AWS Customer-Managed Keys Setup Guide

Follow our setup guide to configure AWS customer-managed keys.

Prerequisites

To set up AWS customer-managed keys for your Fivetran account, you need:

• A Business Critical Fivetran account
• An AWS account.

Setup instructions

Create AWS key

1. Log into your AWS console.

2. In the Security, Identity, & Compliance section, go to Key Management Service.

3. Click Create key.

4. In the Key type section, select Symmetric.

5. In the Advanced options section, select Multi-Region key. Click Next.

   

6. Enter an alias. (Optional) Enter a description. Click Next.

7. Choose the users and roles to administer the key. Click Next.

8. Review the key policy and click Finish.

9. Click on the newly-created key. Make a note of the key's ARN. You will need it later to configure Fivetran.

Create IAM policy

1. Go to your IAM console.
2. In the Access Management section, go to Policies.
3. Click Create Policy.
4. On the Create policy page, go to the JSON tab.
5. Copy the following policy into the JSON editor. Replace {your key ARN} with the key ARN you found in Step 1. Make sure you use the complete ARN. The key ARN has the following format: arn:aws:kms:<region>:<account_id>:key/<key_id>. An example of a key ARN: arn:aws:kms:us-east-1:000000000000:key/mrk-00000000000000000000000000000000.

   {
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "kms:Decrypt",
               "kms:Encrypt",
               "kms:GenerateDataKey",
               "kms:ReEncryptTo",
               "kms:GenerateDataKeyWithoutPlaintext",
               "kms:DescribeKey",
               "kms:ReEncryptFrom"
           ],
           "Resource": "{your key ARN}"
       }
   ]
   }
   

6. Click Next: Tags. (Optional) Add tags.
7. Click Next: Review.
8. Enter a memorable policy name (for example, “Fivetran-KMS-Access”).
9. Click Create Policy.

Create IAM role

1. Return to the IAM console.
2. In the Access Management section, go to Roles.
3. Click Create role.
4. Select Another AWS Account as the role type.
5. In the Account ID field, enter Fivetran’s account ID, 834469178297.
6. Select the Require External ID checkbox. In the External ID field, enter your Fivetran account ID from the dashboard.
7. Click Next: Permissions.
8. Select the IAM policy you created in Step 2.
9. Click Next: Tags and (optional) add tags.
10. Click Next: Review.
11. Enter a role name.
12. Click Create role.
13. On the Roles page, select the Fivetran role you just created.
14. Copy the role’s ARN.

Finish Fivetran configuration

1. In the Fivetran dashboard, go to Account Settings > General > Customer-Managed Keys Configuration.
2. Click Add Key.
3. Select AWS Key Management Service.
4. Enter the Key ARN you obtained from Step 1.
5. Enter the Role ARN you obtained from Step 3.
6. Click Submit.