Key management - AWS IoT FleetWise

Key management

AWS IoT FleetWise cloud key management

By default, AWS IoT FleetWise uses AWS managed keys to protect your data in the AWS Cloud. You can update your settings to use a customer managed key to encrypt data in AWS IoT FleetWise. You can create, manage, and view your encryption key through AWS Key Management Service (AWS KMS).

AWS IoT FleetWise supports server-side encryption with customer managed keys stored in AWS KMS to encrypt data for the following resources.

AWS IoT FleetWise resource | Data type | Fields that are encrypted at rest with customer managed keys
Signal catalog | - | description
Signal catalog | Attribute | description, allowedValues, defaultValue, min, max
Signal catalog | Actuator | description, allowedValues, min, max
Signal catalog | Sensor | description, allowedValues, min, max
Vehicle model (model manifest) | - | description
Decoder manifest | - | description
Decoder manifest | CanInterface | protocolName, protocolVersion
Decoder manifest | ObdInterface | requestMessageId, dtcRequestIntervalSeconds, hasTransmissionEcu, obdStandard, pidRequestIntervalSeconds, useExtendedIds
Decoder manifest | CanSignal | factor, isBigEndian, isSigned, length, messageId, offset, startBit
Decoder manifest | ObdSignal | byteLength, offset, pid, pidResponseLength, scaling, serviceMode, startByte, bitMaskLength, bitRightShift
Vehicle | - | attributes
Campaign | - | description
Campaign | conditionBasedCollectionScheme | expression, conditionLanguageVersion, minimumTriggerIntervalMs, triggerMode
Campaign | TimeBasedCollectionScheme | periodMs

Note

Other data and resources are encrypted using the default encryption with keys managed by AWS IoT FleetWise. This key is created and stored in the AWS IoT FleetWise account.

For more information, see What is AWS Key Management Service? in the AWS Key Management Service Developer Guide.

Enable encryption using KMS keys (console)

To use customer managed keys with AWS IoT FleetWise, you must update your AWS IoT FleetWise settings.

To enable encryption using KMS keys (console)
  1. Open the AWS IoT FleetWise console.

  2. Navigate to Settings.

  3. In Encryption, choose Edit to open the Edit encryption page.

  4. For Encryption key type, choose Choose a different AWS KMS key. This enables encryption with customer managed keys stored in AWS KMS.

    Note

    You can only use customer managed key encryption for AWS IoT FleetWise resources. This includes the signal catalog, vehicle model (model manifest), decoder manifest, vehicle, fleet, and campaign.

  5. Choose your KMS key with one of the following options:

    • To use an existing KMS key – Choose your KMS key alias from the list.

    • To create a new KMS key – Choose Create an AWS KMS key.

      Note

      This opens the AWS KMS console. For more information about creating a KMS key, see Creating keys in the AWS Key Management Service Developer Guide.

  6. Choose Save to update your settings.

Enable encryption using KMS keys (AWS CLI)

You can use the PutEncryptionConfiguration API operation to enable encryption for your AWS IoT FleetWise account. The following example uses AWS CLI.

To enable encryption, run the following command.

  • Replace KMS key id with the ID of the KMS key.

aws iotfleetwise put-encryption-configuration --kms-key-id KMS key id --encryption-type KMS_BASED_ENCRYPTION

Example response

{
    "kmsKeyId": "customer_kms_key_id",
    "encryptionStatus": "PENDING",
    "encryptionType": "KMS_BASED_ENCRYPTION"
}

KMS key policy

After you create a KMS key, you must, at minimum, add the following statement to your KMS key policy for it to work with AWS IoT FleetWise.

{
    "Sid": "Allow FleetWise to encrypt and decrypt data when customer managed KMS key based encryption is enabled",
    "Effect": "Allow",
    "Principal": {
        "Service": "iotfleetwise.amazonaws.com"
    },
    "Action": [
        "kms:GenerateDataKey*",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:CreateGrant",
        "kms:RetireGrant",
        "kms:RevokeGrant"
    ],
    "Resource": "*"
}

For more information about editing a KMS key policy for use with AWS IoT FleetWise, see Changing a key policy in the AWS Key Management Service Developer Guide.

Important

When you add the new sections to your KMS key policy, don't change any existing sections in the policy. AWS IoT FleetWise can't perform operations on your data if encryption is enabled for AWS IoT FleetWise and any of the following is true:

  • The KMS key is disabled or deleted.

  • The KMS key policy isn't correctly configured for the service.
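A misconfigured key policy is the second failure mode listed above, and the minimum statement it needs is the one shown under "KMS key policy". The following is an added example, not code from the AWS documentation: a small offline check that parses a KMS key policy document and reports which of the documented actions it fails to grant to the iotfleetwise.amazonaws.com service principal. The two policy documents embedded in it are constructed samples, and the account ID in them is a placeholder.

```python
import fnmatch
import json

# Service principal and actions from the documented minimum key policy statement. The documented
# "kms:GenerateDataKey*" is a wildcard, so the check tests the base action against whatever
# patterns the policy grants (kms:GenerateDataKey*, kms:* and so on all satisfy it).
FLEETWISE_PRINCIPAL = "iotfleetwise.amazonaws.com"
REQUIRED_ACTIONS = ("kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey",
                    "kms:CreateGrant", "kms:RetireGrant", "kms:RevokeGrant")

def _as_list(value):
    """IAM policy JSON lets a single string stand in for a one-element list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _covers_principal(statement, service):
    """True if the statement applies to the given service principal (or to everyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return service in _as_list(principal.get("Service")) or "*" in _as_list(principal.get("AWS"))

def _matches(action, patterns):
    """IAM action names are case-insensitive and may contain '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_fleetwise_actions(policy_json, service=FLEETWISE_PRINCIPAL):
    """Return the required actions this key policy does not grant to the FleetWise principal.
    Resource and Condition elements are not evaluated, so an explicit Deny naming the
    principal counts against it unconditionally (a conservative reading)."""
    allowed, denied = [], []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if _covers_principal(stmt, service):
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            bucket.extend(_as_list(stmt.get("Action")))
    return [a for a in REQUIRED_ACTIONS if _matches(a, denied) or not _matches(a, allowed)]

# Constructed sample: the documented statement next to the usual root-administrator statement.
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRoot", "Effect": "Allow", "Resource": "*", "Action": "kms:*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},  # placeholder account ID
    {"Sid": "AllowFleetWise", "Effect": "Allow", "Resource": "*",
     "Principal": {"Service": "iotfleetwise.amazonaws.com"},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey",
                "kms:CreateGrant", "kms:RetireGrant", "kms:RevokeGrant"]}]})
# Constructed sample: a policy where the grant-related actions were left out.
INCOMPLETE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Principal": {"Service": "iotfleetwise.amazonaws.com"},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt", "kms:DescribeKey"]}]})
```

Run it against the output of `aws kms get-key-policy` before calling put-encryption-configuration; an empty list means the documented minimum is present.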