# Connecting Amazon Key Management Service (KMS) To Workato EKM
Using Amazon Key Management Service (KMS) with Workato Enterprise Key Management (EKM) allows you to bring your own encryption keys to Workato. In addition to meeting compliance and security requirements, you can view detailed activity logs in AWS KMS and stay informed of when and where data is accessed.
This guide will walk you through creating a key in AWS KMS and configuring EKM in Workato.
# Prerequisites
To perform the tasks in this guide, you'll need:
The following in Workato:
- An account with the Enterprise Key Management feature enabled
- A user role with the Key management privilege
The following in Amazon Web Services (AWS):
- Permissions that allow you to create and update keys in AWS KMS. Refer to the AWS KMS documentation for more info.
# Step 1: Create And Configure The Key
- Step 1.1: Retrieve the Workato key policy
- Step 1.2: Configure the key in AWS
- Step 1.3: Enable auto-rotation
# Step 1.1: Retrieve The Workato Key Policy
Sign in to your Workato account if you haven't already.
Navigate to Settings > Key management.
In the How do you want to encrypt your data? field, select AWS KMS key from the drop-down.
Click Step 1 to open it.
Keep this page handy - you'll need it to complete the next step.
# Step 1.2: Configure The Key In AWS
NOTE
While this tutorial walks you through creating a new key, you may use an existing key.
Sign in to your AWS Management Console and open the KMS console.
In the navigation pane, click Customer managed keys.
On the Customer managed keys page, click Create key.
On the Step 1 - Configure key page:
Configure the following fields:
- Key type: Select Symmetric. Refer to the AWS KMS documentation for more info about this key type.
- Advanced options > Key material origin: Select KMS.
Click Next.
On the Step 2 - Add labels page:
In the Alias field, enter a display name for the key.
Configure other fields as needed.
Click Next.
Proceed through the remaining steps in AWS, configuring fields as needed. Click Next to proceed to the next page.
When you reach the Step 5 - Review page:
Navigate to the tab where your Workato account settings page from step 1.1 is open.
Copy the contents of the Permission to access key field.
In AWS, paste the contents into the `Statement` property of the default policy in the Key policy field.
Note: If there are multiple objects in the `Statement` property you need to keep, make sure to add commas (`,`) after all but the last object:
Key policy with multiple Statement objects (a comma follows the first object, before the next one):
```json
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::TODO-ACCOUNTID:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::TODO-ACCOUNTID:role/Workato_EKM"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
```
Otherwise, the key policy should be similar to the following:
Key policy with a single Statement object:
```json
{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::TODO-ACCOUNTID:role/Workato_EKM"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt"
      ],
      "Resource": "*"
    }
  ]
}
```
Click Finish to create the key.
# Step 1.3: Enable Auto-Rotation
NOTE
While enabling automatic key rotation isn't a requirement, we recommend doing so as a best practice.
Navigate to the Customer managed keys page.
Locate the key you created in the list and click to open it.
Click the Key rotation tab.
Check the Automatically rotate this KMS key every year box.
Click Save.
# Step 2: Add The Key In Workato
# Step 2.1: Retrieve The Key ARN In AWS
If you're not on the Customer managed keys page, navigate there and click the key you created to open its details page.
On the key's details page, locate the General configuration section and the ARN field.
Copy the ARN and keep it handy - you'll need it to complete the next step.
# Step 2.2: Set Up The Key In Workato
Navigate to the tab where your Workato account settings page is open.
Paste the ARN in the Key ARN field.
Click Update key.
# Troubleshooting Key Validation Errors
If you encounter an error after clicking Update key, verify that:
- You correctly added the key policy to the key in AWS KMS. Verify that the key policy is valid JSON and contained in the `Statement` property.
- You pasted the correct key ARN into Workato. Verify the key ARN doesn't contain extra spaces or characters and that you pasted the correct value into Workato.
- AWS KMS isn't experiencing downtime. If you've verified the key policy and ARN are correct, check the AWS Health Dashboard for potential outages in KMS.
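A local pre-check for the first two items in the list above, written as an added example (not Workato or AWS code): it parses the key policy, confirms that a `Statement` entry allows the Workato role `kms:Encrypt` and `kms:Decrypt`, and checks the pasted key ARN for whitespace and shape. The function names, the ARN pattern, and the sample account IDs are assumptions made for illustration; the check reads Allow statements only and does not evaluate Deny statements or conditions.

```python
import json
import re

# Assumed shape of a KMS key ARN: arn:<partition>:kms:<region>:<account>:key/<id>
KEY_ARN_RE = re.compile(r"arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+")
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt"}  # actions in the page's policy

# Constructed sample (made-up account IDs): the comma between objects is missing.
SAMPLE_MISSING_COMMA = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "kms:*", "Resource": "*"}
    {"Sid": "Allow use of the key", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::444455556666:role/Workato_EKM"},
     "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"}
  ]
}"""

def as_list(value):
    """Policy JSON accepts a single string or a list for Action and Principal.AWS."""
    return value if isinstance(value, list) else [value]

def check_key_policy(policy_text, principal_arn):
    """Return a list of problems; an empty list means the policy passed."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON at line {exc.lineno}: {exc.msg}"]
    statements = policy.get("Statement") if isinstance(policy, dict) else None
    if not isinstance(statements, list):
        return ["top-level Statement property is missing or not an array"]
    granted = set()
    for stmt in statements:
        principal = stmt.get("Principal") if isinstance(stmt, dict) else None
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal_arn in aws and stmt.get("Effect") == "Allow":
            granted.update(as_list(stmt.get("Action", [])))
    missing = set() if "kms:*" in granted else REQUIRED_ACTIONS - granted
    return [f"{principal_arn} is not allowed {a}" for a in sorted(missing)]

def check_key_arn(arn):
    """Return a list of problems with the value pasted into the Key ARN field."""
    if re.search(r"\s", arn):
        return ["ARN contains whitespace"]
    if not KEY_ARN_RE.fullmatch(arn):
        return ["ARN does not match arn:aws:kms:<region>:<account>:key/<id>"]
    return []
```

Pass the text from the Key policy field and the role ARN from Workato's Permission to access key field to `check_key_policy`, and the copied key ARN to `check_key_arn`.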
Last updated: 12/20/2024, 6:06:00 PM