Login
    Contents x
    Set up for data encryption
    • 1 minute read
    • Contributors
    • PDF
    Contents

    Set up for data encryption

    • 1 minute read
    • Contributors
    • PDF
    Article summary

    You can use cryptographic keys stored and managed in your AWS account KMS to encrypt your organization's data stored in Gong.

    For Gong to use the external CMK (Customer Managed Key), two conditions must be satisfied:

    • The CMK should have a policy that allows a Gong-owned principal (specifically an IAM role), to use the CMK with a set of predefined permissions, for example, Encrypt or Decrypt.

    • The principal should have an attached policy to use the CMK with appropriate permissions.

    To satisfy these conditions, your administrator must set up the CMK in your AWS account as explained in this article.

    Required permissions

    This table explains the permissions we need for your key and why:

    Permission

    Why we need the permission

    Decrypt
Encrypt
GenerateDataKey

    To enable Gong to store encrypted files for your organization.

    DescribeKey

    To enable Gong to verify that the key is a symmetric key that meets requirements.

    ListGrants

    To enable Gong to list existing grants for the CMK.

    CreateGrant

    To enable Gong to delegate permissions dynamically from the ExternalCmkAccessGranter principal to the various services in Gong that store and read encrypted data.

    RevokeGrant RetireGrant

    To enable Gong to remove the created grant, retire in regular cases, and revoke if some services get forcefully shutdown.

    Create and configure your CMK

    1. Make sure your region is us-east-1.

    2. In AWS KMS, create a symmetric encryption.

       CMK_config

    3. When you are asked to add a policy, paste the following snippet to enable access from the Gong AWS account:

      {            
    "Sid": "Allow Gong.io to use this CMK",
    "Effect": "Allow",
    "Principal": {
"AWS":"arn:aws:iam::655275192472:role/ExternalCmkAccessGranter"            
    },
    "Action":[                
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:RevokeGrant",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
    "kms:RetireGrant",    
    "kms:CreateGrant",
    "kms:ListGrants"
    ],
    "Resource": "*"        
}

       CMK_edit

    After the CMK is created, make a note of the CMK’s ARN, for example:

    arn:aws:kms::1234567890:key/12345678-90ab-cdef-1234-123456789ab

    This is the key you need when you encrypt your organization's data in Gong.

    Was this article helpful?
    What's Next
    Change password!
    Changing your password will log you out immediately. Use the new password to log back in.
    Change profile
    Success!
    First name must have atleast 2 characters. Numbers and special characters are not allowed.
    Last name must have atleast 1 characters. Numbers and special characters are not allowed.
    Enter a valid email
    Enter a valid password
    Your profile has been successfully updated.
    Logout
    ESC

    Eddy, a genAI helper, will scrub our help center to give you an answer that summarizes our content. Ask a question in plain language and let me do the rest.