Set up BYOB with SSE-KMS Key
You can use your own S3 bucket with Illumina Connected Analytics (ICA) for data storage. This section describes how to configure your AWS account to allow ICA to connect to an S3 bucket that uses an SSE-KMS key. General instructions for configuring your AWS account to allow ICA to connect to an S3 bucket are found on this page.
- Note: S3-SSE-KMS must be in the same region as your ICA v2.0 project. See the ICA S3 bucket documentation for more information.
In the "Default encryption" section, enable Server-side encryption and choose "AWS Key Management Service key (SSE-KMS)". Then select "Choose your AWS KMS key".
- If you do not have an existing customer managed key, click "Create a KMS key" and follow these steps from AWS.

Once the bucket is set up, it is also recommended to create a folder that will be connected to ICA as a prefix. If you create a new folder in the bucket that will be linked in the ICA storage configuration, encryption must be enabled for it in the AWS console.

- Add permission to use KMS key by adding kms:Decrypt, kms:Encrypt, and kms:GenerateDataKey
- Add the ARN KMS key arn:aws:kms:xxx on the first "Resource"

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "s3:PutBucketNotification",
        "s3:ListBucket",
        "s3:GetBucketNotification",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:kms:xxx",
        "arn:aws:s3:::BUCKET_NAME"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:RestoreObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetFederationToken"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

At the end of the policy setting, there should be 3 permissions listed in the "Summary".
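
Before pasting the policy into the AWS console, it can be checked offline. The following is an added example, not part of the ICA documentation: it confirms that the three KMS actions are granted on the intended key, flags KMS access granted on every key, and compares the key's region with the project region required by the note above. The key ARN, the account ID and the names `check_policy` and `as_list` are constructed for illustration.

```python
REQUIRED_KMS = {"kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"}

# Constructed sample: the page's policy with a made-up key ARN filled in.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey",
                "s3:PutBucketNotification", "s3:ListBucket",
                "s3:GetBucketNotification", "s3:GetBucketLocation"],
     "Resource": [KEY_ARN, "arn:aws:s3:::BUCKET_NAME"]},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:RestoreObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::BUCKET_NAME/*"},
    {"Effect": "Allow", "Action": ["sts:GetFederationToken"], "Resource": ["*"]}]}

def as_list(value):
    """IAM accepts a single string or object where a list is expected."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def check_policy(policy, key_arn, project_region):
    """Return findings; an empty list means the KMS part matches the setup above."""
    # ARN layout: arn:partition:service:region:account-id:resource
    parts = key_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "kms" or not parts[5].startswith("key/"):
        return ["not a KMS key ARN: " + key_arn]
    findings = []
    if parts[3] != project_region:
        findings.append("key region %s differs from project region %s" % (parts[3], project_region))
    granted = set()
    for stmt in as_list(policy.get("Statement")):
        actions = set(as_list(stmt.get("Action")))
        # A wildcard action covers all three required KMS actions.
        kms = REQUIRED_KMS if actions & {"kms:*", "*"} else actions & REQUIRED_KMS
        if stmt.get("Effect") != "Allow" or not kms:
            continue
        resources = as_list(stmt.get("Resource"))
        if "*" in resources:
            findings.append("KMS actions allowed on every key (Resource \"*\")")
            granted |= kms
        elif key_arn in resources:
            granted |= kms
    missing = REQUIRED_KMS - granted
    if missing:
        findings.append("missing on key: " + ", ".join(sorted(missing)))
    return findings

if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        print(region, check_policy(POLICY, KEY_ARN, region) or "OK")
```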

In step 3 of the process above, continue with "[Optional] Server Side Encryption" to enter the algorithm and key name for server-side encryption.
- On "Algorithm", input aws:kms
- On "Key Name", input the ARN KMS key: arn:aws:kms:xxx
- "Key prefix" is optional, but recommended. "Key prefix" refers to the folder name in the bucket that was created earlier.
