
Bring Your Own Key with Laurel Integration Guide

Written by Thomas Zhang
Updated over a month ago

BYOK Integration:

Step 1: Identify or Create Your AWS KMS Key

Create a new AWS KMS key for Laurel:

  1. Log in to the AWS Management Console.

  2. Navigate to the Key Management Service (KMS).

  3. Choose Customer managed keys.

  4. Click Create key.

  5. Configure the key settings, including:

    1. Key Type: Select Symmetric

    2. Description: A description of the key's purpose.

    3. Key Material Origin: Select KMS

    4. Regionality: Choose Single-region (a single-region key is still highly available: KMS replicates it across multiple Availability Zones within the Region and handles failover for you)

  6. Define Key Usage Permissions: this is the crucial step, because it is where the Key Policy is edited. You may also do this later, as part of Step 2.

  7. Review and finish creating the key.

  8. Copy the Key ARN: once the key is created, copy its ARN (Amazon Resource Name). You will need it for the Laurel configuration in Step 3. The ARN looks like this: arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab

Step 2: Configuring Your AWS KMS Key Policy

The Key Policy controls which AWS principals (users, roles, services) can use the key and how. Laurel must be granted permission to use your key, so you must modify the key policy to allow it. Best practice is to scope the grant with a condition that names Laurel's AWS Account ID, as the statement below does.

  1. In the AWS KMS console, find your key.

  2. Go to the "Key policy" section.

  3. Switch to "Policy view" (if not already in it).

  4. Edit the policy. Add the following statement to the policy's "Statement" array (or modify an existing statement to match it):

JSON

{
  "Sid": "Allow Laurel cross-account access",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::518350385672:root"
  },
  "Action": [
    "kms:ReEncryptTo",
    "kms:ReEncryptFrom",
    "kms:GenerateDataKey",
    "kms:Encrypt",
    "kms:DescribeKey",
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "ArnLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::518350385672:role/enrichment-app-role-*",
        "arn:aws:iam::518350385672:role/assistant-app-role-*",
        "arn:aws:iam::518350385672:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Oncall_*"
      ]
    }
  }
}

Explanation of the Policy Statement:

  • Sid: A statement identifier (you can choose a descriptive name).

  • Effect: Allow grants permission.

  • Principal: The root of Laurel's AWS account, which allows the cross-account grant to be delegated to roles in that account.

  • Action: Specifies the KMS actions Laurel is allowed to perform:

    • kms:Encrypt: Allows Laurel to encrypt data.

    • kms:Decrypt: Allows Laurel to decrypt data.

    • kms:ReEncryptFrom and kms:ReEncryptTo: Allow Laurel to re-encrypt data (e.g., during key rotation).

    • kms:GenerateDataKey: Allows Laurel to generate data keys for encryption.

    • kms:DescribeKey: Allows Laurel to retrieve key metadata.

  • Resource: In a key policy, "*" refers to this key only.

  • Condition: The ArnLike condition on aws:PrincipalArn narrows the grant from the whole Laurel account to the listed Laurel application and on-call roles; no other principal in that account can use the key.

  5. Save the updated key policy.
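As an added example (not Laurel's own tooling), the following Python checks an exported key policy document against the statement above: it confirms that the owner account keeps administrative rights on the key (so you cannot lock yourself out), that the Laurel statement grants exactly the six actions listed, and that the aws:PrincipalArn condition is present and limited to roles in Laurel's account. The owner account 123456789012 and SAMPLE_POLICY are constructed; Laurel's account ID and role patterns are taken from the statement above.

```python
LAUREL_ACCOUNT = "518350385672"  # Laurel's AWS account ID, as given in the guide
REQUIRED_ACTIONS = {"kms:ReEncryptTo", "kms:ReEncryptFrom", "kms:GenerateDataKey",
                    "kms:Encrypt", "kms:DescribeKey", "kms:Decrypt"}

def _as_list(v):
    return v if isinstance(v, list) else ([] if v is None else [v])

def check_key_policy(policy, owner_account, laurel_account=LAUREL_ACCOUNT):
    """Return findings for a key policy; empty means owner keeps admin and Laurel's grant matches the guide."""
    findings, laurel_stmts, owner_admin = [], [], False
    laurel_root, owner_root = f"arn:aws:iam::{laurel_account}:root", f"arn:aws:iam::{owner_account}:root"
    for s in _as_list(policy.get("Statement")):
        if s.get("Effect") != "Allow":
            continue
        p = s.get("Principal")
        principals = _as_list(p.get("AWS")) if isinstance(p, dict) else _as_list(p)
        actions = set(_as_list(s.get("Action")))
        if owner_root in principals and actions & {"kms:*", "kms:PutKeyPolicy"}:
            owner_admin = True  # the owner can still edit the key policy
        if laurel_root in principals:
            laurel_stmts.append((s.get("Sid"), actions, s.get("Condition") or {}))
    if not owner_admin:
        findings.append("owner account keeps no kms:* / kms:PutKeyPolicy statement: risk of lock-out")
    if not laurel_stmts:
        findings.append("no Allow statement for Laurel's account root principal")
    for sid, actions, cond in laurel_stmts:
        if REQUIRED_ACTIONS - actions:
            findings.append(f"{sid}: missing actions {sorted(REQUIRED_ACTIONS - actions)}")
        if actions - REQUIRED_ACTIONS:
            findings.append(f"{sid}: actions beyond the guide's list {sorted(actions - REQUIRED_ACTIONS)}")
        patterns = _as_list((cond.get("ArnLike") or {}).get("aws:PrincipalArn"))
        if not patterns:
            findings.append(f"{sid}: no aws:PrincipalArn condition, so any principal in Laurel's account could use the key")
        for pat in patterns:
            if not pat.startswith(f"arn:aws:iam::{laurel_account}:role/"):
                findings.append(f"{sid}: condition pattern {pat!r} is not a role in Laurel's account")
    return findings

# Constructed sample: the console's default owner statement plus the Step 2 statement, kept together in one list.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow Laurel cross-account access", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{LAUREL_ACCOUNT}:root"},
     "Action": sorted(REQUIRED_ACTIONS), "Resource": "*",
     "Condition": {"ArnLike": {"aws:PrincipalArn": [
         f"arn:aws:iam::{LAUREL_ACCOUNT}:role/enrichment-app-role-*",
         f"arn:aws:iam::{LAUREL_ACCOUNT}:role/assistant-app-role-*",
         f"arn:aws:iam::{LAUREL_ACCOUNT}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Oncall_*"]}}}]}
```

Run it against the policy exported from the console (Policy view) with your own account ID as owner_account; any finding means the policy deviates from the guide.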

Step 3: Configure Laurel

  1. Log in to Laurel.

  2. Navigate to the Security Settings tab in Laurel Admin (you need to be a super customer admin to access this).

  3. Enter the following information:

    • AWS KMS Key ARN: Paste the ARN of your KMS key (from Step 1).

  4. Save the settings.

  5. A Laurel administrator must enable the feature before it becomes active. Once enabled, Laurel uses your KMS key for data encryption. Submit a support ticket and we will validate the key and enable the feature.

Follow this guide for BYOK details.
