribute | description, allowedValues, defaultValue, min, max |
| | Actuator | description, allowedValues, min, max |
| | Sensor | description, allowedValues, min, max |
| Vehicle model (model manifest) | | description |
| Decoder manifest | | description |
| | CanInterface | protocolName, protocolVersion |
| | ObdInterface | requestMessageId, dtcRequestIntervalSeconds, hasTransmissionEcu, obdStandard, pidRequestIntervalSeconds, useExtendedIds |
| | CanSignal | factor, isBigEndian, isSigned, length, messageId, offset, startBit |
| | ObdSignal | byteLength, offset, pid, pidResponseLength, scaling, serviceMode, startByte, bitMaskLength, bitRightShift |
| Vehicle | | attributes |
| Campaign | | description |
| | conditionBasedCollectionScheme | expression, conditionLanguageVersion, minimumTriggerIntervalMs, triggerMode |
| | TimeBasedCollectionScheme | periodMs |
| State template | | description |
Note
Other data and resources are encrypted using the default encryption with keys managed by AWS IoT FleetWise. This key is created and stored in the AWS IoT FleetWise account.
For more information, see What is AWS Key Management Service? in the AWS Key Management Service Developer Guide.
Enable encryption using KMS keys (console)
To use customer managed keys with AWS IoT FleetWise, you must update your AWS IoT FleetWise settings.
To enable encryption using KMS keys (console)
- Open the AWS IoT FleetWise console.
- Navigate to Settings.
- In Encryption, choose Edit to open the Edit encryption page.
- For Encryption key type, choose Choose a different AWS KMS key. This enables encryption with customer managed keys stored in AWS KMS.
  Note
  You can only use customer managed key encryption for AWS IoT FleetWise resources. This includes the signal catalog, vehicle model (model manifest), decoder manifest, vehicle, fleet, and campaign.
- Choose your KMS key with one of the following options:
  - To use an existing KMS key – Choose your KMS key alias from the list.
  - To create a new KMS key – Choose Create an AWS KMS key.
    Note
    This opens the AWS KMS console. For more information about creating a KMS key, see Creating keys in the AWS Key Management Service Developer Guide.
- Choose Save to update your settings.
Enable encryption using KMS keys (AWS CLI)
You can use the PutEncryptionConfiguration API operation to enable encryption for your AWS IoT FleetWise account. The following example uses the AWS CLI.
To enable encryption, run the following command. Replace KMS key id with the ID of the KMS key.

aws iotfleetwise put-encryption-configuration --kms-key-id KMS key id --encryption-type KMS_BASED_ENCRYPTION

Example response
{
  "kmsKeyId": "customer_kms_key_id",
  "encryptionStatus": "PENDING",
  "encryptionType": "KMS_BASED_ENCRYPTION"
}
KMS key policy
After you create a KMS key, you must, at minimum, add the following statement to your KMS key policy for it to work with AWS IoT FleetWise. The AWS IoT FleetWise service principal iotfleetwise.amazonaws.com in the KMS key policy statement allows AWS IoT FleetWise to access the KMS key.
{
  "Sid": "Allow FleetWise to encrypt and decrypt data when customer managed KMS key based encryption is enabled",
  "Effect": "Allow",
  "Principal": { "Service": "iotfleetwise.amazonaws.com" },
  "Action": [
    "kms:GenerateDataKey*",
    "kms:Decrypt",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:RetireGrant",
    "kms:RevokeGrant"
  ],
  "Resource": "*"
}
As a security best practice, add the aws:SourceArn and aws:SourceAccount condition keys to the KMS key policy. The IAM global condition key aws:SourceArn helps ensure that AWS IoT FleetWise uses the KMS key only for service-specific resource Amazon Resource Names (ARNs).
If you set the value of aws:SourceArn, it must always be arn:aws:iotfleetwise:us-east-1:account_id:*. This allows AWS IoT FleetWise to use the KMS key for all of its resources in this AWS account. AWS IoT FleetWise supports one KMS key per account for all resources in that AWS Region. Using any other value for the SourceArn, or not using the wildcard (*) for the ARN resource field, prevents AWS IoT FleetWise from accessing the KMS key.
The value of aws:SourceAccount is your account ID, which further restricts the KMS key so that it can only be used for your specific account. If you add the aws:SourceAccount and aws:SourceArn condition keys to the KMS key, make sure the key is not used by any other service or account. This helps avoid failures.
The following policy includes a service principal (an identifier for a service), as well as aws:SourceAccount and aws:SourceArn set up based on the AWS Region and your account ID.
{
  "Sid": "Allow use of the key",
  "Effect": "Allow",
  "Principal": { "Service": "iotfleetwise.amazonaws.com" },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*",
  "Condition": {
    "StringLike": { "aws:SourceAccount": "AWS-account-ID" },
    "ArnLike": { "aws:SourceArn": "arn:aws:iotfleetwise:region:AWS-account-ID:*" }
  }
}
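The following Python script is an added example; it is not code from the AWS IoT FleetWise documentation or from AWS. It builds the scoped statement described above (service principal plus aws:SourceAccount and aws:SourceArn conditions), appends it to an existing key policy without altering the statements already there, and checks a policy document against the requirements stated on this page: an Allow statement for iotfleetwise.amazonaws.com, the minimum set of kms: actions, and a SourceArn of the form arn:aws:iotfleetwise:region:account:*. The sample policy, the account ID 111122223333 and the Sid are constructed for the example, and the statement uses StringEquals for aws:SourceAccount (the value contains no wildcard, so the stricter operator works) where the page's sample uses StringLike.

```python
# Added example, not AWS documentation code. Standard library only.
import copy
import json
import re

FLEETWISE_PRINCIPAL = "iotfleetwise.amazonaws.com"
# Minimum actions the page lists for the FleetWise service principal.
REQUIRED_ACTIONS = {
    "kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey",
    "kms:CreateGrant", "kms:RetireGrant", "kms:RevokeGrant",
}
# The only aws:SourceArn shape the page says FleetWise accepts:
# a Region, a 12-digit account ID and a bare "*" in the resource field.
SOURCE_ARN_RE = re.compile(r"^arn:aws:iotfleetwise:([a-z0-9-]+):(\d{12}):\*$")
STATEMENT_SID = "AllowFleetWiseUseOfTheKey"  # constructed Sid for this example


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def build_fleetwise_statement(region, account_id):
    """Allow statement for the FleetWise service principal, scoped to one
    account and to arn:aws:iotfleetwise:<region>:<account>:*."""
    return {
        "Sid": STATEMENT_SID,
        "Effect": "Allow",
        "Principal": {"Service": FLEETWISE_PRINCIPAL},
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": "*",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": account_id},
            "ArnLike": {"aws:SourceArn": f"arn:aws:iotfleetwise:{region}:{account_id}:*"},
        },
    }


def add_fleetwise_statement(policy, region, account_id):
    """Return a deep copy of the key policy with the FleetWise statement appended.
    Existing statements are left untouched; nothing is added if the Sid exists."""
    new_policy = copy.deepcopy(policy)
    statements = new_policy.setdefault("Statement", [])
    if not any(s.get("Sid") == STATEMENT_SID for s in statements):
        statements.append(build_fleetwise_statement(region, account_id))
    return new_policy


def find_fleetwise_problems(policy, region, account_id):
    """Check a parsed key policy and return a list of problems (empty = OK)."""
    problems, fleetwise = [], []
    for s in policy.get("Statement", []):
        principal = s.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if s.get("Effect") == "Allow" and FLEETWISE_PRINCIPAL in services:
            fleetwise.append(s)
    if not fleetwise:
        return [f"no Allow statement for service principal {FLEETWISE_PRINCIPAL}"]

    # Actions are matched literally; a broader wildcard such as kms:* is not expanded.
    granted = {a for s in fleetwise for a in _as_list(s.get("Action"))}
    missing = REQUIRED_ACTIONS - granted
    if missing:
        problems.append("missing actions: " + ", ".join(sorted(missing)))

    for s in fleetwise:
        cond = s.get("Condition", {})
        arns = [a for op in ("ArnLike", "ArnEquals")
                for a in _as_list(cond.get(op, {}).get("aws:SourceArn"))]
        accounts = [a for op in ("StringEquals", "StringLike")
                    for a in _as_list(cond.get(op, {}).get("aws:SourceAccount"))]
        if not arns and not accounts:
            problems.append(f"statement {s.get('Sid', '<no Sid>')!r} has no "
                            "aws:SourceArn / aws:SourceAccount condition (recommended)")
        for arn in arns:
            m = SOURCE_ARN_RE.match(arn)
            if not m:
                problems.append(f"aws:SourceArn {arn!r} is not arn:aws:iotfleetwise:<region>:<account>:*")
            elif (m.group(1), m.group(2)) != (region, account_id):
                problems.append(f"aws:SourceArn {arn!r} does not match {region} / {account_id}")
        for acct in accounts:
            if acct != account_id:
                problems.append(f"aws:SourceAccount {acct!r} is not this account ({account_id})")
    return problems


# Constructed sample: the default key policy AWS KMS creates, which only grants
# the account root principal full access and has no statement for FleetWise yet.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*",
        "Resource": "*",
    }],
}

if __name__ == "__main__":
    region, account = "us-east-1", "111122223333"
    print("before:", find_fleetwise_problems(SAMPLE_POLICY, region, account))
    updated = add_fleetwise_statement(SAMPLE_POLICY, region, account)
    print(json.dumps(updated, indent=2))
    print("after:", find_fleetwise_problems(updated, region, account))
```

Run it against the output of `aws kms get-key-policy --policy-name default` (parsed with json.loads) before and after editing the key; the check reports a missing FleetWise statement, a SourceArn that names a specific resource instead of `*`, or a SourceAccount that is not yours, which are the misconfigurations the page says will stop AWS IoT FleetWise from using the key.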
For more information about editing a KMS key policy for use with AWS IoT FleetWise, see Changing a key policy in the AWS Key Management Service Developer Guide.
Important
When you add the new sections to your KMS key policy, don't change any existing sections in the policy. AWS IoT FleetWise can't perform operations on your data if encryption is enabled for AWS IoT FleetWise and any of the following is true:
- The KMS key is disabled or deleted.
- The KMS key policy isn't correctly configured for the service.
Permissions for AWS KMS encryption
If you enabled AWS KMS encryption, you must specify permissions in the role policy so that you can call AWS IoT FleetWise APIs. The following policy allows access to all AWS IoT FleetWise actions, as well as AWS KMS specific permissions.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iotfleetwise:*",
        "kms:GenerateDataKey*",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": [ "*" ]
    }
  ]
}
The following policy statement is required for your role to invoke encryption APIs. This policy statement allows the PutEncryptionConfiguration and GetEncryptionConfiguration actions from AWS IoT FleetWise.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iotfleetwise:GetEncryptionConfiguration",
        "iotfleetwise:PutEncryptionConfiguration",
        "kms:GenerateDataKey*",
        "kms:Decrypt",
        "kms:DescribeKey"
      ],
      "Resource": [ "*" ]
    }
  ]
}