Securing MarkLogic Server

Using MarkLogic Server Encryption with AWS Key Management System

Amazon Web Services (AWS) provides a key management system (KMS) that you can use with MarkLogic Server encryption at rest to encrypt your data. The AWS KMS is supported for customers running their cluster on AWS in the cloud. You must set up your AWS KMS encryption keys and configure the encryption key IDs in your MarkLogic Server before using the AWS KMS.

To set up the AWS key management system, first set up your AWS instance. See Getting Started with MarkLogic Server on AWS and Overview of MarkLogic Server on AWS in the MarkLogic Server on Amazon Web Services (AWS) Guide for details.

The AWS KMS keys (data, config, and log encryption keys) needed to encrypt and decrypt data must be configured in MarkLogic Server before using encryption.

You cannot use the master key and roles from the MarkLogic Server KMS to access the AWS KMS, so a Key Administrator must grant access to the AWS KMS keys on a per-key basis, tied to the user’s IAM role. The Key Administrator grants this access in the Encryption Keys section of the IAM AWS management console. See the next section, Encryption on EBS Volumes, for details, and the AWS documentation on key policies for more information.
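The following AWS KMS key policy is an added illustration of that per-key, role-based grant; it is not from the MarkLogic documentation and the same shape applies to each of the data, config, and log keys. The account ID 111122223333 is a placeholder, the two role names are assumptions, and the set of actions the cluster role needs is assumed to be the basic encrypt/decrypt operations.

```json
{
  "Version": "2012-10-17",
  "Id": "marklogic-data-key-policy",
  "Statement": [
    {
      "Sid": "EnableRootAccountAdministration",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "KeyAdministratorsManageButDoNotDelete",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/MarkLogicKeyAdministrator" },
      "Action": [
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:PutKeyPolicy",
        "kms:EnableKeyRotation",
        "kms:GetKeyRotationStatus",
        "kms:ListResourceTags",
        "kms:TagResource"
      ],
      "Resource": "*"
    },
    {
      "Sid": "MarkLogicClusterRoleMayUseKey",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:role/MarkLogicClusterInstanceRole" },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```

The Key Administrator statement deliberately omits kms:DisableKey and kms:ScheduleKeyDeletion, so the routine administrators of this key cannot put it into the disabled or deleted state that cuts MarkLogic Server off from its data, while the cluster role receives only the operations needed to encrypt and decrypt. The root-account statement is kept because removing it can leave the key unmanageable.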

Warning

If an encryption key stored in the AWS KMS is disabled for any reason, it cannot be used for encryption or decryption, and MarkLogic Server loses access to any data encrypted with the disabled key. Deleting a key will lead to permanent data loss as deleted keys can never be recovered. Any keys created in the AWS KMS are cluster management keys and should never be deleted. See https://docs.aws.amazon.com/kms/latest/developerguide/enabling-keys.html for more information.