Summary
To enable Bring Your Own Key (BYOK) encryption with Auditoria Guardian:
- You must have active licenses for both the Auditoria platform and Auditoria Guardian.
- Your Auditoria tenant must be scheduled for provisioning in the Auditoria US Enterprise pod.
- BYOK is supported only with AWS Key Management Service (KMS).
To encrypt your data with your own keys, you must:
- Create separate symmetric keys in your AWS KMS account.
- Grant access to Auditoria as specified in AWS documentation: Allowing users in other accounts to use a KMS key – AWS KMS
Key Usage
-
These keys encrypt data stored in:
- Auditoria’s AWS storage layer
- Auditoria’s MongoDB instance
AWS Regions for Key Placement
Keys must be created and/or replicated in the following AWS regions:
1. For Auditoria’s AWS Storage Layer:
-
Create one symmetric KMS key in
us-west-1(primary) -
Create one symmetric KMS key in
us-east-2(BC/DR region)
If you cannot create keys directly in these regions, create an AWS multi-region key and replicate it to both. You must provide Auditoria with the ARNs for both regions.
2. For Auditoria’s MongoDB Instance:
- Create a multi-region key in us-west-1
- Replicate this key to us-west-2 and us-east-2
As with storage, if not possible in these regions, use a multi-region key and ensure replicas exist in the supported regions.
Next Steps
Before tenant provisioning, share all created KMS key ARNs with Auditoria. Contact your Auditoria Customer Success Manager, Service Implementor, or support@auditoria.ai to obtain Auditoria’s AWS Account ID and your tenant’s unique IAM Trust Policy.
Customers must complete Sections A and B to configure and use Auditoria Guardian.
Configuration Details
Section A: Create a New Customer Managed Key in CUSTOMER AWS KMS for Data Encryption in Auditoria's AWS Storage Layer
Follow these steps to create the necessary symmetric key(s) for Auditoria’s AWS storage layer:
-
Create the Customer Managed Key in AWS KMS
- Refer to the AWS KMS key creation documentation.
- On the configuration page, select the following options:
- Key type: Symmetric
- Key usage: Encrypt and decrypt
- Key material origin: KMS
-
Select Key Regionality
- Create one key in
us-west-1(primary region) - Create one key in
us-east-2(BC/DR region) -
If you cannot create keys directly in these regions, create an AWS multi-region key and replicate it to both
us-west-1andus-east-2. - You must provide Auditoria with the ARNs for both regions for BYOK configuration.
- Create one key in
-
Set Key Metadata (Alias, Description, Tags—These are optional, but recommended for identification)
-
Alias example:
Auditoria-Guardian - Description example: Key for Auditoria Guardian service (BYOK for data encryption)
-
Tag example:
auditoria-guardian
-
Alias example:
-
Set Permissions
- Define key administrators and key users as you require.
- In the Other AWS Accounts section, add Auditoria's AWS Account ID (you can get this from your Auditoria Customer Success contact or support).
-
Review and Create Key
- Carefully review your key configuration and create the key(s).
- After creation, copy and securely store the Key ARNs (for both
us-west-1andus-east-2).
-
Provide Required Key ARNs to Auditoria
- Share the Key ARNs with Auditoria to enable BYOK provisioning for your tenant.
-
Sample Key ARN format:
arn:aws:kms:us-west-1:1234XXXX9012:key/abcd1234-a1b2-3c4d-5e6f-abcdef123456
Sample AWS KMS Key Policy for Auditoria BYOK
This key policy should be attached to each KMS key you create for BYOK in storage. Replace:
-
[Your_AWS_Account_ID]with your own AWS Account ID (where the key is created) -
[Auditoria_AWS_Account_ID]with the Auditoria AWS Account ID (provided by Auditoria support)
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[AWS Account B]:root"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
}
{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[AWS Account A]:root"
},
"Action": "kms:*",
"Resource": "*"
},
{
"Sid": "Allow use of the key",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[AWS Account B]:root"
},
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ReEncrypt*",
"kms:GenerateDataKey*",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "Allow attachment of persistent resources",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[AWS Account B]:root"
},
"Action": [
"kms:CreateGrant",
"kms:ListGrants",
"kms:RevokeGrant"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}Policy notes:
- This policy lets your own account manage everything for the key.
- It gives Auditoria only the rights necessary to use the key for encryption/decryption, and to manage resource grants (as needed for BYOK operation).
Section B: Create a New Customer Managed Key in CUSTOMER AWS KMS for Data Encryption in Auditoria's MongoDB Infrastructure
1. Create a Multi-Region Customer Managed Key
Purpose: To create an AWS KMS multi-region key for encrypting Auditoria’s MongoDB data, including setting up replicas in required AWS regions.
Steps:
-
Open AWS Management Console
- Log in to your AWS account.
- In the AWS Management Console, search for and select Key Management Service (KMS).
-
Check Regional Placement
- Set your AWS region to us-west-1 (Auditoria’s enterprise pod region).
-
Create a Customer Managed Key
- Go to Customer Managed Keys in the KMS sidebar.
- Click Create Key.
- Proceed to Advanced Options.
- Set Regionality to Multi-Region Key.
- Enter an easily identifiable Alias (for example:
Auditoria-BYOK-MongoDB). - Click Skip to Review.
- Review the configuration details and click Finish to create the key.
-
View and Copy Key Details
- Click the hyperlink under the new Key ID to open key details.
- Copy the Key ARN and note it as the primary key for us-west-1.
-
Create Disaster Recovery (DR) Replica Keys
- From the key details page, find the Regionality section and click Create new replica keys.
- Select the DR region — us-east-2.
- Click Skip to Review and confirm any required checkboxes at the bottom.
- Click Create new replica keys to create the replica in us-east-2.
- Repeat the above process to create an additional replica key in us-west-2.
-
Document Key ARNs
- For each created key (us-west-1, us-east-2, and us-west-2), copy and save the full Key ARN.
-
Example ARN format:
arn:aws:kms:us-west-1:1234XXXX9012:key/abcd1234-a1b2-3c4d-5e6f-abcdef123456
2. Create IAM Role & Policy
Purpose: To establish an IAM Role and policies that grant Auditoria limited permission to use your MongoDB KMS keys for encryption and decryption, without relinquishing key management control.
Steps:
-
Open AWS IAM Service
- In AWS Console, navigate to IAM.
- Go to Roles in the sidebar.
- Click Create Role.
-
Set Custom Trust Policy
- When prompted, select Custom trust policy.
- Paste the unique trust policy received from Auditoria (this will be a trust policy specifically generated for your Auditoria tenant; see sample below).
-
Complete Role Creation
- Click Next to proceed.
- Input a clear, identifiable role name (e.g.,
auditoria-role). - Click Create Role.
-
Attach Inline Policy
- After creating the role, search for it and click the hyperlink to open the role’s details page.
- Click Add permissions > Create inline policy.
- In the new policy window, switch to the JSON editor.
- Paste the policy shown in the Sample Inline Policy section below, substituting in your actual key ARNs for us-west-1, us-east-2, and us-west-2.
- Click Next.
- Enter a descriptive name for the policy (e.g.,
auditoria-policy) and click Create policy.
-
Send Details to Auditoria
- Provide your Role ARN and the ARNs of all KMS keys created above to Auditoria.
-
Obtain & Apply Your Unique Trust Policy
- Please contact Auditoria to obtain your unique trust policy (required for the trust relationship). This policy will be pasted into your IAM role’s trust policy.
- If not already done, you can edit the trust relationship for this role by selecting the role in IAM, then choosing "Edit trust relationship".
Sample Inline Policy
Replace the <Key ARN ...> placeholders with your actual KMS key ARNs.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:DescribeKey"
],
"Resource": [
"<Key ARN for us-west-1>",
"<Key ARN for us-east-2>",
"<Key ARN for us-west-2>"
]
}
]
}Sample Trust Policy from Auditoria
Below is an example of the trust policy you will receive (replace the account and external ID with the real values provided by Auditoria Support):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::5367XXXXXXXX:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "50c16a86-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
}
}
]
}Note: The exact values will be sent to you by the Auditoria team.