Adding a KMS Key for Use on the Instaclustr Platform using Run in Instaclustr’s Account (RIIA) Provisioning

Instaclustr supports the creation of clusters in our provider account, which has EBS and S3 storage encrypted at rest using customer supplied KMS Keys. These instructions outline how to create the KMS Keys, and add them to the Instaclustr Platform. 

In your AWS account:

1. Go to key management service and click on Create a Key
   
   
2. Follow the AWS wizard to create an AWS Encryption Key in the data centre’s intended region. Make sure to add the Instaclustr Production AWS account. As seen in the example image below, do this by adding the ID: 624537489435
   

Once you have created the key in your AWS account, go the Instaclustr console,

1. Navigate to Cluster Resources -> Encryption Keys by clicking on the gear icon at the top right hand corner.
   
2. You’ll need the AWS key’s ARN, found in the key’s details after key creation.
   
3. The alias will identify this key in other parts of the Instaclustr console. Add the alias for your key, the AWS key’s ARN, and set the Provider Account to INSTACLUSTR. Once you have done this, click on Add Key to add the key to your account.
   
4. Once the key is added to your account, it will show up in the table.
5. Use the Validate button to check the validity of the key before cluster creation. For Multi-Region keys, the Validate button updates the list of regions that key is available in.
   
6. When you Create a Cluster or Add a Data Centre to an existing cluster, you will now have the option to enable EBS encryption.

For more information regarding Amazon’s encryption service see:

• Share Custom Encryption Keys More Securely Between Accounts by Using AWS Key Management Service
• Amazon EBS Encryption
• Multi-Region keys in AWS KMS

Further Questions

We are available to provide additional information and guide you through this process. Please contact Instaclustr Support or raise a new ticket.