Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SSE-C without KMS

ajac
New Member
4 weeks ago

Hello,

i currently evaluating SmartStore encryption options and noticed that SSE-C in combination with AWS KMS is mentioned in the documentation.

Could someone please clarify the following:

  1. Why does SmartStore SSE-C use AWS KMS, given that SSE-C typically relies on customer-provided keys that are sent with each request?

  2. Is it possible to configure SmartStore encryption to use our own customer-managed key (fully provided and stored by us) instead of an AWS KMS-managed key?

My goal is to maintain full control over the encryption keys while still benefiting from SmartStore’s server-side encryption capabilities.

Thank you in advance for your clarification.

Kind regards!

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
4 weeks ago

Hi @ajac 

My understanding is that SmartStore implements SSE‑C by generating a per‑object data‑encryption key (DEK) using the customer‑managed CMK. The Smartstore service never stores the plaintext key; the key is only supplied by the client on each read/write request, encrypted by KMS, this protection model is same as SSE‑C (the client controls the keys), but the actual key payload is managed by KMS.

Customer Managed Keys (CMK) is available in Splunk Cloud AWS / Google Cloud environments but not Azure (see https://help.splunk.com/en/splunk-cloud-platform/get-started/service-terms-and-policies/10.0.2503/in...

Check out the https://help.splunk.com/en/splunk-cloud-platform/administer/manage-users-and-security/9.3.2408/manag... EMEK page for more information on this but to answer your question, yes, you can manage the key yourself and share access to it through AWS IAM Policies so that Splunk Cloud can consume it. 

Its worth discussing this with your Splunk account team if you need further lower level detail as they may be able to share more under your NDA agreement etc.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...