Connect Salesforce to AWS KMS and Create a Data Encryption Key
When you configure the connection between Salesforce and AWS, you provide information about the AWS KMS key that you want Salesforce to use (its key identifier, region, and a description). Salesforce then generates a key policy statement in JSON, which you add to the policy of that key in the AWS console.
Required Editions
Available in both Lightning Experience and Salesforce Classic (not available in
all orgs).
Available in: Enterprise, Performance, Unlimited, and
Developer Editions. Requires purchasing Salesforce Shield or Shield
Platform Encryption, and the External Key Management Service. Data 360 customers
must also have the Platform Encryption for Consumption license.
User Permissions Needed
To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys
Important Before you can use EKM, you must create and configure the AWS KMS key that you plan to use. See the AWS Key Management Service documentation.
Salesforce generates a key policy statement for you to add to the policy of that key in AWS KMS. The permissions granted by that statement are what allow Salesforce to use your key to generate and wrap a data encryption key for encryption and decryption operations in Salesforce.
1. From Setup, in the Quick Find box, enter Platform Encryption, and then select Advanced Settings. Turn on External Key Management.
The External Key Management configuration controls are now available on the Key Management page.
2. From Setup, in the Quick Find box, enter Platform Encryption, and then select Key Management.
3. Click the tab for the service that you need EKM for (Data Cloud, Fields and Files - Probabilistic, Fields - Deterministic, Event Bus, or Search Index), and then click Generate Root Key on that tab.
The Configure a Key Management Service box appears.
4. Select AWS Key Management Service, and then click Start.
5. Follow the prompts to gather and enter your AWS KMS key information: the key identifier, region, and description. A unique description helps you distinguish between keys for efficient auditing and key management.
6. On the Key Policy tab, click Copy to copy the generated JSON text.
The copied JSON contains details about the AWS KMS key that you entered in the previous step.
7. Log in to the AWS KMS console and paste the copied JSON into the key policy of your key, then save your changes. Add it as a statement inside the existing policy rather than replacing the whole policy: a key policy is a single document, and saving one that omits your existing statements removes the permissions they granted. Make sure that the ARN references your key ID and not an alias name, for example key/key_id rather than alias/alias_name.
8. In Salesforce, on the Key Management page, click Done.
You receive a notification that AWS KMS is connected to Salesforce and that a Salesforce data encryption key was created. Verify the connection and the new data encryption key on the Key Management page.
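The key policy step, as an added example that is not from the Salesforce or AWS documentation: a small Python script that checks that the statement copied from the Key Policy tab names the key by ID (key/...) rather than by alias (alias/...), and appends it to the existing key policy without dropping the statements already in it. The existing policy, the Salesforce statement (its Sid, principal role, and actions), the account IDs, and the key ID are all constructed placeholders; the real statement is whatever Salesforce generates for your key.

```python
"""Check and merge a Salesforce-generated key policy statement into an AWS KMS key policy.

Added example; it is not code from the Salesforce or AWS documentation. The Salesforce
statement below is a constructed stand-in: the real Sid, Principal and Action list come
from the Key Policy tab in Setup, and the account IDs, role name and key ID are placeholders.
"""
import json
import re

# A KMS ARN that names the key by ID rather than by alias, e.g.
# arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
KEY_ARN_RE = re.compile(r"^arn:aws(?:-[a-z-]+)?:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# Constructed key policy in the shape the AWS console creates for a new key
# (placeholder account ID). Saving a key policy replaces the whole document, so the
# statements already in it must survive the merge.
EXISTING_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "key-default-1",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
})

# Constructed stand-in for the JSON copied from the Salesforce Key Policy tab. The
# principal and the actions are assumptions for illustration, not Salesforce's values.
SALESFORCE_STATEMENT = json.dumps({
    "Sid": "AllowSalesforceExternalKeyManagement",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::999999999999:role/HypotheticalSalesforceEkmRole"},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt", "kms:DescribeKey"],
    "Resource": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
})

# Constructed wrong variant: the same statement naming the key by alias, which the
# Salesforce instructions tell you not to do.
ALIAS_STATEMENT = SALESFORCE_STATEMENT.replace(
    "key/1234abcd-12ab-34cd-56ef-1234567890ab", "alias/salesforce-ekm"
)


def references_key_id(arn: str) -> bool:
    """True when a KMS ARN names the key by ID (key/...), False for alias/... or malformed."""
    return KEY_ARN_RE.match(arn) is not None


def kms_arns_in(element):
    """Yield every KMS ARN string anywhere inside a policy element (Resource, Condition, ...)."""
    if isinstance(element, str):
        if element.startswith("arn:aws") and ":kms:" in element:
            yield element
    elif isinstance(element, dict):
        for value in element.values():
            yield from kms_arns_in(value)
    elif isinstance(element, list):
        for value in element:
            yield from kms_arns_in(value)


def merge_key_policy(existing_policy: str, new_statement: str) -> dict:
    """Append the Salesforce statement to the existing policy and return the merged policy.

    Rejects a statement whose KMS ARN uses alias/ instead of key/, and a Sid that would
    collide with one already in the policy. Existing statements are kept unchanged.
    """
    policy = json.loads(existing_policy)
    statement = json.loads(new_statement)
    for arn in kms_arns_in(statement):
        if not references_key_id(arn):
            raise ValueError(f"key policy must reference key/<key_id>, not an alias: {arn}")
    statements = policy.setdefault("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
        policy["Statement"] = statements
    existing_sids = {s.get("Sid") for s in statements if s.get("Sid")}
    if statement.get("Sid") in existing_sids:
        raise ValueError(f"duplicate Sid in key policy: {statement['Sid']}")
    statements.append(statement)
    return policy


def policy_to_json(policy: dict) -> str:
    """Serialize the merged policy in the form you paste into the console or upload via CLI."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print(policy_to_json(merge_key_policy(EXISTING_POLICY, SALESFORCE_STATEMENT)))
```

If you prefer the CLI to the console, fetch the current policy with `aws kms get-key-policy --key-id <key_id> --policy-name default --output text`, feed that text to `merge_key_policy` in place of the constructed EXISTING_POLICY, and upload the result with `aws kms put-key-policy --key-id <key_id> --policy-name default --policy file://merged.json`. Either way, keep the account's existing statements in the document you save; only the Salesforce statement is new.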