Version: 8.7

Key rotation and audit logging

Learn more about key rotation and audit logging when using AWS BYOK with Camunda 8 SaaS.

Disclaimer

References to Amazon Web Services (AWS) operations may change over time. Camunda does not control AWS features, APIs, or logs. This documentation may become outdated if AWS updates their services.

Key rotation

With BYOK, you own and manage the encryption keys in AWS KMS in your own AWS account. Camunda cannot rotate customer-managed keys; only you can rotate them in AWS KMS.

Manual key rotation

  • Rotating a key in AWS KMS (automatic rotation or an on-demand rotation) does not change the key ID or the key ARN.
  • AWS KMS generates new key material for future encryption and retains the previous key material, so data encrypted before the rotation remains decryptable.
  • Camunda clusters keep using the same key ID and need no reconfiguration.
  • Camunda does not re-encrypt existing data after a rotation; managing the key and its key material remains your responsibility.

To switch a cluster to a different AWS KMS key (a new key ID) instead of rotating the existing one, contact Camunda support to update the cluster settings.

Key rotation caution
  • Do not disable or delete an old key until the cluster is confirmed to be using its replacement. DisableKey takes effect immediately, and ScheduleKeyDeletion makes the key unusable for the whole 7 to 30 day pending window (you can still reverse it with CancelKeyDeletion during that window).
  • Improper key management can block access to data: without the key, the cluster cannot decrypt anything that was encrypted under it.
  • Ensure that backup storage and persistent volumes encrypted under the old key remain accessible throughout the switch.
  • See the AWS documentation on KMS key rotation and on S3 server-side encryption.
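
The following is an added example, not Camunda's own tooling: a pre-flight check that turns the caution list above into code, run before asking support to move a cluster to a replacement key. The input dicts are shaped like the KeyMetadata part of a KMS DescribeKey response and a GetKeyRotationStatus response; in practice you would fetch them with boto3 (`kms.describe_key(KeyId=...)["KeyMetadata"]` and `kms.get_key_rotation_status(KeyId=...)`). The account ID, key IDs, key ARNs and the cluster Region are constructed placeholders.

```python
"""Pre-flight checks before switching a Camunda cluster to a replacement KMS key.

Added example, not Camunda's own tooling. The dicts below mirror the
KeyMetadata part of a KMS DescribeKey response and a GetKeyRotationStatus
response. Account ID, key IDs, ARNs and the cluster Region are placeholders.
"""

CLUSTER_REGION = "eu-west-1"  # assumption: the Region the Camunda cluster runs in


def key_region(meta):
    """Region is the 4th field of a KMS key ARN: arn:aws:kms:REGION:ACCOUNT:key/ID."""
    return meta["Arn"].split(":")[3]


def check_cutover(old_meta, new_meta, new_rotation, cluster_region=CLUSTER_REGION):
    """Return a list of blocking problems; an empty list means the swap can be requested.

    Camunda does not re-encrypt existing data, so the old key must stay usable
    until the cluster has been reconfigured, and the new key must be usable by
    the services that hold the data (S3 for backups, EBS for persistent volumes).
    """
    problems = []

    # Old key: must still be Enabled. DisableKey takes effect immediately and
    # ScheduleKeyDeletion moves the key to PendingDeletion; in both states every
    # Decrypt of a snapshot or volume encrypted under it fails.
    if old_meta["KeyState"] != "Enabled":
        when = old_meta.get("DeletionDate", "n/a")
        problems.append(
            f"old key {old_meta['KeyId']} is {old_meta['KeyState']} (deletion date: {when}); "
            "re-enable it or cancel the deletion before cutover"
        )

    # New key: enabled, customer-managed, symmetric, and in the cluster Region.
    if new_meta["KeyState"] != "Enabled":
        problems.append(f"new key {new_meta['KeyId']} is {new_meta['KeyState']}")
    if new_meta.get("KeyManager") != "CUSTOMER":
        problems.append("new key is AWS-managed; BYOK needs a customer-managed key you control")
    if new_meta.get("KeyUsage") != "ENCRYPT_DECRYPT" or new_meta.get("KeySpec") != "SYMMETRIC_DEFAULT":
        problems.append("new key must be a symmetric encryption key; S3 SSE-KMS and EBS do not accept asymmetric or HMAC keys")
    if key_region(new_meta) != cluster_region:
        problems.append(
            f"new key lives in {key_region(new_meta)} but the cluster and its storage are in {cluster_region}; "
            "use a key (or a multi-Region replica) whose ARN is in the cluster Region"
        )

    # Rotation keeps the same key ID, so enabling it now never forces another cutover.
    if not new_rotation.get("KeyRotationEnabled", False):
        problems.append("automatic rotation is not enabled on the new key")
    return problems


# Constructed sample responses (placeholder account 111122223333).
OLD_KEY = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Arn": "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeyState": "Enabled", "KeyManager": "CUSTOMER",
    "KeyUsage": "ENCRYPT_DECRYPT", "KeySpec": "SYMMETRIC_DEFAULT", "MultiRegion": False,
}
NEW_KEY = {
    **OLD_KEY,
    "KeyId": "abcd1234-56ef-78ab-90cd-abcdef123456",
    "Arn": "arn:aws:kms:eu-west-1:111122223333:key/abcd1234-56ef-78ab-90cd-abcdef123456",
}
NEW_ROTATION = {"KeyRotationEnabled": True, "RotationPeriodInDays": 365}

# Unsafe variant: old key already scheduled for deletion, new key in another Region, rotation off.
OLD_KEY_PENDING = {**OLD_KEY, "KeyState": "PendingDeletion", "DeletionDate": "2025-07-01T00:00:00Z"}
NEW_KEY_WRONG_REGION = {**NEW_KEY, "Arn": NEW_KEY["Arn"].replace("eu-west-1", "us-east-1")}

if __name__ == "__main__":
    print("safe:", check_cutover(OLD_KEY, NEW_KEY, NEW_ROTATION))
    for p in check_cutover(OLD_KEY_PENDING, NEW_KEY_WRONG_REGION, {"KeyRotationEnabled": False}):
        print("blocked:", p)
```

The check is deliberately strict about the old key: a key in PendingDeletion is as unusable as a disabled one, and the deletion date in the output tells you how long CancelKeyDeletion is still an option.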

Best practices

Practice | Description
Separate keys per environment | Use different keys for production, staging, and development clusters.
Regular auditing | Periodically review AWS KMS key policies and access logs.
Monitor rotation | Use Amazon CloudWatch or Amazon EventBridge to track key rotation events.

Audit logging

AWS KMS integrates with AWS CloudTrail, which records every API call made against your keys, including the cryptographic operations Camunda performs. You are responsible for monitoring and persisting these logs.

What is logged

  • Encrypt, Decrypt, GenerateDataKey, and CreateGrant operations
  • Failed attempts when the caller is not authorized (the CloudTrail record carries an AccessDenied errorCode)

Log visibility

All AWS KMS operations performed by Camunda appear in AWS CloudTrail in your AWS account.

Audit best practices

  1. Enable an AWS CloudTrail trail in the cluster Region and deliver the logs to an S3 bucket. CloudTrail Event history alone keeps only 90 days, and a trail can be configured to exclude AWS KMS events, so verify that KMS logging is on.
  2. Set up Amazon CloudWatch or Amazon EventBridge alerts for key deletion, disabled keys, and access denied events.
  3. Review the logs regularly for compliance.
  4. Use tools such as CloudTrail Lake or IAM Access Analyzer (which can flag key policies that grant access outside your account) to simplify auditing.
  5. Export the logs to a centralized SIEM if required.

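As an added example (not Camunda's code and not an AWS tool), the script below applies the alerting in steps 1 and 2 to a batch of CloudTrail records: it flags successful calls that make a key unusable (DisableKey, ScheduleKeyDeletion, and similar) and denied data-plane calls such as Decrypt, and it emits the matching EventBridge rule pattern for the same control-plane events. The record fields follow CloudTrail's JSON schema; the account ID, key ARN, principal ARNs and the bucket name are constructed placeholders, and the sample log is embedded inline so the script runs offline.

```python
"""Triage AWS CloudTrail records for KMS events that warrant an alert.

Added example, not Camunda's own code. Record fields follow CloudTrail's JSON
schema (eventSource, eventName, errorCode, errorMessage, requestParameters,
resources, userIdentity). A CloudTrail file delivered to S3 is a gzipped JSON
object with a top-level "Records" array in exactly this shape. The account ID,
key ARN, principal ARNs and bucket name below are constructed placeholders.
"""
import json
import re

# Control-plane calls that make a key unusable, change who may use it, or turn
# off rotation: alert when they succeed.
STATE_CHANGING = {"DisableKey", "ScheduleKeyDeletion", "PutKeyPolicy", "RevokeGrant", "DisableKeyRotation"}
# Data-plane calls a Camunda cluster makes under BYOK: alert when they are denied.
DATA_PLANE = {"Encrypt", "Decrypt", "ReEncrypt", "GenerateDataKey",
              "GenerateDataKeyWithoutPlaintext", "CreateGrant"}
DENIED = {"AccessDenied", "AccessDeniedException"}


def key_of(record):
    """Key ARN or ID named by a record. Control-plane calls carry it in
    requestParameters.keyId; Decrypt usually carries it only in resources[].ARN;
    a denied call often names it only in errorMessage."""
    params = record.get("requestParameters") or {}
    if params.get("keyId"):
        return params["keyId"]
    for res in record.get("resources") or []:
        if res.get("type") == "AWS::KMS::Key" and res.get("ARN"):
            return res["ARN"]
    found = re.search(r"arn:aws:kms:\S+", record.get("errorMessage") or "")
    return found.group(0) if found else "<unknown key>"


def actor_of(record):
    ident = record.get("userIdentity") or {}
    return ident.get("arn") or ident.get("principalId") or "<unknown principal>"


def classify(record):
    """Return an alert dict for one record, or None if nothing needs attention."""
    if record.get("eventSource") != "kms.amazonaws.com":
        return None
    name, err = record.get("eventName"), record.get("errorCode")
    if name in STATE_CHANGING and err is None:
        return {"severity": "high", "event": name, "key": key_of(record), "actor": actor_of(record),
                "reason": f"{name} succeeded; the cluster may lose access to data encrypted under this key"}
    if name in DATA_PLANE and err in DENIED:
        return {"severity": "high", "event": name, "key": key_of(record), "actor": actor_of(record),
                "reason": f"{name} denied: {record.get('errorMessage', '')}"}
    return None


def triage(records):
    """Alerts for every record in a CloudTrail batch, in delivery order."""
    return [a for a in (classify(r) for r in records) if a]


def load_records(text):
    """Parse the body of a CloudTrail log file ({"Records": [...]})."""
    return json.loads(text)["Records"]


def eventbridge_pattern():
    """EventBridge rule pattern matching the same control-plane calls as they
    arrive through CloudTrail, for the alerting in the audit best practices."""
    return {
        "source": ["aws.kms"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {"eventSource": ["kms.amazonaws.com"], "eventName": sorted(STATE_CHANGING)},
    }


# Constructed sample log (placeholder account 111122223333).
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
CLUSTER_ROLE = "arn:aws:iam::111122223333:role/camunda-byok-access"  # placeholder principal
ADMIN_USER = "arn:aws:iam::111122223333:user/alice"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "arn": CLUSTER_ROLE},
     "requestParameters": {"encryptionAlgorithm": "SYMMETRIC_DEFAULT"},
     "resources": [{"type": "AWS::KMS::Key", "ARN": KEY_ARN}]},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"type": "AssumedRole", "arn": CLUSTER_ROLE},
     "errorCode": "AccessDenied",
     "errorMessage": "User is not authorized to perform: kms:Decrypt on resource: " + KEY_ARN,
     "requestParameters": None},
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN_USER},
     "requestParameters": {"keyId": KEY_ARN, "pendingWindowInDays": 7}},
    {"eventSource": "kms.amazonaws.com", "eventName": "DescribeKey",
     "userIdentity": {"type": "IAMUser", "arn": ADMIN_USER},
     "requestParameters": {"keyId": KEY_ARN}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "arn": CLUSTER_ROLE},
     "requestParameters": {"bucketName": "camunda-backups", "key": "snapshot-1"}},
]})

if __name__ == "__main__":
    for alert in triage(load_records(SAMPLE_LOG)):
        print(f"[{alert['severity']}] {alert['event']} on {alert['key']} by {alert['actor']}: {alert['reason']}")
    print(json.dumps(eventbridge_pattern(), indent=2))
```

Of the five sample records only two raise alerts: the denied Decrypt by the cluster role (the key ARN is recovered from errorMessage, since denied calls carry no resources block) and the successful ScheduleKeyDeletion by an administrator. The successful Decrypt, the DescribeKey and the S3 call stay quiet, which is the ratio you want when this runs over a production trail.
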
Audit responsibility

You are responsible for monitoring and persisting AWS KMS activity and logs. Camunda does not have access to AWS CloudTrail logs in your account.