
Simple Log Service:Data encryption

Last Updated: Jun 20, 2026

Simple Log Service lets you use Key Management Service (KMS) to encrypt data for protection at rest. This topic describes the data encryption mechanisms in Simple Log Service and provides instructions on how to use KMS to encrypt data.

Prerequisites

Key Management Service (KMS) is activated. For more information, see Purchase a Dedicated KMS instance.

Data encryption mechanisms

Simple Log Service supports the following two encryption mechanisms.

Encryption with a service key

Features:

  • Simplicity: Requires no extra configuration. Simple Log Service manages encryption and key management, which reduces your operational overhead.

  • Key isolation: A unique data encryption key is generated for each Logstore to enhance data security.

  • Durability: These data encryption keys never expire, ensuring long-term encryption stability.

  • Supported encryption algorithms: AES (default) and SM4.

Use cases:

  • You want to quickly implement data encryption without managing the keys yourself.

  • You do not have specific key management requirements and prefer the service provider to manage the keys.

  • You need to ensure the long-term validity and stability of your data encryption keys.

Target users:

Small businesses or individual users who want simple and secure log encryption without handling complex key management tasks.

Encryption with Bring Your Own Key (BYOK)

Features:

  • Full control: You manage the entire lifecycle of your keys, including creation, rotation, and deletion.

  • Flexibility: You can easily update or rotate keys as needed to enhance security and flexibility.

  • Proactive management: You must create and manage a customer master key (CMK) in the KMS console and grant the necessary permissions.

Use cases:

  • Your organization has strict security and compliance requirements that mandate self-managed encryption keys.

  • You want to proactively manage and rotate encryption keys to meet higher security standards.

  • You want the ability to quickly rotate or delete a key to protect your data if the key is compromised or other security risks arise.

Target users:

Large enterprises or financial institutions that have strict data protection and compliance requirements, need to implement their own key management policies, and have dedicated teams to manage keys.

Important

If your customer master key (CMK) is deleted or disabled, the associated BYOK key becomes invalid, and all read and write requests to the Logstore will fail.

Limitations

Once you select an encryption mechanism, you cannot change it, nor can you modify the encryption algorithm or type. You can only use the enable parameter to enable or disable the encryption feature. When you update the Logstore, you must include the complete encrypt_conf parameter in each request.

For example, if you first choose to encrypt data by using a service key, you cannot later switch to the Bring Your Own Key (BYOK) method.

Encrypt data with a service key

To configure data encryption, include the encrypt_conf parameter when you call the CreateLogStore or UpdateLogStore API.

The data structure of the encrypt_conf field is described in the following table. The user_cmk_info field is not required.

  • encrypt_conf (object): The encryption configuration.

  • enable (boolean): Whether to enable data encryption. Valid values: true and false. Example: true

  • encrypt_type (string): The encryption algorithm. Valid values: default and sm4. Required when enable is set to true. Example: default

  • user_cmk_info (EncryptUserCmkConf): Optional. If specified, the bring-your-own-key (BYOK) key is used. Otherwise, the service key of Simple Log Service is used. Example:

    { "cmk_key_id" : "f5136b95-2420-ab31-xxxxxxxxx", "arn" : "acs:ram::13234:role/logsource", "region_id" : "cn-hangzhou" }

Encrypt data with BYOK

Prerequisites

Key Management Service (KMS) is activated. For more information, see Purchase a Dedicated KMS instance.

Step 1: Grant BYOK permissions

Before you use the BYOK method, you must grant the required Resource Access Management (RAM) permissions.

  1. Log on to the RAM console.

  2. Create a RAM role for a trusted Alibaba Cloud service with the following configurations:

    For Role Type, select common service role. For Role Name, enter KMS-TEST. For Select Trusted Service, select Simple Log Service.

  3. Grant the AliyunKMSReadOnlyAccess and AliyunKMSCryptoUserAccess permissions to the RAM role. For more information, see Grant permissions to a RAM role.

  4. Grant the ram:PassRole permission. You can skip this step if you use your Alibaba Cloud account to configure BYOK encryption. If you use a RAM user, you must create a custom policy and then grant permissions to the RAM user.

    The Resource value in the following policy must be replaced with the ARN of the RAM role that you created in sub-step 2 above (KMS-TEST in this example). For more information about how to view the ARN of a RAM role, see How do I view the ARN of a RAM role?.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "ram:PassRole",
                "Resource": "acs:ram::<account-id>:role/<role-name>"  
            }
        ]
    }

Step 2: Configure data encryption

Important

Once you configure data encryption, you cannot modify the encryption algorithm or type. You can only use the enable parameter to enable or disable the encryption feature. When you update the Logstore, you must include the complete encrypt_conf parameter in each request.

For an existing Logstore, call the UpdateLogStore API and include the encrypt_conf parameter to configure data encryption.

Before calling UpdateLogStore, you must first retrieve the current Logstore configuration by calling GetLogStore. Then, modify the configuration and pass it in the UpdateLogStore request.

The following table describes the data structure of the encrypt_conf parameter. To use BYOK, you must specify the user_cmk_info parameter.

  • encrypt_conf (object): The encryption configuration.

  • enable (boolean): Whether to enable data encryption. Valid values: true and false. Example: true

  • encrypt_type (string): The encryption algorithm. Valid values: default and sm4. Required when enable is set to true. Example: default

  • user_cmk_info (EncryptUserCmkConf): Required for BYOK. If specified, the bring-your-own-key (BYOK) key is used. Otherwise, the service key of Simple Log Service is used. Example:

    { "cmk_key_id" : "f5136b95-2420-ab31-xxxxxxxxx", "arn" : "acs:ram::13234:role/logsource", "region_id" : "cn-hangzhou" }

EncryptUserCmkConf data structure

  • EncryptUserCmkConf (object): The data structure for user-managed encryption settings.

  • cmk_key_id (string): The ID of the customer master key (CMK) for BYOK. Example: f5136b95-2420-ab31-xxxxxxxxx

  • arn (string): The ARN of the RAM role that you created in Step 1. Example: acs:ram::13234:role/logsource

  • region_id (string): The region ID where the CMK is located. Example: cn-hangzhou

encrypt_conf = {
    "enable" : True,                 # Specifies whether to enable encryption.
    "encrypt_type" : "default",      # The encryption algorithm. Supported values: default, sm4, sm4_ecb, sm4_cbc, sm4_gcm, aes_ecb, aes_cbc, aes_cfb, aes_ofb, and aes_gcm.
    "user_cmk_info" :                # Optional. If you specify this parameter, BYOK is used. Otherwise, a service key is used.
    {
          "cmk_key_id" : "",         # The ID of the CMK for BYOK. Example: f5136b95-2420-ab31-xxxxxxxxx.
          "arn" :  "",               # The ARN of the RAM role that you created in Step 1.
          "region_id" : ""           # The region ID where the CMK is located.
    }
}
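The following Python is an added example, not code from the Simple Log Service documentation or from any Alibaba Cloud SDK. It covers both the encrypt_conf structure described under "Encrypt data with a service key" and the GetLogStore → modify → UpdateLogStore procedure in Step 2: it validates an encrypt_conf (service key or BYOK), builds the scoped ram:PassRole policy from Step 1, and derives a complete UpdateLogStore body from a fetched Logstore configuration while refusing any change other than enable, which the service would reject anyway. It assumes only the field names shown on this page; the helper names, the role ARN pattern, and the sample Logstore body are constructed for the example, and nothing here signs or sends an HTTP request.

```python
# Added example (not Simple Log Service SDK or documentation code).
# Assumptions not taken from the page: helper names, ROLE_ARN_RE, and the
# SAMPLE_LOGSTORE body below are constructed for this example.
import copy
import json
import re

# encrypt_type values documented in the page's table (the snippet above
# lists further algorithm/mode variants; add them here if your region supports them).
ENCRYPT_TYPES = ("default", "sm4")
# Shape of a RAM role ARN as shown on the page: acs:ram::<account-id>:role/<role-name>
ROLE_ARN_RE = re.compile(r"^acs:ram::\d+:role/[A-Za-z0-9._-]+$")
CMK_FIELDS = ("cmk_key_id", "arn", "region_id")


class EncryptConfError(ValueError):
    """A configuration the service would reject or that would break data access."""


def build_encrypt_conf(enable=True, encrypt_type="default", user_cmk_info=None):
    """Return a validated encrypt_conf dict.

    Without user_cmk_info the service key is used; with it, BYOK is used and
    all three EncryptUserCmkConf fields must be present and well-formed.
    """
    if not isinstance(enable, bool):
        raise EncryptConfError("enable must be a boolean")
    if encrypt_type not in ENCRYPT_TYPES:
        raise EncryptConfError("unsupported encrypt_type: %r" % (encrypt_type,))
    conf = {"enable": enable, "encrypt_type": encrypt_type}
    if user_cmk_info is not None:
        missing = [f for f in CMK_FIELDS if not user_cmk_info.get(f)]
        if missing:
            raise EncryptConfError("user_cmk_info is missing %s" % ", ".join(missing))
        if not ROLE_ARN_RE.match(user_cmk_info["arn"]):
            raise EncryptConfError("arn is not a RAM role ARN: %r" % (user_cmk_info["arn"],))
        conf["user_cmk_info"] = {f: user_cmk_info[f] for f in CMK_FIELDS}
    return conf


def pass_role_policy(role_arn):
    """Return the custom RAM policy from Step 1, scoped to exactly one role.

    Scoping Resource to the role ARN rather than "*" stops a RAM user from
    passing arbitrary roles to Simple Log Service.
    """
    if not ROLE_ARN_RE.match(role_arn):
        raise EncryptConfError("Resource must be a single RAM role ARN")
    return {"Version": "1",
            "Statement": [{"Effect": "Allow", "Action": "ram:PassRole",
                           "Resource": role_arn}]}


def update_body(current_logstore, desired_conf):
    """Build the full UpdateLogStore body from a GetLogStore result.

    The page requires the complete encrypt_conf in every update and states
    that, once configured, only "enable" may change: the mechanism (service
    key vs BYOK) and the algorithm are fixed. Any other difference is
    rejected here before a request is sent. The input dict is not mutated.
    """
    body = copy.deepcopy(current_logstore)
    existing = body.get("encrypt_conf")
    if existing is None:
        # First-time configuration of an existing Logstore.
        body["encrypt_conf"] = desired_conf
        return body
    frozen = {k: v for k, v in existing.items() if k != "enable"}
    wanted = {k: v for k, v in desired_conf.items() if k != "enable"}
    if frozen != wanted:
        changed = sorted(k for k in set(frozen) | set(wanted) if frozen.get(k) != wanted.get(k))
        raise EncryptConfError("cannot change %s after encryption is configured" % ", ".join(changed))
    body["encrypt_conf"] = dict(existing, enable=desired_conf["enable"])
    return body


# Constructed sample of what GetLogStore might return for a BYOK Logstore
# (keys other than encrypt_conf are illustrative).
SAMPLE_LOGSTORE = {
    "logstoreName": "app-log",
    "ttl": 30,
    "shardCount": 2,
    "encrypt_conf": {
        "enable": True,
        "encrypt_type": "sm4",
        "user_cmk_info": {
            "cmk_key_id": "f5136b95-2420-ab31-xxxxxxxxx",
            "arn": "acs:ram::13234:role/logsource",
            "region_id": "cn-hangzhou",
        },
    },
}

if __name__ == "__main__":
    cmk = SAMPLE_LOGSTORE["encrypt_conf"]["user_cmk_info"]
    # Temporarily disable encryption: only enable changes, everything else is carried over.
    print(json.dumps(update_body(SAMPLE_LOGSTORE, build_encrypt_conf(False, "sm4", cmk)), indent=2))
    # Switching the same Logstore from BYOK to a service key is refused.
    try:
        update_body(SAMPLE_LOGSTORE, build_encrypt_conf(True, "sm4"))
    except EncryptConfError as exc:
        print("rejected:", exc)
    print(json.dumps(pass_role_policy("acs:ram::13234:role/logsource"), indent=2))
```

The check in update_body is deliberately client-side: the API returns an error for a changed algorithm or mechanism, but failing before the call makes the reason explicit and keeps an automation job from retrying a request that can never succeed.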

Related documents

For more information, see the following API operations: