This topic describes the Alibaba Cloud services that can be integrated with Key Management Service (KMS). These Alibaba Cloud services can use service keys or user-managed keys, including the keys imported by using the Bring Your Own Key (BYOK) feature, to encrypt data of different types in different scenarios.
Workload data encryption
Elastic Compute Service (ECS)
By default, the disk encryption feature of ECS uses a service key to encrypt your data. You can also use a user-managed key instead. Each disk has its own customer master key (CMK) and data key (DK) and uses envelope encryption: the DK encrypts the data on the disk, and the CMK encrypts only the DK, so the DK is stored with the disk in wrapped form and never in plaintext.
An ECS instance automatically encrypts data written to an encrypted disk and decrypts data read from it. Encryption and decryption take place on the host where the ECS instance resides and have almost no effect on disk performance.
After an encrypted disk is created and attached to an ECS instance, the ECS instance encrypts the following data:
Container Service for Kubernetes (ACK)
ACK supports server-side encryption (SSE) based on KMS for the following types of workload data:
Reference: Use KMS to encrypt Kubernetes secrets at rest in etcd
Web App Service
Web App Service is integrated with KMS to encrypt sensitive configuration data, such as the access credentials of ApsaraDB RDS.
Reference: ApsaraDB for RDS instances
Application Configuration Management (ACM)
ACM is integrated with KMS to encrypt application configurations. This protects sensitive configuration items such as data source settings, tokens, usernames, and passwords, and reduces the risk of configuration leaks. ACM can use KMS in one of the following ways:
Reference: Create and use encrypted configuration
Persistent storage data encryption
Object Storage Service (OSS)
OSS uses the SSE feature to encrypt uploaded data.
OSS can implement SSE with an encryption system dedicated to OSS. In this case the feature is called SSE-OSS. The keys used in this mode are fully managed by OSS rather than by KMS, so their use is not recorded in ActionTrail and cannot be audited there.
OSS can also implement SSE with KMS. In this case the feature is called SSE-KMS. OSS uses the service key or a user-managed key to encrypt your data. You can configure a default CMK for each bucket or specify the CMK to use when you upload an object; a CMK specified for an object takes precedence over the bucket default. Because OSS calls KMS to wrap and unwrap the per-object data keys, key use in this mode is recorded in ActionTrail, and KMS API call quotas and fees apply.
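The auditability difference above is the practical reason to prefer SSE-KMS for sensitive buckets: every use of the bucket's CMK is a KMS API call that ActionTrail records, so you can check who actually used the key. The following Go program is an added example, not OSS, ActionTrail or Alibaba Cloud SDK code. The top-level field names (eventTime, eventName, eventSource, userIdentity.principalId, requestParameters) follow ActionTrail's event format, but the sample events are constructed, and the eventSource value and the requestParameters.KeyId entry are assumptions to be checked against a real event from your own trail before relying on the filter. The role name role-oss-sse and the key IDs are likewise made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Event is the subset of an ActionTrail event record used here. The top-level
// names follow ActionTrail's event format; the KeyId entry inside
// requestParameters is an assumption for this example.
type Event struct {
	EventTime    string `json:"eventTime"`
	EventName    string `json:"eventName"`
	EventSource  string `json:"eventSource"`
	UserIdentity struct {
		Type        string `json:"type"`
		PrincipalID string `json:"principalId"`
	} `json:"userIdentity"`
	RequestParameters map[string]interface{} `json:"requestParameters"`
}

// keyOps are the KMS operations that use a CMK's key material. Management calls
// such as DescribeKey or ListKeys are deliberately not counted.
var keyOps = map[string]bool{
	"Encrypt": true, "Decrypt": true,
	"GenerateDataKey": true, "GenerateDataKeyWithoutPlaintext": true,
}

// Finding is one line of the audit report: how often a principal performed an
// operation on the key, and whether that principal was expected to.
type Finding struct {
	Principal string
	Op        string
	Count     int
	Allowed   bool
}

// AuditKeyUse reads newline-delimited ActionTrail events, keeps the KMS
// data-plane calls on keyID and aggregates them per principal and operation.
// allowed lists the principals expected to use the key (for SSE-KMS, the role
// OSS calls KMS with); every other caller is reported with Allowed=false.
func AuditKeyUse(events, keyID string, allowed []string) ([]Finding, error) {
	allow := map[string]bool{}
	for _, p := range allowed {
		allow[p] = true
	}
	counts := map[[2]string]int{}
	for n, line := range strings.Split(events, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if ev.EventSource != "kms.aliyuncs.com" || !keyOps[ev.EventName] {
			continue
		}
		if id, _ := ev.RequestParameters["KeyId"].(string); id != keyID {
			continue
		}
		counts[[2]string{ev.UserIdentity.PrincipalID, ev.EventName}]++
	}
	findings := make([]Finding, 0, len(counts))
	for k, c := range counts {
		findings = append(findings, Finding{Principal: k[0], Op: k[1], Count: c, Allowed: allow[k[0]]})
	}
	sort.Slice(findings, func(i, j int) bool { // deterministic report order
		if findings[i].Principal != findings[j].Principal {
			return findings[i].Principal < findings[j].Principal
		}
		return findings[i].Op < findings[j].Op
	})
	return findings, nil
}

// SampleEvents is a constructed trail excerpt, not real data: two calls by the
// role OSS uses for SSE-KMS, one Decrypt on the same CMK by a RAM user, one
// call on a different CMK, and one OSS event that is not a KMS call at all.
const SampleEvents = `
{"eventTime":"2024-05-01T08:00:00Z","eventSource":"kms.aliyuncs.com","eventName":"GenerateDataKey","userIdentity":{"type":"AssumedRoleUser","principalId":"role-oss-sse"},"requestParameters":{"KeyId":"cmk-bucket-1"}}
{"eventTime":"2024-05-01T08:00:05Z","eventSource":"kms.aliyuncs.com","eventName":"Decrypt","userIdentity":{"type":"AssumedRoleUser","principalId":"role-oss-sse"},"requestParameters":{"KeyId":"cmk-bucket-1"}}
{"eventTime":"2024-05-01T08:01:00Z","eventSource":"kms.aliyuncs.com","eventName":"Decrypt","userIdentity":{"type":"ram-user","principalId":"ram-user-alice"},"requestParameters":{"KeyId":"cmk-bucket-1"}}
{"eventTime":"2024-05-01T08:02:00Z","eventSource":"kms.aliyuncs.com","eventName":"Decrypt","userIdentity":{"type":"ram-user","principalId":"ram-user-alice"},"requestParameters":{"KeyId":"cmk-other"}}
{"eventTime":"2024-05-01T08:03:00Z","eventSource":"oss.aliyuncs.com","eventName":"GetObject","userIdentity":{"type":"ram-user","principalId":"ram-user-alice"},"requestParameters":{"BucketName":"b1"}}
`

func main() {
	findings, err := AuditKeyUse(SampleEvents, "cmk-bucket-1", []string{"role-oss-sse"})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		flag := ""
		if !f.Allowed {
			flag = "  <- review: unexpected caller"
		}
		fmt.Printf("%-16s %-16s %d%s\n", f.Principal, f.Op, f.Count, flag)
	}
}
```

On the sample input, the report lists the OSS role's GenerateDataKey and Decrypt as expected and flags the direct Decrypt by ram-user-alice, which is exactly the kind of call worth investigating: a principal with Decrypt on the bucket's CMK can read ciphertext it obtains by other means without ever touching the bucket. The same scan run against SSE-OSS data finds nothing, because there is no KMS call to record.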
Apsara File Storage NAS
By default, Apsara File Storage NAS uses the service key to encrypt your data. Each volume has its own CMK and DK and uses envelope encryption to encrypt your data.
Tablestore
By default, the encryption feature of Tablestore uses the service key to encrypt your data. You can also use a user-managed key instead. Each table has its own CMK and DK and uses envelope encryption to encrypt your data.
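The envelope encryption that ECS, Apsara File Storage NAS and Tablestore each describe works the same way in every service: the data key encrypts the data, and the CMK only ever encrypts the data key. The Go program below is an added example, not code from Alibaba Cloud or its SDK. The MockKMS type, its CreateKey and DisableKey methods and the key IDs are assumptions standing in for the KMS service, while its GenerateDataKey and Decrypt methods mirror the real KMS operations of those names. It also shows the caveat that follows from the design: once the CMK is disabled or deleted, the wrapped data key can no longer be unwrapped and everything encrypted under it is unreadable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed CSPRNG read is not recoverable
	}
	return b
}

// newGCM builds AES-256-GCM; keys here are always 32 bytes, so errors are fatal.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal encrypts and prepends the random nonce; open reverses it and rejects any
// change to nonce, ciphertext or AAD.
func seal(key, plaintext, aad []byte) []byte {
	g := newGCM(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func open(key, blob, aad []byte) ([]byte, error) {
	g := newGCM(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// MockKMS stands in for the KMS service (key ID -> 256-bit CMK); CMK material never
// leaves it. CreateKey provisions a CMK under a caller-chosen label, and DisableKey
// models a disabled or deleted CMK, after which nothing wrapped under it can be unwrapped.
type MockKMS map[string][]byte

func (k MockKMS) CreateKey(keyID string)  { k[keyID] = randomBytes(32) }
func (k MockKMS) DisableKey(keyID string) { delete(k, keyID) }

// GenerateDataKey mirrors the KMS call: a fresh data key is returned in plaintext (for
// immediate use) and wrapped under the CMK (for storage), with the key ID bound as AAD
// so a wrapped key cannot be replayed against a different CMK.
func (k MockKMS) GenerateDataKey(keyID string) (plaintextDK, wrappedDK []byte, err error) {
	cmk, ok := k[keyID]
	if !ok {
		return nil, nil, fmt.Errorf("kms: key %q is unknown or disabled", keyID)
	}
	dk := randomBytes(32)
	return dk, seal(cmk, dk, []byte(keyID)), nil
}

// Decrypt mirrors the KMS call that unwraps a data key.
func (k MockKMS) Decrypt(keyID string, wrappedDK []byte) ([]byte, error) {
	cmk, ok := k[keyID]
	if !ok {
		return nil, fmt.Errorf("kms: key %q is unknown or disabled", keyID)
	}
	return open(cmk, wrappedDK, []byte(keyID))
}

// EncryptedVolume is what is persisted for a disk, file system or table.
type EncryptedVolume struct {
	KeyID     string // which CMK wraps the data key
	WrappedDK []byte // the data key, encrypted under the CMK; never stored in plaintext
	Data      []byte // the contents, encrypted under the data key
}

// EnvelopeEncrypt is the write path: fetch a data key, encrypt locally with it, zero
// the plaintext key, and keep only the wrapped copy beside the ciphertext.
func EnvelopeEncrypt(kms MockKMS, keyID string, plaintext []byte) (*EncryptedVolume, error) {
	dk, wrapped, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	data := seal(dk, plaintext, nil)
	for i := range dk {
		dk[i] = 0
	}
	return &EncryptedVolume{KeyID: keyID, WrappedDK: wrapped, Data: data}, nil
}

// EnvelopeDecrypt is the read path: KMS unwraps the data key, decryption is local.
// Once the CMK is disabled, every volume under it is unreadable.
func EnvelopeDecrypt(kms MockKMS, v *EncryptedVolume) ([]byte, error) {
	dk, err := kms.Decrypt(v.KeyID, v.WrappedDK)
	if err != nil {
		return nil, err
	}
	return open(dk, v.Data, nil)
}
```

Two consequences carry over to the real services. Decrypt permission on the CMK is what turns a copied disk image, snapshot or table backup into plaintext, so that permission should be scoped as tightly as the data itself; and a CMK that still protects a disk, file system or table must not be disabled or scheduled for deletion, because the data key cannot be recovered without it.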
Cloud Storage Gateway (CSG)
CSG supports the following encryption methods:
ApsaraDB RDS
ApsaraDB RDS supports the following encryption methods:
ApsaraDB for MongoDB
The encryption methods for ApsaraDB for MongoDB are similar to those for ApsaraDB RDS.
Reference: Configure TDE for an ApsaraDB for MongoDB instance
PolarDB
The encryption methods for PolarDB are similar to those for ApsaraDB RDS.
Log data encryption
ActionTrail
When you create a single-account or multi-account trail that delivers events to an OSS bucket, you can enable encryption for the delivered events in the ActionTrail console.
Log Service
Log Service allows you to use KMS to encrypt stored log data.
Big data and AI
MaxCompute
MaxCompute uses the service key or user-managed keys to encrypt your data.
Machine Learning Platform for AI (PAI)
You can configure SSE for the Alibaba Cloud services used in the different data flow stages of the PAI architecture, such as computing engines, ACK, and data storage services. This protects data security and privacy.
Alibaba Cloud CDN
When an OSS bucket is used as the origin, you can use OSS-based SSE to protect the distributed content. For information about how to allow CDN to access an encrypted bucket, see the CDN documentation.
Reference: Configure private bucket back-to-origin authorization
ApsaraVideo for Media Processing
ApsaraVideo for Media Processing supports two encryption methods: Alibaba Cloud proprietary cryptography and HTTP Live Streaming (HLS) encryption. With either method, ApsaraVideo for Media Processing can be integrated with KMS to protect video content.
ApsaraVideo VOD
ApsaraVideo VOD supports the same two encryption methods, Alibaba Cloud proprietary cryptography and HLS encryption, and can likewise be integrated with KMS under either method to protect video content.