Data Encryption at rest for AWS HealthScribe - Amazon Transcribe


AWS HealthScribe provides encryption by default to protect sensitive customer data at rest using Amazon S3-managed keys.

  • Amazon S3-managed Keys (SSE-S3) — AWS HealthScribe uses Amazon S3-managed keys by default to automatically encrypt intermediate files. You cannot view, manage, or use Amazon S3-managed keys, or audit their use. However, you do not have to take any action or change any programs to protect the keys that encrypt your data. For more information, see SSE-S3.

Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements.

While you cannot disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption over the existing Amazon S3-managed keys by choosing a customer managed key when you create a job with AWS HealthScribe.

  • Customer managed keys — AWS HealthScribe supports the use of a symmetric customer managed key that you create, own, and manage to add a second layer of encryption over the existing AWS owned encryption. Because you have full control of this layer of encryption, you can perform such tasks as:

    • Establishing and maintaining key policies

    • Establishing and maintaining IAM policies and grants

    • Enabling and disabling key policies

    • Rotating key cryptographic material

    • Adding tags

    • Creating key aliases

    • Scheduling keys for deletion

For more information, see customer managed key in the AWS Key Management Service Developer Guide.

Note

AWS HealthScribe automatically enables encryption at rest using AWS-owned keys to protect personally identifiable data at no charge. However, AWS KMS charges apply for using a customer managed key. For more information about pricing, see AWS Key Management Service pricing.

For more information on AWS KMS, see What is AWS Key Management Service.

Create a customer managed key

You can create a symmetric customer managed key by using the AWS Management Console, or the AWS KMS APIs. To create a symmetric customer managed key, follow the steps for Creating symmetric customer managed key in the AWS Key Management Service Developer Guide.

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see Managing access to customer managed keys in the AWS Key Management Service Developer Guide.

If the key is in the same account as the IAM role you specify as the DataAccessRoleArn in your StartMedicalScribeJob request, you do not need to update the key policy. To use a customer managed key that is in a different account from your DataAccessRole, you must trust the DataAccessRoleArn in the key policy for the following actions:

  • kms:Encrypt — Allows encryption using the customer managed key

  • kms:Decrypt — Allows decryption using the customer managed key

  • kms:DescribeKey — Provides the customer managed key details to allow AWS HealthScribe to validate the key

The following is an example policy statement you can add to the key policy to give your IAM role cross-account permissions to use your customer managed key:

    "Statement": [
        {
            "Sid": "Allow access to the DataAccessRole for StartMedicalScribeJob",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/DataAccessRole"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }
    ]

Regardless of whether your customer managed key and DataAccessRole are in the same account or in different accounts, your DataAccessRole needs permission to perform the actions listed above with your customer managed key. The following is an example policy statement you can add to the DataAccessRole's IAM policy:

    "Statement": [
        {
            "Sid": "Allow role to perform AWS KMS actions for customer managed key",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]

For more information about specifying permissions in a policy, see the AWS Key Management Service Developer Guide. For more information about troubleshooting key access, see the AWS Key Management Service Developer Guide.

Specifying a customer managed key for AWS HealthScribe

You can specify a customer managed key as a second layer of encryption for StartMedicalScribeJob requests. When you create a StartMedicalScribeJob request, specify the customer managed key by including the OutputEncryptionKMSKeyId field in the request.

AWS KMS encryption context

AWS KMS encryption context is a map of plain text, non-secret key:value pairs. This map represents additional authenticated data, known as encryption context pairs, which provide an added layer of security for your data. AWS HealthScribe requires a symmetric encryption key to encrypt AWS HealthScribe output into a customer-specified Amazon S3 bucket. To learn more, see Asymmetric keys in AWS KMS.

When creating your encryption context pairs, do not include sensitive information. Encryption context is not secret — it is visible in plain text within your CloudTrail logs (so you can use it to identify and categorize your cryptographic operations). Your encryption context pair can include special characters, such as underscores (_), dashes (-), slashes (/, \) and colons (:).

Tip

It can be useful to relate the values in your encryption context pair to the data being encrypted. Although not required, we recommend you use non-sensitive metadata related to your encrypted content, such as file names, header values, or unencrypted database fields.

To use output encryption with the API, set the KMSEncryptionContext parameter in the StartMedicalScribeJob operation. To provide an encryption context for the output encryption operation, the OutputEncryptionKMSKeyId parameter must reference a symmetric AWS KMS key ID.

You can use AWS KMS condition keys with IAM policies to control access to a symmetric encryption AWS KMS key based on the encryption context that was used in the request for a cryptographic operation. For an example encryption context policy, see AWS KMS encryption context policy.
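The following Python is an added example, not code from the AWS documentation. It ties together the key-policy and DataAccessRole statements shown earlier, the StartMedicalScribeJob parameters that carry OutputEncryptionKMSKeyId and KMSEncryptionContext, and a small evaluator that mirrors how a kms:EncryptionContext:<key> StringEquals condition is matched against the encryption context of a request. The account id, key ARN, bucket and media URI are constructed placeholders; the request field names other than the three named on this page (DataAccessRoleArn, OutputEncryptionKMSKeyId, KMSEncryptionContext) follow the boto3 start_medical_scribe_job request shape and are an assumption of this example.

```python
"""Added example (not from the AWS documentation): policy statements, job
parameters and an encryption-context condition check for AWS HealthScribe
second-layer encryption with a customer managed key."""
import json

# Constructed placeholders; the account id, key id, bucket and media URI below
# are not real resources.
ROLE_ARN = "arn:aws:iam::111122223333:role/DataAccessRole"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
EC_PREFIX = "kms:EncryptionContext:"


def key_policy_statement(role_arn, required_context=None):
    """Key-policy statement trusting the DataAccessRole, as in the
    cross-account example on this page. If required_context is given, the
    grant only applies to requests whose encryption context carries exactly
    those pairs (one kms:EncryptionContext:<key> StringEquals condition each)."""
    statement = {
        "Sid": "Allow access to the DataAccessRole for StartMedicalScribeJob",
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
                   "kms:GenerateDataKey"],
        "Resource": "*",
    }
    if required_context:
        statement["Condition"] = {"StringEquals": {
            EC_PREFIX + k: v for k, v in required_context.items()}}
    return statement


def role_policy_statement(key_arn):
    """Identity-policy statement for the DataAccessRole. The page's example
    uses Resource "*"; scoping it to the one key ARN is least privilege."""
    return {
        "Sid": "Allow role to perform AWS KMS actions for customer managed key",
        "Effect": "Allow",
        "Action": ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt"],
        "Resource": key_arn,
    }


def policy_document(*statements):
    """Wrap statements in a complete policy document, returned as JSON text."""
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)},
                      indent=2)


def start_job_params(job_name, media_uri, bucket, role_arn, key_arn, context):
    """Keyword arguments for boto3 transcribe.start_medical_scribe_job.
    Field names other than DataAccessRoleArn, OutputEncryptionKMSKeyId and
    KMSEncryptionContext are an assumption of this example."""
    for k, v in context.items():
        # Encryption context pairs are non-secret strings that appear in plain
        # text in CloudTrail; reject anything that is not a non-empty string.
        if not (isinstance(k, str) and isinstance(v, str) and k and v):
            raise ValueError(f"encryption context pair {k!r}: {v!r} "
                             "must be non-empty strings")
    return {
        "MedicalScribeJobName": job_name,
        "Media": {"MediaFileUri": media_uri},
        "OutputBucketName": bucket,
        "DataAccessRoleArn": role_arn,
        "OutputEncryptionKMSKeyId": key_arn,
        "KMSEncryptionContext": context,
        "Settings": {"ShowSpeakerLabels": True, "MaxSpeakerLabels": 2},
    }


def condition_allows(statement, request_context):
    """Mirror how KMS matches kms:EncryptionContext:<key> StringEquals
    conditions: every conditioned key must be present in the request's
    encryption context with an identical, case-sensitive value; extra request
    pairs do not matter; a statement without such conditions always matches."""
    conditions = statement.get("Condition", {}).get("StringEquals", {})
    for cond_key, expected in conditions.items():
        if cond_key.startswith(EC_PREFIX):
            if request_context.get(cond_key[len(EC_PREFIX):]) != expected:
                return False
    return True


if __name__ == "__main__":
    required = {"purpose": "healthscribe", "env": "prod"}
    print(policy_document(key_policy_statement(ROLE_ARN, required)))
    print(policy_document(role_policy_statement(KEY_ARN)))
    params = start_job_params("visit-0001", "s3://example-bucket/visit-0001.wav",
                              "example-output-bucket", ROLE_ARN, KEY_ARN, required)
    print(json.dumps(params, indent=2))
    stmt = key_policy_statement(ROLE_ARN, required)
    print(condition_allows(stmt, required))                                   # True
    print(condition_allows(stmt, {"purpose": "HealthScribe", "env": "prod"}))  # False
```

The evaluator makes the operational point concrete: a Decrypt on the HealthScribe output will only be allowed if the caller supplies the same encryption context pairs, with the same case, that the condition names; a policy conditioned on the context therefore has to be kept in step with the KMSEncryptionContext value passed to StartMedicalScribeJob.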

Using encryption context is optional, but recommended. For more information, see Encryption context.