# Connecting Amazon Key Management Service (KMS) To Workato EKM

Using Amazon Key Management Service (KMS) with Workato Enterprise Key Management (EKM) allows you to bring your own encryption keys to Workato. In addition to meeting compliance and security requirements, you can view detailed activity logs in AWS KMS and stay informed of when and where data is accessed.

This guide will walk you through creating a key in AWS KMS and configuring EKM in Workato.

# Prerequisites

To perform the tasks in this guide, you'll need:

The following in Workato:
- An account with the Enterprise Key Management feature enabled
- A user role with the Key management privilege
The following in Amazon Web Services (AWS):
- Permissions that allow you to create and update keys in AWS KMS. Refer to the AWS KMS documentation (opens new window) for more info.

# Step 1: Create And Configure The Key

Step 1.1: Retrieve the Workato key policy
Step 1.2: Configure the key in AWS
Step 1.3: Enable auto-rotation

# Step 1.1: Retrieve The Workato Key Policy

Navigate to Settings > Key management.

In the How do you want to encrypt your data? field, select AWS KMS key from the dropdown.

Click Step 1 to open it:

The AWS Key policy on the Workato Key management settings page

Keep this page handy - you'll need it to complete the next step.

# Step 1.2: Configure The Key In AWS

NOTE

While this tutorial walks you through creating a new key, you may use an existing key.

In the navigation pane, click Customer managed keys.

On the Customer managed keys page, click Create key.

On the Step 1 - Configure key page:

Configure the following fields:

Key type: Select Symmetric. Refer to the AWS KMS documentation (opens new window) for more info about this key type.
Advanced options > Key material origin: Select KMS.

The Configure key page in AWS KMS

Click Next.

On the Step 2 - Add labels page:

In the Alias field, enter a display name for the key.

Configure other fields as needed.

Click Next.

Proceed through the remaining steps in AWS, configuring fields as needed. Click Next to proceed to the next page.

When you reach the Step 5 - Review page:

Navigate to the tab where your Workato account settings page from step 1.1 is open.

Copy the contents of the Permission to access key field.

In AWS, paste the contents into the Statement property of the default policy in the Key policy field.

Note: If there are multiple objects in the Statement property you need to keep, make sure to add commas (,) after all but the last object:

Key policy with multiple Statement objects

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::TODO-ACCOUNTID:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },	 /* Comma before next object */ 
        {
	        "Sid": "Allow use of the key",
	        "Effect": "Allow",
	        "Principal": {
	            "AWS": "arn:aws:iam::TODO - ACCOUNTID:role/Workato_EKM"
	        },
	        "Action": [
	            "kms:Encrypt",
	            "kms:Decrypt"
	        ],
	        "Resource": "*"
	    }
    ]
}

Otherwise, the key policy should be similar to the following:

Key policy with a single Statement object

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
	    {
	        "Sid": "Allow use of the key",
	        "Effect": "Allow",
	        "Principal": {
	            "AWS": "arn:aws:iam::TODO - ACCOUNTID:role/Workato_EKM"
	        },
	        "Action": [
	            "kms:Encrypt",
	            "kms:Decrypt"
	        ],
	        "Resource": "*"
	    }
   ]
}

Click Finish to create the key.

# Step 1.3: Enable Auto-Rotation

NOTE

While enabling automatic key rotation (opens new window) isn't a requirement, we recommend doing so as a best practice.

Navigate to the Customer managed keys page.

Locate the key you created in the list and click to open it.

Click the Key rotation tab.

Check the Automatically rotate this KMS key every year box:

The Key rotation tab and enablement checkbox in the Key Details page of AWS

Click Save.

# Step 2.1: Retrieve The Key ARN In AWS

If you're not on the Customer managed keys page, navigate there and click the key you created to open its details page.

On the key's details page, locate the General configuration section and the ARN field:

Highlighted ARN field in the General Configuration section of the key details page in AWS

Copy the ARN and keep it handy - you'll need it to complete the next step.

# Step 2.2: Set Up The Key In Workato

Navigate to the tab where your Workato account settings page is open.

Paste the ARN in the Key ARN field.

Click Update key.

# Troubleshooting Key Validation Errors

If you encounter an error after clicking Update key, verify that:

You correctly added the key policy to the key in AWS KMS. Verify that the key policy is valid JSON and contained in the Statement property.
You pasted the correct key ARN into Workato. Verify the key ARN doesn't contain extra spaces or characters and that you pasted the correct value into Workato.
AWS KMS isn't experiencing downtime. If you've verified the key policy and ARN are correct, check the AWS Health Dashboard (opens new window) for potential outages in KMS.

Last updated: 8/7/2023, 7:58:28 PM