How do I configure Customer Managed KMS Key with Amazon Q Developer?

3 minute read

Content level: Intermediate

This article describes steps to configure Customer Managed KMS Key with Amazon Q Developer

Short description:

By default, Amazon Q Developer uses AWS managed keys for encryption. Sometimes customers might want to setup and use a Customer Managed KMS Key with Amazon Q Developer. Customer managed keys can be used for specific features including:

Chat in the AWS console
Console error diagnosis
Customizations
Agent for software development
Agent for code transformation
Security scans

Resolution:

First, ensure you have the necessary permissions to use AWS KMS and Amazon Q Developer. Administrators need permissions to manage KMS keys and configure Amazon Q Developer
Create a Customer Managed KMS Key (if you haven't already):

aws kms create-key
Set up the required IAM permissions. Users need a policy that allows Amazon Q to access the customer managed key. Here's an example policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QKMSDecryptGenerateDataKeyPermissions",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo"
      ],
      "Resource": [
        "arn:aws:kms:{{region}}:{{account_id}}:key/[[key_id]]"
      ],
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "q.{{region}}.amazonaws.com"
          ]
        }
      }
    }
  ]
}

4. Configure Amazon Q Developer to use your Customer managed KMS key: * Open the Amazon Q Developer console * Go to Settings * In the Amazon Q Developer account details panel, click Edit * Expand the "Encryption key - optional" section * Select "Customize encryption settings (advanced)" * Search for and select your customer managed key by name or ARN

NOTE:

If you encounter KMS grant-related errors, you may need to update permissions by clicking "Update permissions" in the Amazon Q Developer console.
You can revert to using AWS managed keys at any time by deselecting "Customize encryption settings".
Remember that using customer managed keys gives you more control over the encryption keys, including the ability to audit key usage, create key policies, and revoke access if needed.
For using Customer Managed KMS key, you should not have an existing Customizations. If you already have a customization, you will encounter following error while updating the KMS key under Amazon Q developer settings.
Resource is in Invalid State
You can delete the existing Customizations and then proceed to follow the steps for setting-up Customer Managed KMS Key with Amazon Q Developer and then re-create Customizations.

Related information:

Managing the encryption method in Amazon Q Developer

Topics

Security, Identity, & Compliance Machine Learning & AI

Relevant content

Creating a custom resource with Amazon Q Developer
AWS OFFICIALUpdated 12 days ago
Setting Up Amazon Q Developer Operational Investigations (Preview)
EXPERT
Raj
published a month ago
Transform Kubernetes Manifests using Amazon Q Developer
EXPERT
Olawale
published 2 months ago
Question about Amazon Q Developer
Accepted Answer
Jason Ip
asked 10 days ago
RDS encryption - Switch from KMS AWS Managed Key to Customer Managed Key
AWS-User-8528002
asked 2 years ago
How to set up the Amazon Q Developer Pro subscription for personal use?
Baskaran
asked 4 months ago
How do I set up Amazon Q Developer chat on the AWS Management Console?
AWS OFFICIALUpdated 3 months ago
Should I use an AWS KMS managed key or a customer managed KMS key to encrypt my objects on Amazon S3?
AWS OFFICIALUpdated 9 months ago
How do I use CloudTrail to log Amazon Q Developer events that my IDE or CLI provides?
AWS OFFICIALUpdated 3 months ago
How do I manually rotate customer managed keys in AWS KMS?
AWS OFFICIALUpdated a year ago