AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys.


Turbot uses KMS to encrypt and protect sensitive information stored in your Turbot Clusters - we’ve found it to be reliable, easy to use and very good value for the quality of encryption at low monthly rates.

Available immmediately, Turbot has added enterprise guardrails for the use of KMS, making it easy and safe to put this encryption technology in your application teams hands. Specifically:

  • Control which teams have access to use KMS.

  • Use newly predefined AWS/KMS/{Metadata,Operator,Admin} groups for KMS.

  • Users in Turbot’s standard AWS/{Metadata,Operator,Admin} groups have KMS access immediately integrated.

  • Rely on Turbot’s lockdown and continuous enforcement of key policies and grants, preventing the sharing of access to keys with other AWS accounts or organizations but still allowing grants of keys to AWS services requiring access.

  • Enforce the use of KMS encryption for S3 objects, RDS instances and/or Redshift clusters. Turbot’s controls for those services have been updated to be aware of KMS and different encryption levels.

We believe that KMS will become a key part of application development and data security with AWS services for many of our customers. Please let us know how you are using KMS and any other best practices or controls that Turbot can help automate!

Getting started with KMS

The KMS application has a default setting of Disabled in Turbot.

If you wish to block the use of KMS for all accounts:

  1. Open your Turbot Console in a browser window.
  2. Login as a Cluster Administrator.
  3. Browse to ADMIN, then Options.
  4. Navigate to Application Options, KMS.
  5. Set KMS App Enabled to Disabled or Enabled.
  6. Click Customize, then Recommend as Default or Require by Policy.