Customer-managed keys (optional)

Next generation Resilience Hub supports customer-managed AWS KMS keys (CMKs) for encrypting your data. To use a CMK, ensure your IAM policy includes the following AWS KMS permissions:

kms:DescribeKey
kms:GenerateDataKey
kms:Encrypt
kms:Decrypt

For scheduled or long-running assessments, also include kms:CreateGrant.

No changes to the invoker role are needed for CMK encryption. Next generation Resilience Hub uses your caller identity for synchronous operations and AWS KMS grants for asynchronous operations.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Multi-account setup (without AWS Organizations)

Getting started with Next generation Resilience Hub