

On October 7, 2026, AWS will discontinue support for Amazon Lookout for Equipment. After October 7, 2026, you will no longer be able to access the Lookout for Equipment console or resources. For more information, [see the following](https://aws.amazon.com/blogs/machine-learning/preserve-access-and-explore-alternatives-for-amazon-lookout-for-equipment/).

# Data protection in Amazon Lookout for Equipment
<a name="data-protection"></a>

Amazon Lookout for Equipment conforms to the AWS [shared responsibility model](https://aws.amazon.com/compliance/shared-responsibility-model/), which includes regulations and guidelines for data protection. AWS is responsible for protecting the global infrastructure that runs all AWS services. AWS maintains control over data hosted on this infrastructure, including the security configuration controls for handling customer content and personal data. AWS customers and APN partners, acting either as data controllers or data processors, are responsible for any personal data that they put in the AWS Cloud.

For data protection purposes, we recommend that you protect AWS account credentials and set up individual user accounts with AWS Identity and Access Management (IAM), so that each user is given only the permissions necessary to fulfill their job duties. We also recommend that you secure your data in the following ways:
+ Use multi-factor authentication (MFA) with each account.
+ Use SSL/TLS to communicate with AWS resources. We recommend TLS 1.2 or later.
+ Set up API and user activity logging with AWS CloudTrail.
+ Use AWS encryption solutions, along with all default security controls within AWS services.
+ Use advanced managed security services such as Amazon Macie, which assists in discovering and securing personal data that is stored in Amazon Simple Storage Service (Amazon S3).

We strongly recommend that you never put sensitive identifying information, such as your customers' account numbers, into free-form fields such as a `Name` field. This includes when you work with Amazon Lookout for Equipment or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter into Amazon Lookout for Equipment or other services might get picked up for inclusion in diagnostic logs. When you provide a URL to an external server, don't include credentials in the URL to validate your request to that server.

For more information about data protection, see the [AWS Shared Responsibility Model and GDPR](https://aws.amazon.com/blogs/security/the-aws-shared-responsibility-model-and-gdpr/) blog post on the *AWS Security Blog*.

**Topics**
+ [Encryption at rest](encryption-at-rest.md)
+ [Encryption in transit](encryption-in-transit.md)
+ [Key management](key-management.md)

# Encryption at rest
<a name="encryption-at-rest"></a>

Amazon Lookout for Equipment encrypts your data at rest with your choice of an encryption key. You can choose one of the following:
+ An AWS owned key. If you don't specify an encryption key, your data is encrypted with this key by default.
+ A customer managed key. You can provide the Amazon Resource Name (ARN) of an encryption key that you created in your account. When you use a customer managed key, you must give the key a key policy that enables Amazon Lookout for Equipment to use the key. You must choose a symmetric customer managed key. Amazon Lookout for Equipment doesn't support asymmetric customer managed keys. For more information, see [Key management](key-management.md).
+ For objects that Amazon Lookout for Equipment writes to Amazon S3, the bucket's own encryption configuration applies. You have to set Amazon S3 default encryption on your bucket to encrypt objects that Amazon Lookout for Equipment stores in it. For more information, see [S3 bucket encryption](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html).
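
The two requirements above (a symmetric customer managed key passed by ARN, and default encryption on the S3 bucket) can be checked before a dataset or model is created. The following is an added example, not AWS or Lookout for Equipment code: it inspects the response dicts that boto3's `kms.describe_key()` and `s3.get_bucket_encryption()` return. The responses, key ARNs and account ID below are constructed placeholders so the check runs offline.

```python
"""Pre-checks for the encryption-at-rest choices above, run on boto3 response dicts.

Added example, not AWS or Lookout for Equipment code. The sample responses,
ARNs and account ID are constructed placeholders.
"""
import re

# Key ARN form the service expects (not an alias ARN or a bare key ID).
KEY_ARN_RE = re.compile(r"^arn:aws[a-z-]*:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# Constructed sample of kms.describe_key() for a symmetric customer managed key.
SAMPLE_SYMMETRIC_KEY = {
    "KeyMetadata": {
        "Arn": "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555",
        "KeyState": "Enabled",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "KeySpec": "SYMMETRIC_DEFAULT",
        "KeyManager": "CUSTOMER",
    }
}

# Constructed sample of an RSA signing key, which the service does not accept.
SAMPLE_ASYMMETRIC_KEY = {
    "KeyMetadata": {
        "Arn": "arn:aws:kms:us-east-1:111122223333:key/66666666-7777-8888-9999-000000000000",
        "KeyState": "Enabled",
        "KeyUsage": "SIGN_VERIFY",
        "KeySpec": "RSA_2048",
        "KeyManager": "CUSTOMER",
    }
}

# Constructed sample of s3.get_bucket_encryption() with SSE-KMS default encryption.
SAMPLE_BUCKET_ENCRYPTION = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": SAMPLE_SYMMETRIC_KEY["KeyMetadata"]["Arn"],
                },
                "BucketKeyEnabled": True,
            }
        ]
    }
}


def check_customer_managed_key(describe_key_response, requested_arn):
    """Return the reasons the key cannot be given to Lookout for Equipment (empty list = OK)."""
    md = describe_key_response["KeyMetadata"]
    problems = []
    if not KEY_ARN_RE.match(requested_arn):
        problems.append("pass the key ARN, not an alias ARN or bare key ID")
    elif md["Arn"] != requested_arn:
        problems.append("DescribeKey returned a different key than the one requested")
    if md["KeySpec"] != "SYMMETRIC_DEFAULT" or md["KeyUsage"] != "ENCRYPT_DECRYPT":
        problems.append(
            f"key is {md['KeySpec']}/{md['KeyUsage']}; only symmetric encryption keys are supported"
        )
    if md["KeyState"] != "Enabled":
        problems.append(f"key state is {md['KeyState']}, not Enabled")
    if md["KeyManager"] != "CUSTOMER":
        problems.append("key is AWS managed; a customer managed key needs your own key policy")
    return problems


def check_bucket_default_encryption(get_bucket_encryption_response, key_arn=None):
    """Return the reasons objects the service writes would not be encrypted as intended.

    boto3 raises ServerSideEncryptionConfigurationNotFoundError instead of returning a
    response when a bucket has no default encryption; treat that exception as a failure too.
    """
    config = get_bucket_encryption_response.get("ServerSideEncryptionConfiguration", {})
    rules = config.get("Rules", [])
    problems = []
    if not rules:
        problems.append("bucket has no default encryption rule")
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        algorithm = default.get("SSEAlgorithm")
        if algorithm not in ("AES256", "aws:kms", "aws:kms:dsse"):
            problems.append(f"unexpected SSEAlgorithm {algorithm!r}")
        # Assumes the bucket rule names the key by its full ARN, as the sample above does.
        if key_arn and algorithm in ("aws:kms", "aws:kms:dsse") and default.get("KMSMasterKeyID") != key_arn:
            problems.append("bucket default KMS key differs from the key chosen for Lookout for Equipment")
    return problems


if __name__ == "__main__":
    print(check_customer_managed_key(SAMPLE_SYMMETRIC_KEY, SAMPLE_SYMMETRIC_KEY["KeyMetadata"]["Arn"]))
    print(check_customer_managed_key(SAMPLE_ASYMMETRIC_KEY, SAMPLE_ASYMMETRIC_KEY["KeyMetadata"]["Arn"]))
    print(check_bucket_default_encryption(SAMPLE_BUCKET_ENCRYPTION, SAMPLE_SYMMETRIC_KEY["KeyMetadata"]["Arn"]))
```

Against a live account you would feed `check_customer_managed_key` the dict from `boto3.client("kms").describe_key(KeyId=arn)` and `check_bucket_default_encryption` the dict from `boto3.client("s3").get_bucket_encryption(Bucket=name)`; the key-ARN comparison is only meaningful if the bucket rule was configured with the full ARN rather than a key ID or alias.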

# Encryption in transit
<a name="encryption-in-transit"></a>

Amazon Lookout for Equipment copies data out of your account and processes it in an internal AWS system. Amazon Lookout for Equipment uses TLS 1.2 with AWS certificates to encrypt data sent to other AWS services.

# Key management
<a name="key-management"></a>

Amazon Lookout for Equipment encrypts your data using one of the following types of keys:
+ An AWS owned key. This is the default.
+ A customer managed key. You can create the key when you create an Amazon Lookout for Equipment dataset, model, or inference, or you can create the key using the AWS Key Management Service (AWS KMS) console. Choose a symmetric customer managed key; Amazon Lookout for Equipment doesn't support asymmetric customer managed keys. For more information, see [Using symmetric and asymmetric keys](https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) in the *AWS Key Management Service Developer Guide*.

When you create a key using the AWS KMS console, you can give the key the following policy statements, which enable users or roles to use the key with Amazon Lookout for Equipment. Replace the placeholder ARNs and `Region` with your own values. For more information, see [Using key policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Sid": "Allow to use the key with Amazon Lookout for Equipment",
            "Principal": {
                "AWS": "IAM USER OR ROLE ARN"
            },
            "Action": [
                "kms:DescribeKey",
                "kms:CreateGrant",
                "kms:RetireGrant"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": [
                        "lookoutequipment.Region.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Sid": "Allow to view the key in the console",
            "Principal": {
                "AWS": "IAM USER OR ROLE ARN"
            },
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Sid": "Allow inference scheduler pass-in role to encrypt output data",
            "Principal": {
                "AWS": "INFERENCE SCHEDULER PASS-IN ROLE ARN"
            },
            "Action": [
                "kms:GenerateDataKey"
            ],
            "Resource": "*"
        }
    ]
}
```
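
The policy above is easy to get subtly wrong: a placeholder left in place, the `kms:ViaService` condition dropped from the `kms:CreateGrant` statement (which would let the principal create grants on the key for any service), or the scheduler role's `kms:GenerateDataKey` statement omitted. The following added example, which is not AWS code, builds the page's three statements into a complete policy document and reviews a policy document for those mistakes. It assumes one addition the page does not show: the KMS default key-administrator statement for the account root, without which the account can lose the ability to manage the key. All ARNs and the account ID are placeholders.

```python
"""Build and review the Lookout for Equipment key policy shown above.

Added example, not AWS code. ARNs, account ID and region are placeholders.
"""
import json


def build_lookout_key_policy(account_id, region, user_or_role_arn, scheduler_role_arn):
    """Return the page's three statements as a complete key policy document."""
    via_service = f"lookoutequipment.{region}.amazonaws.com"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Assumed addition: the KMS default administrator statement. Without it,
                # nobody in the account can manage the key once this policy is attached.
                "Sid": "Enable IAM policies for key administration",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
                "Action": "kms:*",
                "Resource": "*",
            },
            {
                "Sid": "Allow to use the key with Amazon Lookout for Equipment",
                "Effect": "Allow",
                "Principal": {"AWS": user_or_role_arn},
                "Action": ["kms:DescribeKey", "kms:CreateGrant", "kms:RetireGrant"],
                "Resource": "*",
                # Grants may only be created through Lookout for Equipment in this region.
                "Condition": {"StringEquals": {"kms:ViaService": [via_service]}},
            },
            {
                "Sid": "Allow to view the key in the console",
                "Effect": "Allow",
                "Principal": {"AWS": user_or_role_arn},
                "Action": ["kms:DescribeKey"],
                "Resource": "*",
            },
            {
                "Sid": "Allow inference scheduler pass-in role to encrypt output data",
                "Effect": "Allow",
                "Principal": {"AWS": scheduler_role_arn},
                "Action": ["kms:GenerateDataKey"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_lookout_key_policy(policy, region):
    """Return the problems a reviewer would raise (empty list means the policy looks right)."""
    problems = []
    expected_via = f"lookoutequipment.{region}.amazonaws.com"
    can_create_grant = can_generate_data_key = False

    # Round-trip through JSON: a dict that cannot serialise is not a policy document.
    policy = json.loads(json.dumps(policy))

    for st in _as_list(policy.get("Statement", [])):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws_principals:
            if p == "*":
                problems.append(f"{sid}: Principal '*' opens the key to every AWS account")
            elif not p.startswith("arn:"):
                problems.append(f"{sid}: principal '{p}' is still a placeholder, not an ARN")

        actions = _as_list(st.get("Action", []))
        via = _as_list(st.get("Condition", {}).get("StringEquals", {}).get("kms:ViaService", []))
        if "kms:CreateGrant" in actions:
            can_create_grant = True
            if expected_via not in via:
                problems.append(f"{sid}: kms:CreateGrant is not restricted with kms:ViaService = {expected_via}")
        for v in via:
            if ".Region." in v:
                problems.append(f"{sid}: kms:ViaService still contains the 'Region' placeholder")
        if "kms:GenerateDataKey" in actions:
            can_generate_data_key = True

    if not can_create_grant:
        problems.append("no statement allows kms:CreateGrant, so Lookout for Equipment cannot use the key")
    if not can_generate_data_key:
        problems.append("no statement allows kms:GenerateDataKey for the inference scheduler role")
    return problems


if __name__ == "__main__":
    doc = build_lookout_key_policy("111122223333", "us-east-1",
                                   "arn:aws:iam::111122223333:role/LookoutUser",
                                   "arn:aws:iam::111122223333:role/LookoutSchedulerRole")
    print(json.dumps(doc, indent=4))
    print(check_lookout_key_policy(doc, "us-east-1"))
```

The check deliberately only looks at statements that name `kms:CreateGrant` explicitly, so the root administrator statement's `kms:*` does not trip the `kms:ViaService` rule; if your organisation's policy is that even administrators may not create grants outside the service, extend that condition accordingly.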