Key management - Amazon Transcribe

Key management

Amazon Transcribe works with AWS KMS keys to provide enhanced encryption for your data. Amazon S3 already lets you encrypt the input audio you upload for a transcription job. Integration with AWS KMS lets you encrypt the output of the StartTranscriptionJob API with a KMS key that you choose.

If you don't specify a KMS key, the output of the transcription job is encrypted with the default Amazon S3 key (SSE-S3).

For more information on AWS KMS, see the AWS Key Management Service Developer Guide.

AWS KMS encryption with the AWS Management Console

To encrypt the output of your transcription job, you can use a KMS key from the AWS account that is making the request, or a KMS key from another AWS account.

To enable output result encryption

  1. Under Output data choose Encryption.

  2. Choose whether the KMS key is from the AWS account you're currently using or from a different AWS account. If you want to use a key from the current AWS account, choose the key from KMS key ID. If you're using a key from a different AWS account, you need to enter the key ARN. To use a key from a different AWS account, the caller must have kms:Encrypt permission for that KMS key, and because the key lives in another account, that permission has to be granted both in the key's key policy and in an IAM policy attached to the caller.

AWS KMS encryption with the API

To use output encryption with the API, you must specify your KMS key using the OutputEncryptionKMSKeyId parameter of the StartCallAnalyticsJob, StartMedicalTranscriptionJob, or StartTranscriptionJob operation.

If using a key located in the current AWS account, you can specify your KMS key in one of four ways:

  1. Use the KMS key ID itself. For example, 1234abcd-12ab-34cd-56ef-1234567890ab.

  2. Use an alias for the KMS key ID. For example, alias/ExampleAlias.

  3. Use the Amazon Resource Name (ARN) for the KMS key ID. For example, arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab.

  4. Use the ARN for the KMS key alias. For example, arn:aws:kms:region:account-ID:alias/ExampleAlias.

If using a key located in a different AWS account than the current AWS account, you can specify your KMS key in one of two ways:

  1. Use the ARN for the KMS key ID. For example, arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab.

  2. Use the ARN for the KMS key alias. For example, arn:aws:kms:region:account-ID:alias/ExampleAlias.

Note that the principal making the request (the IAM user or role whose credentials call the API) must have permission to use the specified KMS key. For a key in another account, that permission must come from both the key's key policy in that account and an IAM policy in the caller's account.
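The four identifier forms above, and the rule that only the two ARN forms can name a key in another account, are easy to get wrong in automation. The following is an added example (not code from the Amazon Transcribe documentation) that classifies an OutputEncryptionKMSKeyId value, flags when it points at another account, and builds the StartTranscriptionJob request that uses it. The job name, bucket names, region and account numbers are constructed placeholders, and no AWS call is made; the returned dict is what you would pass to boto3's transcribe.start_transcription_job(**params).

```python
"""Classify the OutputEncryptionKMSKeyId forms that Amazon Transcribe accepts
and build the StartTranscriptionJob request that uses one of them.

Added example; not code from the Amazon Transcribe documentation. Job name,
bucket names, region and account numbers are constructed placeholders, and
no AWS call is made.
"""
import re

# Bare key ID, e.g. 1234abcd-12ab-34cd-56ef-1234567890ab (own account only).
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
# Bare alias, e.g. alias/ExampleAlias (own account only).
ALIAS_RE = re.compile(r"^alias/[A-Za-z0-9/_-]+$")
# Key ARN or alias ARN; the only forms valid for a key in another account.
ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):kms:(?P<region>[a-z0-9-]+):"
    r"(?P<account>\d{12}):(?P<kind>key|alias)/(?P<name>[^/:][^:]*)$"
)


def classify_kms_key(key_id, caller_account):
    """Return (form, cross_account) for a KMS key identifier.

    form is "key-id", "alias", "key-arn" or "alias-arn". cross_account is
    True only for an ARN whose account differs from the caller's: the two
    bare forms are always resolved in the caller's own account, which is
    why a key in another account has to be given as an ARN.
    """
    if KEY_ID_RE.match(key_id):
        return "key-id", False
    if ALIAS_RE.match(key_id):
        return "alias", False
    m = ARN_RE.match(key_id)
    if m is None:
        raise ValueError(f"unrecognised KMS key identifier: {key_id!r}")
    if m["kind"] == "key" and not KEY_ID_RE.match(m["name"]):
        raise ValueError(f"key ARN does not end in a key ID: {key_id!r}")
    form = "key-arn" if m["kind"] == "key" else "alias-arn"
    return form, m["account"] != caller_account


def start_transcription_job_params(job_name, media_uri, output_bucket,
                                   caller_account, kms_key=None):
    """Build keyword arguments for start_transcription_job.

    Leaving kms_key as None omits OutputEncryptionKMSKeyId, so the
    transcript is written with the default Amazon S3 key (SSE-S3).
    Returns (params, cross_account) so the caller knows when a key policy
    grant in the other account is needed on top of its own IAM policy.
    """
    params = {
        "TranscriptionJobName": job_name,
        "LanguageCode": "en-US",
        "Media": {"MediaFileUri": media_uri},
        "OutputBucketName": output_bucket,
    }
    cross_account = False
    if kms_key is not None:
        _form, cross_account = classify_kms_key(kms_key, caller_account)
        params["OutputEncryptionKMSKeyId"] = kms_key
    return params, cross_account


if __name__ == "__main__":
    CALLER = "111122223333"  # constructed account number
    for key in (
        "1234abcd-12ab-34cd-56ef-1234567890ab",
        "alias/ExampleAlias",
        "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
        "arn:aws:kms:us-east-1:444455556666:alias/ExampleAlias",
    ):
        print(key, "->", classify_kms_key(key, CALLER))
    params, cross = start_transcription_job_params(
        "demo-job", "s3://amzn-s3-demo-bucket/input.wav",
        "amzn-s3-demo-output-bucket", CALLER,
        kms_key="arn:aws:kms:us-east-1:444455556666:alias/ExampleAlias")
    print(params, "cross-account:", cross)
```

The cross_account flag is the useful output: when it is True, a failed job with an access-denied error is almost always a missing key policy statement in the other account rather than a problem with the caller's own IAM policy.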

AWS KMS encryption context

AWS KMS encryption context is a map of plain text, non-secret key:value pairs. This map represents additional authenticated data, known as encryption context pairs, which provide an added layer of security for your data. Amazon Transcribe requires a symmetric KMS key to encrypt transcription output into a customer-specified Amazon S3 bucket; asymmetric keys are not supported for output encryption. To learn more, see Asymmetric keys in AWS KMS.

When creating your encryption context pairs, do not use sensitive information. Encryption context is not secret—it is visible in plain text within your CloudTrail logs (so you can use it to identify and categorize your cryptographic operations).

Your encryption context pair can include special characters, such as underscores (_), dashes (-), slashes (/, \) and colons (:).

Tip

It can be useful to relate the values in your encryption context pair to the data being encrypted. Although not required, we recommend you use non-sensitive metadata related to your encrypted content, such as file names, header values, or unencrypted database fields.

To supply an encryption context with the API, set the KMSEncryptionContext parameter in the StartTranscriptionJob operation. The encryption context applies to the output encryption operation, so the OutputEncryptionKMSKeyId parameter must reference a symmetric KMS key.

You can use AWS KMS condition keys with IAM policies to control access to a symmetric KMS key based on the encryption context that was used in the request for a cryptographic operation. For example, the following key policy statement grants the IAM role ExampleRole permission to use the AWS KMS Decrypt, DescribeKey, Encrypt, GenerateDataKey* and ReEncrypt* operations on this particular KMS key (in a key policy, Resource "*" means the key the policy is attached to). The statement matches only requests whose encryption context contains the pair color=indig0Blu3: a request with no encryption context, or with a different value for color, does not match, while additional pairs beyond that one are still allowed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
      },
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:color": "indig0Blu3"
        }
      }
    }
  ]
}

Using encryption context is optional, but recommended. For more information, see Encryption context.
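To see exactly which requests the policy statement above lets through, the following added example (not code from the Amazon Transcribe or AWS KMS documentation) evaluates that statement against constructed requests. It models only the parts of the IAM policy language the statement uses: an Allow effect, an AWS principal, Action patterns with a trailing wildcard, and StringEquals on kms:EncryptionContext:<key>. The policy text is the one from this page; the role, actions and encryption contexts in the requests are constructed, and value comparison is modelled as exact and case-sensitive.

```python
"""Evaluate the key policy statement from this page against requests that do
and do not carry the expected encryption context.

Added example; not code from the Amazon Transcribe or AWS KMS documentation.
Only the subset of the IAM policy language used by that statement is
modelled. The requests are constructed.
"""
import fnmatch
import json

KEY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleRole"},
      "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*",
        "kms:ReEncrypt*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"kms:EncryptionContext:color": "indig0Blu3"}
      }
    }
  ]
}
""")

ENCRYPTION_CONTEXT_PREFIX = "kms:EncryptionContext:"


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names match case-insensitively; '*' is the wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))


def _condition_holds(condition, encryption_context):
    """Apply StringEquals on kms:EncryptionContext:<key>.

    A key absent from the request's encryption context makes the condition
    false: there is no ...IfExists operator here, so a request with no
    encryption context at all is rejected, while extra pairs beyond the
    required one are simply ignored. Key and value comparison is modelled
    as exact and case-sensitive (a simplification).
    """
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for cond_key, expected in clauses.items():
            if not cond_key.startswith(ENCRYPTION_CONTEXT_PREFIX):
                raise NotImplementedError(f"condition key not modelled: {cond_key}")
            ctx_key = cond_key[len(ENCRYPTION_CONTEXT_PREFIX):]
            if encryption_context.get(ctx_key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, principal_arn, action, encryption_context=None):
    """True when an Allow statement matches the request.

    The policy on the page has no Deny statements, so the first matching
    Allow is conclusive; a request matching no statement is denied.
    """
    encryption_context = encryption_context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt["Principal"]["AWS"]):
            continue
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), encryption_context):
            continue
        return True
    return False


if __name__ == "__main__":
    ROLE = "arn:aws:iam::111122223333:role/ExampleRole"
    cases = [
        ("kms:GenerateDataKey", {"color": "indig0Blu3"}),             # allow
        ("kms:Decrypt", {"color": "indig0Blu3", "job": "demo-job"}),  # allow: extra pair
        ("kms:GenerateDataKey", None),                                # deny: no context
        ("kms:GenerateDataKey", {"color": "Indig0Blu3"}),             # deny: value differs
        ("kms:CreateGrant", {"color": "indig0Blu3"}),                 # deny: action not listed
    ]
    for action, ctx in cases:
        verdict = "allow" if is_allowed(KEY_POLICY, ROLE, action, ctx) else "deny"
        print(f"{action} {ctx} -> {verdict}")
```

The case that matters for Transcribe is the third one: a StartTranscriptionJob call that names this key in OutputEncryptionKMSKeyId but leaves KMSEncryptionContext empty is denied by the key policy, so the job fails rather than silently writing the transcript under a different policy path.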