AWS: Create a Customer Managed Encryption Key - Teradata VantageCloud Lake

Lake - Getting Started with VantageCloud Lake

Deployment: VantageCloud
Edition: Lake
Product: Teradata VantageCloud Lake
Published: February 2025
Last edition: 2025-05-16
Customer managed encryption keys (CMEK) allow you to control encryption keys to protect your organization's data. You choose the rotation schedule and the granularity of access.

For more details including key rotation, see Knowledge Article KB0052805, available at https://support.teradata.com. You may need to log in before searching for it.

  1. Create a single-region encryption key in AWS KMS, in the same region where your Teradata environment is hosted. Teradata recommends creating a new key to encrypt your environment. See Creating symmetric encryption KMS keys.
    Important: The new key is essentially blank; do not assign any other AWS accounts or roles to it. That assignment is done when you start provisioning the environment.
  2. Obtain the alias ARN and key ARN. See Finding the key ID and key ARN.
  3. Follow the instructions in Step 1: Sign On and Create Your First Environment to create the Environment; then return here.
  4. Complete the following within 14 days after creating the environment:

  5. Add teracloud:account and teracloud:pod:id, with their corresponding values (key-value pairs), as tags on your key in AWS KMS.
  6. Copy the key policy from the VantageCloud Lake Console and append it to the key policy of your key in AWS KMS.
    Important: Do not alter the key policy obtained from the VantageCloud Lake Console, as this may cause provisioning to fail.

    Updates to required key policies are your responsibility. Make updates in your AWS Key Management Service to maintain a least-privilege access policy.


  7. Select Complete Setup to secure the environment with the CMEK that you manage in AWS KMS.
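
A pre-flight check for the procedure above, added here as an example and not Teradata's or AWS's code: it checks the key ARN against step 1 (single-region key in the environment's region), checks the two tag keys from step 5, and appends the console policy statements to the existing key policy without modifying them. The ARNs, account IDs and policy statements are constructed placeholders, and the console policy is assumed to be a JSON policy document with a Statement element.

```python
import json

REQUIRED_TAGS = ("teracloud:account", "teracloud:pod:id")  # tag keys from the tagging step

def check_key_arn(key_arn, env_region):
    """Problems with the key ARN for step 1: wrong region or a multi-Region key."""
    parts = key_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "kms" or not parts[5].startswith("key/"):
        return ["not a KMS key ARN"]
    problems = []
    if parts[3] != env_region:
        problems.append(f"key region {parts[3]} != environment region {env_region}")
    if parts[5].startswith("key/mrk-"):  # multi-Region key IDs carry the mrk- prefix
        problems.append("multi-Region key; the procedure asks for a single-region key")
    return problems

def missing_tags(tags):
    """Required tag keys that are absent or empty in a {key: value} dict."""
    return [k for k in REQUIRED_TAGS if not tags.get(k)]

def as_list(statement):
    """A policy's Statement may be one object or a list; normalize to a list."""
    return statement if isinstance(statement, list) else [statement]

def append_policy(current_json, console_json):
    """Return the current key policy with the console statements appended unmodified."""
    merged = json.loads(current_json)
    merged["Statement"] = as_list(merged.get("Statement", []))
    for stmt in as_list(json.loads(console_json)["Statement"]):
        if stmt in merged["Statement"]:
            continue  # already appended; keeps the operation idempotent
        sid = stmt.get("Sid")
        if sid and any(s.get("Sid") == sid for s in merged["Statement"]):
            raise ValueError(f"Sid {sid!r} already exists with different content")
        merged["Statement"].append(stmt)
    return json.dumps(merged, indent=2)

# Constructed sample input: placeholder account IDs, key ID and statements (assumptions).
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CURRENT = json.dumps({"Version": "2012-10-17", "Statement": {
    "Sid": "EnableRootAccess", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}})
CONSOLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ConstructedConsoleStatement", "Effect": "Allow", "Resource": "*",
    "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"}}]})

if __name__ == "__main__":
    print(check_key_arn(KEY_ARN, "us-west-2"), append_policy(CURRENT, CONSOLE))
```

The ValueError on a reused Sid with different content catches a console statement that was edited after a previous append, which is the case the Important note in step 6 warns about.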