Set up for data encryption

  • Updated on Sep 17, 2025
  • Published on Apr 15, 2024
  • 1 minute(s) read
  • Deborah Landau
  • Jeff Aftel
 Prev Next

You can use cryptographic keys stored and managed in your AWS account KMS to encrypt your organization's data stored in Gong.

For Gong to use the external KMS keys, two conditions must be met:

  • The KMS should have a policy that allows a Gong-owned principal (specifically an IAM role), to use the KMS with a set of predefined permissions, for example, Encrypt or Decrypt.

  • The principal should have an attached policy to use the KMS with appropriate permissions.

To meet these conditions, your administrator must set up the KMS in your AWS account as explained in this article.

Required permissions

This table explains the permissions we need for your key and why:

Permission

Why we need the permission

Decrypt
Encrypt
GenerateDataKey

To enable Gong to store encrypted files for your organization.

DescribeKey

To enable Gong to verify that the key is a symmetric key that meets requirements.

ListGrants

To enable Gong to list existing grants for the CMK.

CreateGrant

To enable Gong to delegate permissions dynamically from the ExternalCmkAccessGranter principal to the various services in Gong that store and read encrypted data.

RevokeGrant RetireGrant

To enable Gong to remove the created grant, retire in regular cases, and revoke if some services get forcefully shutdown.

Create and configure your CMK

  1. For customers whose Gong data center is located in USA, make sure your AWS region is us-east-1.
    For customers whose Gong data center is located in Europe, make sure your AWS region is eu-west-1.

  2. In AWS KMS, create a symmetric encryption.

    CMK_config

  3. Paste the following to add a policy that enables access from the Gong AWS account.
    For the US data center, the Gong account number is: 655275192472
    For the European data center, the Gong account number is: 891377286368

    {            
    "Sid": "Allow Gong.io to use this CMK",
    "Effect": "Allow",
    "Principal": {
"AWS":"arn:aws:iam::<Gong account number>:role/ExternalCmkAccessGranter"            
    },
    "Action":[                
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:RevokeGrant",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
    "kms:RetireGrant",    
    "kms:CreateGrant",
    "kms:ListGrants"
    ],
    "Resource": "*"        
}

    The screenshot below is an example of the policy snippet for the US data center:

    CMK_edit

After the KMS is created, make a note of the KMS ARN, for example:

arn:aws:kms::1234567890:key/12345678-90ab-cdef-1234-123456789ab

Gong uses this key to encrypt all new S3 files stored in your organization’s Gong account. Existing files will not be re-encrypted.

This key is used to encrypt your organization's data in Gong.

Related articles