Bring your own key (BYOK) API
Create S3 Bucket for the Org with KMS key.
POST /api/1/rest/public/s3bucket/{org}
Request body: {"kms_arn": the_kms_key, "dr_config": {}}
This BYOK API allows an Org to have its own S3 Bucket and encryption key. This approach stores each user's data in a separate, encrypted S3 Bucket, with encryption keys managed by the user. At any time, the user can revoke their key, making the files in the bucket inaccessible to anyone.
This API:
- Stores metadata for the Org indicating that the Org has enabled BYOK
- Creates an S3 Bucket for the Org
- Enables encryption for the S3 Bucket with the user's KMS key
- Creates a separate IAM role for accessing the S3 Bucket
Once this API has been called, all subsequent requests for the user's data, which are normally directed to the common S3 Bucket, are sent to the Org-specific BYOK S3 Bucket.
Prerequisites
- You must be a member of the Environment/Org.
- The API requires a BYOK subscription.
- The API can only be invoked once per Org. Once you opt into the BYOK bucket, you cannot opt in again; you are already opted in.
- The API is one way: once you opt into the Org-specific BYOK Bucket, you cannot return to the shared Bucket. This means that once an Org calls this API and switches over to the new Org-specific bucket, any data for the Org in the shared bucket is no longer accessible and is not migrated/copied to the new Org-specific bucket. So this API should only be called for new Orgs that have no data.
- The user has to configure a policy on their KMS key.
Parameters
- kms_arn: the ARN of the KMS key. It needs to be in the same region as the Org.
Response
A successful response returns HTTP status code 200 OK.
Example
- In this example the response is a failure because the Org is in us-east-1 but the KMS key is in us-west-2. On success, the API returns 200 OK.
curl -X POST -H "Content-Type: application/json" -H "Authorization: SLToken $TOKEN==" "http://localhost:8888/api/1/rest/public/s3bucket/snaplogic" -d '{"kms_arn": "arn:aws:kms:us-west-2:709230913678:key/386ecdee-16ea-4f41-8db0-6a00f4a37c2e", "dr_config":{}}'
{
  "http_status_code": 400,
  "response_map": {
    "error_list": [
      {"message": "KMS arn:aws:kms:us-west-2:709230913678:key/386ecdee-16ea-4f41-8db0-6a00f4a37c2e must be in same region as bucket us-east-1"}
    ]
  }
}
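Because the opt-in is one way, it is worth checking the region rule on the client before making the call. The following preflight helper is an added example, not part of the API or this documentation; the function names and the Org-region argument are assumptions, and the sample values are the KMS ARN and error response from the example above.

```python
import re

# Key ARNs only (arn:aws:kms:<region>:<account>:key/<key-id>); alias ARNs are not handled here.
KMS_KEY_ARN = re.compile(
    r"^arn:aws:kms:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):key/(?P<key_id>[0-9a-f-]{36})$"
)


def parse_kms_key_arn(kms_arn):
    """Split a KMS key ARN into (region, account, key_id); raise ValueError if malformed."""
    m = KMS_KEY_ARN.match(kms_arn)
    if not m:
        raise ValueError(f"not a KMS key ARN: {kms_arn!r}")
    return m.group("region"), m.group("account"), m.group("key_id")


def build_byok_request(org_region, kms_arn, dr_config=None):
    """Return the JSON body for the BYOK call, or raise if the key is outside the Org's region.

    The server rejects a cross-region key with HTTP 400 (as in the example response), but
    since the switch to the Org-specific bucket cannot be undone, failing before the call
    is cheaper than diagnosing it afterwards.
    """
    key_region, _, _ = parse_kms_key_arn(kms_arn)
    if key_region != org_region:
        raise ValueError(f"KMS key is in {key_region} but the Org is in {org_region}")
    return {"kms_arn": kms_arn, "dr_config": dr_config if dr_config is not None else {}}


def byok_errors(response):
    """Collect the error messages from a failed response (the shape shown above); [] on success."""
    if response.get("http_status_code") == 200:
        return []
    return [e["message"] for e in response.get("response_map", {}).get("error_list", [])]


if __name__ == "__main__":
    # Constructed sample: the 400 response from the example above, as a Python dict.
    example_response = {
        "http_status_code": 400,
        "response_map": {"error_list": [{"message": "KMS key must be in same region as bucket us-east-1"}]},
    }
    print(byok_errors(example_response))
    try:
        build_byok_request("us-east-1", "arn:aws:kms:us-west-2:709230913678:key/386ecdee-16ea-4f41-8db0-6a00f4a37c2e")
    except ValueError as err:
        print("preflight refused:", err)
```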