From ea99e3c5f4c8d969a78005564161cec2fa0f7307 Mon Sep 17 00:00:00 2001 From: Mikayla Thompson Date: Fri, 27 Sep 2024 15:11:19 -0600 Subject: [PATCH 1/4] Add note about not supporting customer managed keys Signed-off-by: Mikayla Thompson --- SECURITY.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 73a82e8f3..f8b660814 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -23,3 +23,6 @@ If you are concerned about this scenario, we recommend fully mitigating it by pu The output tuples, available on the shared EFS volume via the Migration Console, contain the exact requests and responses received from both the source and target clusters with the headers and the body of the messages. The Authorization header is present on SigV4 signed requests and those using basic authorization, and with basic authorization credentials can be extracted from the header value. These values are often essential for debugging and so are not censored from the output. If you use basic authorization credentials, ensure that access to your output tuples is protected similarly to the credentials themselves. + +### Customer Managed Keys are not supported by the migration infrastructure +We are able to migrate data to and from clusters with customer managed keys, but data in the intermediary stages (on Kafka, EFS volume, ephemeral storage on ECS) is stored with KMS managed keys. From 8310e077e5cbc5a3f5edf3257220d32d13b71374 Mon Sep 17 00:00:00 2001 From: Mikayla Thompson Date: Fri, 27 Sep 2024 15:22:16 -0600 Subject: [PATCH 2/4] kms->aws Signed-off-by: Mikayla Thompson --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index f8b660814..e10354a30 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -25,4 +25,4 @@ The output tuples, available on the shared EFS volume via the Migration Console, If you use basic authorization credentials, ensure that access to your output tuples is protected similarly to the credentials themselves. ### Customer Managed Keys are not supported by the migration infrastructure -We are able to migrate data to and from clusters with customer managed keys, but data in the intermediary stages (on Kafka, EFS volume, ephemeral storage on ECS) is stored with KMS managed keys. +We are able to migrate data to and from clusters with customer managed keys, but data in the intermediary stages (on Kafka, EFS volume, ephemeral storage on ECS) is stored with AWS managed keys. From a7d46332824149a875304b7214f9bcdc175583ed Mon Sep 17 00:00:00 2001 From: Mikayla Thompson Date: Fri, 27 Sep 2024 20:12:53 -0600 Subject: [PATCH 3/4] Incorporate suggested wording Signed-off-by: Mikayla Thompson --- SECURITY.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index e10354a30..6f5a79ade 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -25,4 +25,7 @@ The output tuples, available on the shared EFS volume via the Migration Console, If you use basic authorization credentials, ensure that access to your output tuples is protected similarly to the credentials themselves. ### Customer Managed Keys are not supported by the migration infrastructure -We are able to migrate data to and from clusters with customer managed keys, but data in the intermediary stages (on Kafka, EFS volume, ephemeral storage on ECS) is stored with AWS managed keys. +Each of the AWS services that are interacting with data will encrypt all data being stored at rest. While the services themselves can support performing the encryption via a KMS Key, the CDK deployment option of Migration Assistant doesn't have the ability to set a customer key for any of those services. That will leave all of the data at rest encrypted, but not under the control of a customer's KMS Key. See the links below for more details on forthcoming support: + +https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html +#1026 From 52446edad1d31fafa35903bf373ade05940355f0 Mon Sep 17 00:00:00 2001 From: Mikayla Thompson Date: Mon, 30 Sep 2024 09:49:25 -0600 Subject: [PATCH 4/4] fix issue link Signed-off-by: Mikayla Thompson --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 6f5a79ade..2ec20e3cb 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -28,4 +28,4 @@ If you use basic authorization credentials, ensure that access to your output tu Each of the AWS services that are interacting with data will encrypt all data being stored at rest. While the services themselves can support performing the encryption via a KMS Key, the CDK deployment option of Migration Assistant doesn't have the ability to set a customer key for any of those services. That will leave all of the data at rest encrypted, but not under the control of a customer's KMS Key. See the links below for more details on forthcoming support: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html -#1026 +[Issue #1026](https://github.com/opensearch-project/opensearch-migrations/issues/1026)