CMK Encryption

By default, OpenSearch UI encrypts application metadata using AWS owned keys. You can use your own customer managed key (CMK) from AWS KMS for additional control.

What gets encrypted

CMK encryption covers application metadata: configuration settings, workspace definitions, and saved objects metadata (dashboards, visualizations, index patterns). It does not cover data stored in your OpenSearch domains — those have separate encryption settings.

When to use CMK

Scenario                                     Recommendation
-------------------------------------------  -------------------------------------
Development or testing                       AWS owned keys (default)
Production with compliance requirements      CMK
Regulated industries (HIPAA, PCI, FedRAMP)   CMK
Need to revoke access to encrypted data      CMK — disable the key to block access

Prerequisites

  • A KMS symmetric encryption key in the same Region as your application
  • IAM permissions: kms:CreateKey, kms:DescribeKey, kms:CreateGrant

Step 1: Create a KMS key

aws kms create-key --description "OpenSearch UI encryption" --region us-east-1

Note the KeyId from the output.

Step 2: Update the key policy

Add the OpenSearch UI service principal to your key policy:

{
  "Sid": "AllowOpenSearchUIService",
  "Effect": "Allow",
  "Principal": {
    "Service": "opensearchservice.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:CreateGrant",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

Step 3: Create the application with CMK

Console

  1. Open the OpenSearch Service console
  2. Choose OpenSearch UI (Dashboards) then Create application
  3. In the Encryption section, choose Customize encryption settings
  4. Select your KMS key
  5. Choose Create

CLI

aws opensearch create-application \
  --name my-encrypted-app \
  --region us-east-1 \
  --encryption-at-rest-options '{"kmsKeyId":"arn:aws:kms:us-east-1:ACCOUNT:key/KEY_ID"}'

Monitoring

CMK usage is logged in CloudTrail:

Event              Meaning
-----------------  -------------------------------
Decrypt            Reading encrypted metadata
GenerateDataKey    Writing new encrypted metadata
CreateGrant        Setting up key access

Important

  • You cannot change the encryption key after creation
  • Disabling or deleting the KMS key makes the application inaccessible
  • KMS keys cost ~$1/month plus per-request charges
  • The key must be in the same Region as the application

Troubleshooting

Symptom                    Cause                        Fix
-------------------------  ---------------------------  ----------------------------------------
KMS key not found          Key in different Region      Use a key in the same Region
Access denied on KMS key   Missing service principal    Add OpenSearch UI service to key policy
Application inaccessible   KMS key disabled/deleted     Re-enable key or cancel deletion
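As an added example (not part of the AWS documentation), the following Python prepares the Step 2 key-policy change and performs the two Troubleshooting checks that can be made before any API call: that the key ARN is in the application's Region, and that the policy grants the service principal the four required actions. The sample default key policy and the account number 123456789012 are constructed placeholders; the service principal and actions are taken from Step 2 above.

```python
import json
# Key-policy statement from Step 2 of this page (service principal as given there).
# In a key policy, "Resource": "*" means the key the policy is attached to.
OPENSEARCH_UI_STATEMENT = {
    "Sid": "AllowOpenSearchUIService",
    "Effect": "Allow",
    "Principal": {"Service": "opensearchservice.amazonaws.com"},
    "Action": ["kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant", "kms:DescribeKey"],
    "Resource": "*",
}

# Constructed sample of the default policy `aws kms create-key` attaches (account
# root is key administrator); 123456789012 is a placeholder account number.
SAMPLE_KEY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Enable IAM User Permissions", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "kms:*", "Resource": "*"}]})

def parse_kms_key_arn(arn):
    """Return (region, account, key_id) from a KMS key ARN; raise ValueError otherwise."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "kms" or not parts[5].startswith("key/"):
        raise ValueError(f"not a KMS key ARN: {arn}")
    return parts[3], parts[4], parts[5][len("key/"):]

def key_region_matches(arn, app_region):
    """Prerequisite behind the 'KMS key not found' symptom: key Region must equal app Region."""
    return parse_kms_key_arn(arn)[0] == app_region

def add_opensearch_ui_statement(policy_json):
    """Merge the Step 2 statement into an existing key policy document (idempotent by Sid).
    Existing statements are kept: dropping the administrator statement can lock you out.
    Pass the result to `aws kms put-key-policy --policy-name default --policy file://policy.json`."""
    policy = json.loads(policy_json)
    kept = [s for s in policy.get("Statement", []) if s.get("Sid") != OPENSEARCH_UI_STATEMENT["Sid"]]
    policy["Statement"] = kept + [OPENSEARCH_UI_STATEMENT]
    return json.dumps(policy, indent=2)

def service_has_required_actions(policy_json):
    """Check behind 'Access denied on KMS key': does an Allow statement grant the
    OpenSearch UI service principal all four actions? (exact names only, no wildcards)"""
    want = OPENSEARCH_UI_STATEMENT["Principal"]["Service"]
    granted = set()
    for s in json.loads(policy_json).get("Statement", []):
        principal = s.get("Principal")
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if s.get("Effect") == "Allow" and want in ([services] if isinstance(services, str) else services):
            actions = s.get("Action", [])
            granted.update([actions] if isinstance(actions, str) else actions)
    return set(OPENSEARCH_UI_STATEMENT["Action"]) <= granted
```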