

# Data Encryption at rest for AWS HealthScribe
<a name="health-scribe-encryption"></a>

By default, AWS HealthScribe provides encryption at rest to protect sensitive customer data using AWS HealthScribe managed AWS Key Management Service (AWS KMS) keys. Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. Also, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements. When you create an AWS HealthScribe transcription job or start a stream, you can specify a customer managed key. This adds a second layer of encryption. 
+ **AWS HealthScribe managed AWS KMS keys** — AWS HealthScribe uses AWS HealthScribe managed AWS Key Management Service (AWS KMS) keys by default to automatically encrypt intermediate files. You can't disable this layer of encryption or choose an alternate encryption type. You can't view, manage, or use the keys, or audit their use. However, you don't have to take any action or change any programs to protect the keys that encrypt your data.
+ **Customer managed keys** — AWS HealthScribe supports the use of a symmetric customer managed key that you create, own, and manage to add a second layer of encryption over the existing AWS owned encryption. Because you have full control of this layer of encryption, you can perform such tasks as:
  + Establishing and maintaining key policies
  + Establishing and maintaining IAM policies and grants
  + Enabling and disabling key policies
  + Rotating key cryptographic material
  + Adding tags
  + Creating key aliases
  + Scheduling keys for deletion

  For more information, see [customer managed key](https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#customer-cmk) in the AWS Key Management Service Developer Guide.

**Note**  
AWS HealthScribe automatically enables encryption at rest using AWS-owned keys to protect personally identifiable data at no charge. However, AWS KMS charges apply for using a customer managed key. For more information about pricing, see [AWS Key Management Service pricing](https://aws.amazon.com//kms/pricing/).   
 For more information on AWS KMS, see [What is AWS Key Management Service](https://docs.aws.amazon.com//kms/latest/developerguide/overview.html). 

**Topics**
+ [Creating a customer managed key](health-scribe-encryption-customer.md)
+ [Specifying a customer managed key for AWS HealthScribe](#health-scribe-encryption-managed)
+ [AWS KMS encryption context](#health-scribe-encryption-context)
+ [Monitoring your encryption keys for AWS HealthScribe](#hscribe-monitoring-keys)

# Creating a customer managed key
<a name="health-scribe-encryption-customer"></a>

 You can create a symmetric customer managed key by using the AWS Management Console, or the AWS KMS APIs. To create a symmetric customer managed key, follow the steps for [Creating symmetric customer managed key](https://docs.aws.amazon.com//kms/latest/developerguide/create-keys.html#create-symmetric-cmk) in the AWS Key Management Service Developer Guide. 

Key policies control access to your customer managed key. Every customer managed key must have exactly one key policy, which contains statements that determine who can use the key and how they can use it. When you create your customer managed key, you can specify a key policy. For more information, see [Managing access to customer managed keys](https://docs.aws.amazon.com//kms/latest/developerguide/control-access-overview.html#managing-access) in the AWS Key Management Service Developer Guide. 

## AWS KMS key policies for AWS HealthScribe
<a name="health-scribe-key-policies"></a>

 If you are using a key in the same account as the IAM role you specify as the `DataAccessRole` in your [StartMedicalScribeJob](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_StartMedicalScribeJob.html) or `ResourceAccessRole` in your [StartMedicalScribeStream](https://docs.aws.amazon.com/transcribe/latest/APIReference/API_streaming_StartMedicalScribeStream.html) request, you don't need to update the key policy. To use your customer managed key in a different account from your DataAccessRole (for transcription jobs) or ResourceAccessRole (for streaming), you must trust the respective role in the key policy for the following actions:
+ [Encrypt](https://docs.aws.amazon.com//kms/latest/APIReference/API_Encrypt.html) — Allows encryption using the customer managed key
+ [Decrypt](https://docs.aws.amazon.com//kms/latest/APIReference/API_Decrypt.html) — Allows decryption using the customer managed key
+ [DescribeKey](https://docs.aws.amazon.com//kms/latest/APIReference/API_DescribeKey.html) — Provides the customer managed key details to allow AWS HealthScribe to validate the key

The following is an example key policy you can use to grant your ResourceAccessRole cross-account permissions to use your customer managed key for AWS HealthScribe streaming. To use this policy for transcription jobs, update the `Principal` to use the DataAccessRole ARN, and remove or modify the encryption context condition.

------
#### [ JSON ]


```
{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Sid": "AllowAccessForKeyAdministrators",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::111122223333:root"
         },
         "Action": [
           "kms:*"
         ],
         "Resource": "*"
      },
      {
         "Sid": "AllowAccessToResourceAccessRoleForMedicalScribe",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::111122223333:role/ResourceAccessRole"
         },
         "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey*"
         ],
         "Resource": "*",
         "Condition": {
            "StringEquals": {
                "kms:EncryptionContext:aws:us-east-1:transcribe:medical-scribe:session-id": "1234abcd-12ab-34cd-56ef-123456SAMPLE"
            }
         }
      },
      {
         "Sid": "AllowAccessToResourceAccessRoleForDescribeKey",
         "Effect": "Allow",
         "Principal": {
             "AWS": "arn:aws:iam::111122223333:role/ResourceAccessRole"
         },
         "Action": "kms:DescribeKey",
         "Resource": "*"
     }
   ]
}
```

------

## IAM policy permissions for access roles
<a name="health-scribe-key-data-access-role"></a>

 The IAM policy attached to your DataAccessRole or ResourceAccessRole must grant permissions to perform the necessary AWS KMS actions, regardless of whether the customer-managed key and role are in the same or different accounts. Also, the role's trust policy must grant AWS HealthScribe permission to assume the role.

The following IAM policy example shows how to grant a ResourceAccessRole permissions for AWS HealthScribe streaming. To use this policy for transcription jobs, replace `transcribe.streaming.amazonaws.com` with `transcribe.amazonaws.com` and remove or modify the encryption context.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/KMS-Example-KeyId",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "transcribe.streaming.amazonaws.com",
                    "kms:EncryptionContext:aws:us-east-1:transcribe:medical-scribe:session-id": "1234abcd-12ab-34cd-56ef-123456SAMPLE"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/KMS-Example-KeyId",
            "Condition": {
                "StringEquals": {
                    "kms:ViaService": "transcribe.streaming.amazonaws.com"
                }
            }
        }
    ]
}
```

------

The following is an example trust policy for the ResourceAccessRole. For the DataAccessRole, replace `transcribe.streaming.amazonaws.com` with `transcribe.amazonaws.com`.

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "transcribe.streaming.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:transcribe:us-west-2:111122223333:*"
                }
            }
        }
    ]
}
```

------

 For more information about [specifying permissions in a policy](https://docs.aws.amazon.com//kms/latest/developerguide/control-access-overview.html#overview-policy-elements) or [troubleshooting key access](https://docs.aws.amazon.com//kms/latest/developerguide/policy-evaluation.html#example-no-iam), see the AWS Key Management Service Developer Guide. 

## Specifying a customer managed key for AWS HealthScribe
<a name="health-scribe-encryption-managed"></a>

 You can specify a customer managed key as a second layer of encryption for transcription jobs or streaming. 
+ For transcription jobs, you specify your key in the [OutputEncryptionKMSKeyId](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_StartMedicalScribeJob.html#transcribe-StartMedicalScribeJob-request-OutputEncryptionKMSKeyId) of your [StartMedicalScribeJob](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_StartMedicalScribeJob.html) API operation.
+ For streaming, you specify the key in the [MedicalScribeEncryptionSettings](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_streaming_MedicalScribeEncryptionSettings.html) in your [MedicalScribeConfigurationEvent](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_streaming_MedicalScribeConfigurationEvent.html). 

## AWS KMS encryption context
<a name="health-scribe-encryption-context"></a>

 AWS KMS encryption context is a map of plain text, non-secret key:value pairs. This map represents additional authenticated data, known as encryption context pairs, which provide an added layer of security for your data. AWS HealthScribe requires a symmetric encryption key to encrypt AWS HealthScribe output into a customer-specified Amazon S3 bucket. To learn more, see [Asymmetric keys in AWS KMS](https://docs.aws.amazon.com//kms/latest/developerguide/symmetric-asymmetric.html). 

 When creating your encryption context pairs, *do not* include sensitive information. Encryption context is not secret — it is visible in plain text within your CloudTrail logs (so you can use it to identify and categorize your cryptographic operations). Your encryption context pair can include special characters, such as underscores (`_`), dashes (`-`), slashes (`/`, `\`) and colons (`:`). 

**Tip**  
 It can be useful to relate the values in your encryption context pair to the data being encrypted. Although not required, we recommend you use non-sensitive metadata related to your encrypted content, such as file names, header values, or unencrypted database fields.   
 To use output encryption with the API, set the [KMSEncryptionContext](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_StartMedicalScribeJob.html#transcribe-StartMedicalScribeJob-request-KMSEncryptionContext) parameter in the [StartMedicalScribeJob](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_StartMedicalScribeJob.html) operation. In order to provide encryption context for the output encryption operation, the [OutputEncryptionKMSKeyId](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_StartMedicalScribeJob.html#transcribe-StartMedicalScribeJob-request-OutputEncryptionKMSKeyId) parameter must reference a symmetric AWS KMS key ID.   
For streaming, you specify the key value pairs for the `KmsEncryptionContext` in the [MedicalScribeEncryptionSettings](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_streaming_MedicalScribeEncryptionSettings.html) in your [MedicalScribeConfigurationEvent](https://docs.aws.amazon.com//transcribe/latest/APIReference/API_streaming_MedicalScribeConfigurationEvent.html).   
 You can use [AWS KMS condition keys](https://docs.aws.amazon.com//kms/latest/developerguide/policy-conditions.html#conditions-kms) with IAM policies to control access to a symmetric encryption AWS KMS key based on the encryption context that was used in the request for a [cryptographic operation](https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#cryptographic-operations). For an example encryption context policy, see [AWS KMS encryption context policy](https://docs.aws.amazon.com//transcribe/latest/dg/security_iam_id-based-policy-examples.html#kms-context-policy).   
 Using encryption context is optional, but recommended. For more information, see [Encryption context](https://docs.aws.amazon.com//kms/latest/developerguide/concepts.html#encrypt_context). 

### AWS HealthScribe encryption context
<a name="hscribe-context-details"></a>

AWS HealthScribe uses the same encryption context in all AWS Key Management Service cryptographic operations. The encryption context is a map of String to String that can be customized to anything you want.

```
"encryptionContext": {
   "ECKey": "ECValue"
   ...
}
```

For AWS HealthScribe streams, the following is the default service generated encryption context. It applies this context on top of any encryption context that you provide.

```
"encryptionContext": {
  "aws:<region>:transcribe:medical-scribe:session-id": "1234abcd-12ab-34cd-56ef-123456SAMPLE"
}
```

For AWS HealthScribe transcription jobs, the following is the default service generated encryption context. It applies this context on top of any encryption context that you provide.

```
"encryptionContext": {
  "aws:<region>:transcribe:medical-scribe:job-name": "<job-name>",
  "aws:<region>:transcribe:medical-scribe:start-time-epoch-ms": "<job-start-time>"
}
```

If you don’t provide any encryption context, only service generated encryption context will be used for all AWS KMS cryptographic operations.

**Monitoring AWS HealthScribe with encryption context**

When you use a symmetric customer managed key to encrypt your data at rest in AWS HealthScribe, you can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in logs generated by AWS CloudTrail or CloudWatch Logs.

**Using encryption context to control access to your customer managed key**

 You can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key. 

 The following are example key policy statements that grant access to a customer managed key for a specific encryption context. The condition in the first statement requires that every cryptographic use of the KMS key include the specified encryption context pairs. 

------
#### [ JSON ]


```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToResourceAccessRoleForMedicalScribe",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/ResourceAccessRole"
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDataKey*"
            ],
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/KMS-Example-KeyId",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws:us-east-1:transcribe:medical-scribe:session-id": "1234abcd-12ab-34cd-56ef-123456SAMPLE",
                    "kms:EncryptionContext:ECKey": "ECValue"
                }
            }
        },
        {
            "Sid": "AllowAccessToResourceAccessRoleForDescribeKey",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:role/ResourceAccessRole"
            },
            "Action": "kms:DescribeKey",
            "Resource": "arn:aws:kms:us-west-2:111122223333:key/KMS-Example-KeyId"
        }
    ]
}
```

------

## Monitoring your encryption keys for AWS HealthScribe
<a name="hscribe-monitoring-keys"></a>

When you use an AWS Key Management Service customer managed key with AWS HealthScribe, you can use AWS CloudTrail or CloudWatch Logs to track the requests that AWS HealthScribe sends to AWS KMS.

The following are example CloudTrail Encrypt and Decrypt events that you can use to monitor how AWS HealthScribe uses your customer managed key.

**Encrypt**

```
{
   "eventVersion":"1.09",
   "userIdentity":{
      "type":"AssumedRole",
      "principalId":"AROAIGDTESTANDEXAMPLE:Sampleuser01",
      "arn":"arn:aws:sts::123456789012:assumed-role/Admin/Sampleuser01",
      "accountId":"123456789012",
      "accessKeyId":"AKIAIOSFODNN7EXAMPLE3",
      "sessionContext":{
         "sessionIssuer":{
            "type":"Role",
            "principalId":"AROAIGDTESTANDEXAMPLE:Sampleuser01",
            "arn":"arn:aws:sts::123456789012:assumed-role/Admin/Sampleuser01",
            "accountId":"123456789012",
            "userName":"Admin"
         },
         "attributes":{
            "creationDate":"2024-08-16T01:10:05Z",
            "mfaAuthenticated":"false"
         }
      },
      "invokedBy":"transcribe.streaming.amazonaws.com"
   },
   "eventTime":"2024-08-16T01:10:05Z",
   "eventSource":"kms.amazonaws.com",
   "eventName":"Encrypt",
   "awsRegion":"us-east-1",
   "sourceIPAddress":"transcribe.streaming.amazonaws.com",
   "userAgent":"transcribe.streaming.amazonaws.com",
   "requestParameters":{
      "encryptionContext":{
         "aws:us-east-1:transcribe:medical-scribe:session-id":"1234abcd-12ab-34cd-56ef-123456SAMPLE"
      },
      "encryptionAlgorithm":"SYMMETRIC_DEFAULT",
      "keyId":"1234abcd-12ab-34cd-56ef-1234567890ab"
   },
   "responseElements":null,
   "requestID":"cbe0ac33-8cca-49e5-9bb5-dc2b8dfcb389",
   "eventID":"1b9fedde-aa96-48cc-9dd9-a2cce2964b3c",
   "readOnly":true,
   "resources":[
      {
         "accountId":"123456789012",
         "type":"AWS::KMS::Key",
         "ARN":"arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
      }
   ],
   "eventType":"AwsApiCall",
   "managementEvent":true,
   "recipientAccountId":"123456789012",
   "eventCategory":"Management"
}
```

**Decrypt**

```
{
   "eventVersion":"1.09",
   "userIdentity":{
      "type":"AssumedRole",
      "principalId":"AROAIGDTESTANDEXAMPLE:Sampleuser01",
      "arn":"arn:aws:sts::123456789012:assumed-role/Admin/Sampleuser01",
      "accountId":"123456789012",
      "accessKeyId":"AKIAIOSFODNN7EXAMPLE3",
      "sessionContext":{
         "sessionIssuer":{
            "type":"Role",
            "principalId":"AROAIGDTESTANDEXAMPLE:Sampleuser01",
            "arn":"arn:aws:sts::123456789012:assumed-role/Admin/Sampleuser01",
            "accountId":"123456789012",
            "userName":"Admin"
         },
         "attributes":{
            "creationDate":"2024-08-16T20:47:04Z",
            "mfaAuthenticated":"false"
         }
      },
      "invokedBy":"transcribe.streaming.amazonaws.com"
   },
   "eventTime":"2024-08-16T20:47:04Z",
   "eventSource":"kms.amazonaws.com",
   "eventName":"Decrypt",
   "awsRegion":"us-east-1",
   "sourceIPAddress":"transcribe.streaming.amazonaws.com",
   "userAgent":"transcribe.streaming.amazonaws.com",
   "requestParameters":{
      "keyId":"mrk-de27f019178f4fbf86512ab03ba860be",
      "encryptionAlgorithm":"SYMMETRIC_DEFAULT",
      "encryptionContext":{
         "aws:us-east-1:transcribe:medical-scribe:session-id":"1234abcd-12ab-34cd-56ef-123456SAMPLE"
      }
   },
   "responseElements":null,
   "requestID":"8b7fb865-48be-4e03-ac3d-e7bee3ba30a1",
   "eventID":"68b7a263-d410-4701-9e2b-20c196628966",
   "readOnly":true,
   "resources":[
      {
         "accountId":"123456789012",
         "type":"AWS::KMS::Key",
         "ARN":"arn:aws:kms:us-west-2:123456789012:key/1234abcd-12ab-34cd-56ef-123456SAMPLE"
      }
   ],
   "eventType":"AwsApiCall",
   "managementEvent":true,
   "recipientAccountId":"123456789012",
   "eventCategory":"Management"
}
```