To enhance the security of your Infisical projects, you can now encrypt your secrets using an external Key Management Service (KMS). When external KMS is configured for your project, all encryption and decryption operations will be handled by the chosen KMS. This guide will walk you through the steps needed to configure external KMS support with AWS KMS.

Prerequisites

  • An AWS KMS Key configured as a Symmetric key and with Encrypt and Decrypt key usage. Create AWS KMS Key
Before you begin, you’ll first need to choose a method of authentication with AWS from below.

Setup AWS KMS in the Organization Settings

Next, you will need to follow the steps listed below to add AWS KMS for your organization.
1

Navigate to the organization settings and select the 'Encryption' tab.

Open encryption org settings
2

Click on the 'Add' button

Add encryption org settings Click the ‘Add’ button to begin adding a new external KMS.
3

Select 'AWS KMS'

Select Encryption Provider Choose ‘AWS KMS’ from the list of encryption providers.
4

Provide the inputs for AWS KMS

Selecting AWS as the provider will require you input the following fields.
Alias
string
required
Name for referencing the AWS KMS key within the organization.
Description
string
Short description of the AWS KMS key.
Authentication Mode
string
required
Authentication mode for AWS, either “AWS Assume Role” or “Access Key”.
IAM Role ARN For Role Assumption
string
ARN of the AWS role to assume for providing Infisical access to the AWS KMS Key (required if Authentication Mode is “AWS Assume Role”)
Assume Role External ID
string
Custom identifier for additional validation during role assumption.
Access Key ID
string
AWS IAM Access Key ID for authentication (required if Authentication Mode is “Access Key”).
Secret Access Key
string
AWS IAM Secret Access Key for authentication (required if Authentication Mode is “Access Key”).
AWS Region
string
required
AWS region where the AWS KMS Key is located.
AWS KMS Key ID
string
Key ID of the AWS KMS Key. If left blank, Infisical will generate and use a new AWS KMS Key in the specified region. AWS KMS key ID
5

Click Save

Save your configuration to apply the settings.
You now have an AWS KMS Key configured at the organization level. You can assign these AWS KMS keys to existing Infisical projects by visiting the ‘Project Settings’ page.

Assign AWS KMS Key to an Existing Project

To assign the AWS KMS key you added to your organization, follow the steps below.
1

Open Project Settings and select to the Encryption Tab

Open encryption project settings
2

Under the Key Management section, select your newly added AWS KMS key from the dropdown

Select encryption project settings Choose the AWS KMS key you configured earlier.
3

Click Save

Once you have selected the KMS of choice, click save.