Log Service lets you use Key Management Service (KMS) to encrypt Logstore data so that it is stored securely. This topic describes the data encryption mechanism of Log Service and how to encrypt data by using KMS.

Prerequisites

KMS is activated. For more information, see Activate KMS.

Data encryption mechanism

Log Service supports the following encryption types:

  • Encryption by using service keys

    Log Service generates an independent service key for each Logstore. The service key never expires.

    Log Service supports the Advanced Encryption Standard (AES) and SM4 encryption algorithms.

  • Encryption by using Bring Your Own Key (BYOK) keys

    You can create a customer master key (CMK) in the KMS console and grant Log Service the permissions to use it. When Log Service calls a KMS API operation, this CMK is used to generate the key that encrypts the data in the Logstore. If the CMK is deleted or disabled, the corresponding BYOK key becomes invalid.

    Notice If the CMK created in the KMS console becomes invalid, all read and write requests to the Logstore fail.

Step 1: Authorize Log Service to access KMS

Before you can use a BYOK key to encrypt data, you must authorize Log Service to access KMS.

  1. Log on to the RAM console.
  2. Create a RAM role. For more information, see Step 1: Create a RAM role and specify an Alibaba Cloud account for the RAM role.
  3. Modify the trust policy of the RAM role. For more information, see Edit the trust policy of a RAM role.
    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "log.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
  4. Grant the AliyunKMSReadOnlyAccess and AliyunKMSCryptoUserAccess permissions to the RAM role. For more information, see Grant permissions to a RAM role.
  5. Before a RAM user can encrypt data by using a BYOK key, you must grant the PassRole permission to the RAM user. To do so, create a custom policy and attach the policy to the RAM user. For more information, see Create a custom policy and Grant permissions to a RAM user. Replace the Resource value in the following sample with the ARN of the RAM role that you created, in the format acs:ram::<account-id>:role/<role-name>. The wildcard acs:ram::* shown here allows the RAM user to pass any role in the account, so scope it to the one role. For more information, see How do I obtain the ARN of a RAM role?
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "acs:ram::*"
            }
        ]
    }

Step 2: Configure data encryption for a Logstore

When you call the CreateLogstore operation to create a Logstore or the UpdateLogstore operation to modify a Logstore, add the encrypt_conf parameter to specify the encryption settings. The following code provides sample settings.
Notice After you complete the configuration, you cannot change the encryption algorithm or the encryption type (service key or BYOK key). You can change only the enable parameter to enable or disable data encryption. You must pass the complete encrypt_conf parameter each time you call the UpdateLogstore operation, not only the fields that change.
encrypt_conf = {
    "enable": True,  # Specifies whether data encryption is enabled.
    "encrypt_type": "default",  # The encryption algorithm. Valid values: default (AES) and m4 (SM4).
    "user_cmk_info": {  # Optional. If you specify this parameter, the BYOK key is used. If you do not, the service key is used.
        "cmk_key_id": "",  # The ID of the CMK to which the BYOK key belongs, for example, f5136b95-2420-ab31-xxxxxxxxx.
        "arn": "",  # The ARN of the RAM role that you created in Step 1. For more information, see How do I obtain the ARN of a RAM role?
        "region_id": ""  # The ID of the region where the CMK resides.
    }
}
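The following Python script is added here as a worked example; it is not code from Log Service or its SDK. It ties Step 1 and Step 2 together: it builds the trust policy, a PassRole policy scoped to one role's ARN rather than acs:ram::*, and an encrypt_conf that refers to the same role, and it applies the rules from the Notice above when preparing an UpdateLogstore call (send the full encrypt_conf, change only enable, never the algorithm or key type). The account ID, role name, CMK ID and region are constructed placeholders, and the regular expression assumes the RAM role ARN format acs:ram::<account-id>:role/<role-name>.

```python
import copy
import json
import re

# Constants quoted from the procedure above.
LOG_SERVICE_PRINCIPAL = "log.aliyuncs.com"
VALID_ENCRYPT_TYPES = ("default", "m4")  # default = AES, m4 = SM4

# Assumed RAM role ARN format: acs:ram::<account-id>:role/<role-name>
ROLE_ARN_RE = re.compile(r"^acs:ram::\d+:role/[A-Za-z0-9._-]+$")


def role_arn(account_id, role_name):
    """Build the ARN of a RAM role from the account ID and role name."""
    return f"acs:ram::{account_id}:role/{role_name}"


def trust_policy():
    """Trust policy from Step 1.3: only Log Service may assume the role."""
    return {
        "Statement": [{
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {"Service": [LOG_SERVICE_PRINCIPAL]},
        }],
        "Version": "1",
    }


def pass_role_policy(arn):
    """PassRole policy from Step 1.5, scoped to a single role instead of acs:ram::*."""
    if not ROLE_ARN_RE.match(arn):
        raise ValueError(f"Resource must be a single RAM role ARN, got {arn!r}")
    return {
        "Version": "1",
        "Statement": [{"Effect": "Allow", "Action": "ram:PassRole", "Resource": arn}],
    }


def build_encrypt_conf(enable, encrypt_type="default", cmk_key_id=None, arn=None, region_id=None):
    """Build the encrypt_conf parameter for CreateLogstore or UpdateLogstore.

    Without cmk_key_id/arn/region_id the Logstore uses the service key; with all
    three it uses the BYOK key. A partially filled user_cmk_info is rejected.
    """
    if encrypt_type not in VALID_ENCRYPT_TYPES:
        raise ValueError(f"encrypt_type must be one of {VALID_ENCRYPT_TYPES}, got {encrypt_type!r}")
    conf = {"enable": bool(enable), "encrypt_type": encrypt_type}
    byok = {"cmk_key_id": cmk_key_id, "arn": arn, "region_id": region_id}
    present = [k for k, v in byok.items() if v]
    if present:
        missing = [k for k in byok if k not in present]
        if missing:
            raise ValueError(f"user_cmk_info needs cmk_key_id, arn and region_id; missing {missing}")
        if not ROLE_ARN_RE.match(arn):
            raise ValueError(f"user_cmk_info.arn must be a RAM role ARN, got {arn!r}")
        conf["user_cmk_info"] = byok
    return conf


def toggle_encryption(existing, enable):
    """Return the complete encrypt_conf to send in UpdateLogstore with only `enable` changed.

    The Notice above requires the full encrypt_conf on every UpdateLogstore call and
    forbids changing the algorithm or key type, so every other field is copied through.
    """
    conf = copy.deepcopy(existing)
    conf["enable"] = bool(enable)
    return conf


def check_update(existing, proposed):
    """Reject an UpdateLogstore encrypt_conf that changes anything other than `enable`."""
    for key in ("encrypt_type", "user_cmk_info"):
        if existing.get(key) != proposed.get(key):
            raise ValueError(f"{key} cannot be changed after encryption is configured")
    return True


def role_consistent(pass_policy, conf):
    """True if the role the RAM user may pass is the role named in encrypt_conf."""
    allowed = {s["Resource"] for s in pass_policy["Statement"] if s["Action"] == "ram:PassRole"}
    return conf.get("user_cmk_info", {}).get("arn") in allowed


if __name__ == "__main__":
    # Constructed placeholders: substitute your own account ID, role name, CMK ID and region.
    arn = role_arn("123456789012345678", "aliyun-log-kms-role")
    conf = build_encrypt_conf(True, "m4", "00000000-1111-2222-3333-444444444444", arn, "cn-hangzhou")
    print(json.dumps(trust_policy(), indent=2))
    print(json.dumps(pass_role_policy(arn), indent=2))
    print(json.dumps(conf, indent=2))
    print(json.dumps(toggle_encryption(conf, False), indent=2))  # full body needed to disable encryption
```

The role_consistent check is the one most often missed in practice: if the PassRole policy names a different role than user_cmk_info.arn, the RAM user's CreateLogstore or UpdateLogstore call is rejected even though both policies look valid on their own.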