Set up customer-managed keys
Sigma supports the use of customer-managed keys (CMK) for AWS and Azure. CMK allows you to use your own key management services (KMS) to encrypt the secrets and data that Sigma uses, giving you greater control over the key management lifecycle and encryption. For example, CMK lets you rotate your database master keys, ensuring expired keys lose access to encrypted data.
This document explains how to set up customer-managed keys with Sigma for both AWS and Azure. Follow the steps relevant to your environment.
This feature isn't supported in all regions. To check if it is supported in your region, see Supported data platforms and feature compatibility.
For more details about what data is encrypted by CMK, including how to handle key rotation, see About using customer-managed keys in Sigma.
This is a premium feature. To enable it for your Sigma organization, contact your Sigma Account Executive or contact Sigma Support.
Customer-managed keys for AWS
Set up CMK for Sigma organizations hosted on AWS.
System and user requirements
- Admin privileges in your AWS console.
Prerequisites
Before setting up CMK in AWS, contact your Sigma Account Executive for the following information:
- The ARN of the Sigma Encryption Service IAM user. For example, arn:aws:iam::{Sigma_account}:user/user_shared_from_Sigma.
- An external ID. For example, 572CE5EC-6467-42DB-B2E0-3BA5A51023FD.
If you want to provide these details in a secure sharing context, you can use one of the following mechanisms:
- 1Password share
- Secure file sharing platforms such as ShareFile, Box, or Dropbox Business with encryption features
Set up customer-managed keys in AWS
Perform the following steps in your AWS Console:
1. Create an AWS IAM role. For instructions, see Creating an IAM role using a custom trust policy in the AWS documentation. The ExternalId condition is mandatory: it ensures that the trust granted to Sigma can only be used in the context of your organization. Use the StringEquals operator rather than StringEqualsIfExists, so that an AssumeRole request that omits the external ID is refused instead of passing the check. For more information, see The confused deputy problem in the AWS documentation. Format the custom trust policy as follows:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": [
             "arn:aws:iam::{Sigma_account}:user/user_shared_from_Sigma"
           ]
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": [
               "572CE5EC-6467-42DB-B2E0-3BA5A51023FD"
             ]
           }
         }
       }
     ]
   }

2. After the IAM role has been created, take note of the role ARN. The role ARN is required to set up your AWS KMS key. See Find Amazon Resource Names (ARNs) in AMS in the AWS documentation.
3. Create an AWS KMS key. For instructions, see Create a symmetric encryption KMS key in the AWS documentation. When prompted, select the following options:
   - Key type: Symmetric
   - Key usage: Encrypt and decrypt
   - Key material origin: KMS-recommended
   - Regionality: Multi-region key
4. After creating the key, edit the key policy to allow access from the newly created IAM role and the ARN of the Sigma Encryption Service IAM user provided by your Sigma Account Executive. For instructions, see Change a key policy in the AWS documentation. Keep the statements already present in the key policy (shown as { … } below) and add the following statement:

   {
     "Version": "2012-10-17",
     "Statement": [
       { … },
       {
         "Sid": "Enable permission for Sigma Computing",
         "Effect": "Allow",
         "Principal": {
           "AWS": [
             "arn:aws:iam::{customer_account}:role/role_to_share_with_Sigma"
           ]
         },
         "Action": [
           "kms:DescribeKey",
           "kms:Encrypt",
           "kms:Decrypt",
           "kms:ReEncrypt*"
         ],
         "Resource": "*"
       }
     ]
   }

5. After modifying the KMS key, take note of the KMS key ARN. You need the KMS key ARN to modify the permissions of your IAM role.
6. Edit the permissions of your IAM role so that it can operate on the KMS key. For instructions, see Adding IAM identity permissions (console) in the AWS documentation. When prompted, make the following configurations:
   - Service: KMS
   - Actions allowed: DescribeKey, Encrypt, Decrypt, ReEncryptFrom, ReEncryptTo
   - Resources: Specific, and add your KMS key ARN

   Your permission policy should look something like the following:

   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Action": [
           "kms:DescribeKey",
           "kms:Encrypt",
           "kms:Decrypt",
           "kms:ReEncrypt*"
         ],
         "Effect": "Allow",
         "Resource": [
           "arn:aws:kms:us-west-2:{customer_account}:key/{mrk-key-id}"
         ]
       }
     ]
   }

7. After creating and updating the IAM role and KMS key, provide the ARN of the IAM role and the ARN of the KMS key to your Sigma Account Executive. After the migration to CMK is complete for your Sigma organization, your Account Executive contacts you.
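Before sending the ARNs to Sigma, it is worth checking the policies you wrote against the values from the steps above. The following is an added Python example, not Sigma's own tooling: it validates a role trust policy (correct principal, an sts:ExternalId condition that uses StringEquals, and flags StringEqualsIfExists, which would let a request with no external ID through) and a role permission policy (only the KMS actions the steps ask for, scoped to the key ARN). The account ids, key id and sample policies are constructed placeholders.

```python
# Placeholder values assumed for this check (constructed, not real account or key ids).
SIGMA_USER_ARN = "arn:aws:iam::111111111111:user/user_shared_from_Sigma"
EXTERNAL_ID = "572CE5EC-6467-42DB-B2E0-3BA5A51023FD"
KEY_ARN = "arn:aws:kms:us-west-2:222222222222:key/mrk-placeholderkeyid"
# The only KMS actions the setup steps require; anything else is over-privileged.
ALLOWED_ACTIONS = {"kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
                   "kms:ReEncrypt*", "kms:ReEncryptFrom", "kms:ReEncryptTo"}

def _as_list(v):
    # IAM allows a bare string or a list in most fields; normalise to a list.
    return v if isinstance(v, list) else [v]

def check_trust_policy(policy):
    """Return a list of problems with the role's trust policy (empty means OK)."""
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if principals != [SIGMA_USER_ARN]:
            problems.append(f"unexpected principal(s): {principals}")
        cond = st.get("Condition", {})
        if "StringEqualsIfExists" in cond:
            problems.append("StringEqualsIfExists passes when no ExternalId is sent; use StringEquals")
        ext = _as_list(cond.get("StringEquals", {}).get("sts:ExternalId", []))
        if ext != [EXTERNAL_ID]:
            problems.append(f"sts:ExternalId must equal the ID Sigma gave you, got {ext}")
    return problems

def check_permission_policy(policy):
    """Return problems with the role's identity policy for the KMS key (empty means OK)."""
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        extra = set(_as_list(st.get("Action"))) - ALLOWED_ACTIONS
        if extra:
            problems.append(f"actions beyond what Sigma needs: {sorted(extra)}")
        for res in _as_list(st.get("Resource")):
            if res != KEY_ARN:
                problems.append(f"resource not scoped to the CMK: {res}")
    return problems

# Constructed sample: the trust policy from step 1, using StringEquals.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": [SIGMA_USER_ARN]},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": [EXTERNAL_ID]}}}]}
# Constructed sample: an over-broad identity policy that the check should reject.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["kms:Decrypt", "kms:*"], "Resource": "*"}]}
```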
Customer-managed keys for Azure
Set up CMK for Sigma organizations hosted on Azure.
System and user requirements
- You must have admin privileges in Azure, with either the Cloud Application Administrator or Application Administrator role type. See Microsoft Entra built-in roles in the Microsoft documentation.
- You must have the User Access Administrator role to manage access to the Key Vault that hosts your CMK keys. For more details, see Azure built-in roles in the Microsoft documentation.
- Your encryption keys must be asymmetric.
Prerequisites
- Reach out to your Sigma Account Executive for the following information:
  - The AppId for your Azure Encryption Service instance.
  - The name of your Azure Encryption Service instance.
- Retrieve the Azure tenant ID of the tenant that hosts your Key Vault. For instructions, see Find your Microsoft Entra tenant in the Microsoft documentation.
If you want to provide these details in a secure sharing context, you can use one of the following mechanisms:
- 1Password share
- Secure file sharing platforms such as ShareFile, Box, or Dropbox Business with encryption features
Set up customer-managed keys in Azure
Perform the following steps in Microsoft Azure:
1. In Microsoft Entra, create an enterprise application for the Sigma encryption service. For instructions, see Create an enterprise application from a multitenant application in Microsoft Entra ID. When prompted for an AppId, use the one provided by your Sigma Account Executive. After creating the enterprise application, you should see the service principal in your Azure account listed under Enterprise Applications. The service principal should have the same name provided by your Sigma Account Executive. The encryption-svc credentials are authenticated with this service principal.
2. To allow you to configure role-based access control for the Sigma service principal, give consent for the Sigma service principal to access your Azure Key Vault. For instructions, see Grant tenant-wide admin consent in Enterprise apps pane. When prompted, set the following configurations:
   - Claim value: user_impersonation
   - Permission: Have full access to the Azure Key Vault service
   - Type: Delegated
3. In your Key Vault tenant, assign the service principal the Key Vault Crypto User role. This role allows the service principal to run encryption and decryption. Depending on your use case, you can scope the role assignment to a specific key or to the whole Key Vault. The Sigma service principal requires, at a minimum, permission to perform the encrypt and decrypt cryptographic operations on the designated key. For details, see Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control and Key types, algorithms, and operations in the Azure documentation.
4. After completing setup, provide your Sigma Account Executive with the TenantID and the Key Identifier, which consists of the Key Vault URL, Key Name, and Version. After onboarding your Sigma organization to CMK, your Account Executive contacts you.
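Two things are easy to get wrong in steps 3 and 4: giving the Sigma service principal a broader role or scope than Key Vault Crypto User on the key (or vault), and sending an unversioned key identifier. The following is an added Python example, not Sigma's or Microsoft's tooling: it splits a versioned key identifier into the Key Vault URL, Key Name and Version that step 4 asks for, and reviews role-assignment records (the principalId, roleDefinitionName and scope fields that az role assignment list prints) for the Sigma service principal. The object id, vault resource id, key name and sample records are constructed placeholders.

```python
from urllib.parse import urlsplit

# Placeholder ids (constructed for this example, not real values).
SIGMA_SP_OBJECT_ID = "00000000-0000-0000-0000-00000000aaaa"
KEY_VAULT_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-cmk"
                "/providers/Microsoft.KeyVault/vaults/contoso-cmk")
KEY_NAME = "sigma-cmk"
# Built-in roles that grant far more than encrypt/decrypt on the key.
OVERBROAD_ROLES = {"Owner", "Contributor", "Key Vault Administrator", "Key Vault Crypto Officer"}

def split_key_identifier(kid):
    """Split https://<vault>.vault.azure.net/keys/<name>/<version> into the three
    values to send to Sigma: Key Vault URL, Key Name and Version."""
    u = urlsplit(kid)
    parts = u.path.strip("/").split("/")
    if u.scheme != "https" or len(parts) != 3 or parts[0] != "keys":
        raise ValueError(f"not a versioned key identifier: {kid}")
    return {"vault_url": f"https://{u.netloc}", "key_name": parts[1], "version": parts[2]}

def check_role_assignments(assignments):
    """Return problems with the Sigma service principal's Key Vault access (empty means OK)."""
    key_scope = f"{KEY_VAULT_ID}/keys/{KEY_NAME}"
    problems, has_crypto_user = [], False
    for a in assignments:
        if a["principalId"] != SIGMA_SP_OBJECT_ID:
            continue  # assignments for other principals are out of scope here
        role, scope = a["roleDefinitionName"], a["scope"]
        if role in OVERBROAD_ROLES:
            problems.append(f"{role} at {scope} exceeds encrypt/decrypt on the key")
        elif role == "Key Vault Crypto User" and scope in (KEY_VAULT_ID, key_scope):
            has_crypto_user = True  # vault-wide or key-scoped, as the setup step allows
        elif role == "Key Vault Crypto User":
            problems.append(f"Key Vault Crypto User scoped wider than the vault: {scope}")
    if not has_crypto_user:
        problems.append("Sigma service principal has no Key Vault Crypto User assignment")
    return problems

# Constructed sample records: one correct key-scoped assignment, one over-broad one.
SAMPLE_ASSIGNMENTS = [
    {"principalId": SIGMA_SP_OBJECT_ID, "roleDefinitionName": "Key Vault Crypto User",
     "scope": f"{KEY_VAULT_ID}/keys/{KEY_NAME}"},
    {"principalId": SIGMA_SP_OBJECT_ID, "roleDefinitionName": "Key Vault Crypto Officer",
     "scope": KEY_VAULT_ID},
]
```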