# Connecting Amazon Key Management Service (KMS) To Workato EKM

Using Amazon Key Management Service (KMS) with Workato Enterprise Key Management (EKM) allows you to bring your own encryption keys to Workato. In addition to meeting compliance and security requirements, you can view detailed activity logs in AWS KMS and stay informed of when and where data is accessed.

This guide will walk you through creating a key in AWS KMS and configuring EKM in Workato.


# Prerequisites

To perform the tasks in this guide, you'll need:


# Step 1: Create And Configure The Key

# Step 1.1: Retrieve The Workato Key Policy

1. Sign in to your Workato account if you haven't already.
2. Navigate to Settings > Key management.
3. In the How do you want to encrypt your data? field, select AWS KMS key from the dropdown.
4. Click Step 1 to open it:

   [Screenshot: The AWS Key policy on the Workato Key management settings page]

Keep this page handy - you'll need it to complete the next step.

# Step 1.2: Configure The Key In AWS

NOTE: While this tutorial walks you through creating a new key, you may use an existing key.

1. Sign in to your AWS Management Console and open the KMS console.
2. In the navigation pane, click Customer managed keys.
3. On the Customer managed keys page, click Create key.
4. On the Step 1 - Configure key page:
   1. Configure the following fields:

      [Screenshot: The Configure key page in AWS KMS]

   2. Click Next.
5. On the Step 2 - Add labels page:
   1. In the Alias field, enter a display name for the key.
   2. Configure other fields as needed.
   3. Click Next.
6. Proceed through the remaining steps in AWS, configuring fields as needed. Click Next to proceed to the next page.
7. When you reach the Step 5 - Review page:
   1. Navigate to the tab where your Workato account settings page from step 1.1 is open.
   2. Copy the contents of the Permission to access key field.
   3. In AWS, paste the contents into the Statement property of the default policy in the Key policy field.

      Note: If there are multiple objects in the Statement property you need to keep, make sure to add a comma (,) after every object except the last (in the example below, the comma after the first object's closing brace). Key policy with multiple Statement objects:

      ```json
      {
          "Id": "key-consolepolicy-3",
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Enable IAM User Permissions",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::TODO-ACCOUNTID:root"
                  },
                  "Action": "kms:*",
                  "Resource": "*"
              },
              {
                  "Sid": "Allow use of the key",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::TODO-ACCOUNTID:role/Workato_EKM"
                  },
                  "Action": [
                      "kms:Encrypt",
                      "kms:Decrypt"
                  ],
                  "Resource": "*"
              }
          ]
      }
      ```

      Otherwise, the key policy should be similar to the following. Key policy with a single Statement object:

      ```json
      {
          "Id": "key-consolepolicy-3",
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Allow use of the key",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::TODO-ACCOUNTID:role/Workato_EKM"
                  },
                  "Action": [
                      "kms:Encrypt",
                      "kms:Decrypt"
                  ],
                  "Resource": "*"
              }
          ]
      }
      ```

   4. Click Finish to create the key.

# Step 1.3: Enable Auto-Rotation

NOTE: While enabling automatic key rotation isn't a requirement, we recommend doing so as a best practice.

1. Navigate to the Customer managed keys page.
2. Locate the key you created in the list and click to open it.
3. Click the Key rotation tab.
4. Check the Automatically rotate this KMS key every year box:

   [Screenshot: The Key rotation tab and enablement checkbox in the Key Details page of AWS]

5. Click Save.


# Step 2: Add The Key In Workato

# Step 2.1: Retrieve The Key ARN In AWS

1. If you're not on the Customer managed keys page, navigate there and click the key you created to open its details page.
2. On the key's details page, locate the General configuration section and the ARN field:

   [Screenshot: Highlighted ARN field in the General Configuration section of the key details page in AWS]

3. Copy the ARN and keep it handy - you'll need it to complete the next step.

# Step 2.2: Set Up The Key In Workato

1. Navigate to the tab where your Workato account settings page is open.
2. Paste the ARN in the Key ARN field.
3. Click Update key.


# Troubleshooting Key Validation Errors

If you encounter an error after clicking Update key, verify that:

  • You correctly added the key policy to the key in AWS KMS. Verify that the key policy is valid JSON and that the Workato statement is contained in the Statement property.
  • You pasted the correct key ARN into Workato. Verify that the ARN doesn't contain extra spaces or characters and that it belongs to the key you configured.
  • AWS KMS isn't experiencing downtime. If you've verified the key policy and ARN are correct, check the AWS Health Dashboard for potential outages in KMS.
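As an added example (not part of the Workato documentation or any Workato or AWS tooling), the following Python helpers merge the Workato statement into an existing key policy the way step 1.2 describes and run the first two troubleshooting checks above offline. The statement and the TODO-ACCOUNTID placeholder are taken from this page; the function names, the sample policy in the test, and the KMS key ARN shape (region, 12-digit account id, key/<uuid>) are assumptions.

```python
import json
import re

# Constructed sample: the Workato statement from this page, keeping the page's
# TODO-ACCOUNTID placeholder (assumption: you substitute your own account id).
WORKATO_STATEMENT = {
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::TODO-ACCOUNTID:role/Workato_EKM"},
    "Action": ["kms:Encrypt", "kms:Decrypt"],
    "Resource": "*",
}
KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

def merge_statement(policy_text, statement=WORKATO_STATEMENT):
    """Append the Workato statement to the Statement array and re-serialize;
    json.dumps emits the commas between objects that the note warns about."""
    policy = json.loads(policy_text)
    stmts = policy.setdefault("Statement", [])
    if not isinstance(stmts, list):
        raise ValueError("Statement property must be an array")
    if statement not in stmts:  # idempotent: re-running adds no duplicate
        stmts.append(statement)
    return json.dumps(policy, indent=4)

def policy_problems(policy_text, role_arn):
    """Troubleshooting checks: valid JSON, Statement is an array, and one
    statement allows both kms:Encrypt and kms:Decrypt to the Workato role."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as err:
        return [f"key policy is not valid JSON: {err.msg} at char {err.pos}"]
    stmts = policy.get("Statement")
    if not isinstance(stmts, list):
        return ["Statement property is missing or is not an array"]
    for s in stmts:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = s.get("Principal")
        if (s.get("Effect") == "Allow" and isinstance(principal, dict)
                and principal.get("AWS") == role_arn
                and {"kms:Encrypt", "kms:Decrypt"} <= set(actions)):
            return []
    return [f"no Allow statement grants kms:Encrypt and kms:Decrypt to {role_arn}"]

def clean_key_arn(raw):
    """Drop stray whitespace from a pasted key ARN; None if it is malformed."""
    arn = "".join(raw.split())
    return arn if KEY_ARN_RE.match(arn) else None
```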