diff --git a/_site/redirects.json b/_site/redirects.json index 574493ca..d2b3d7d4 100644 --- a/_site/redirects.json +++ b/_site/redirects.json @@ -2706,5 +2706,9 @@ { "destination": "https://clickhouse.com/blog/ai-redrawing-database-market", "source": "/get-started/use-cases/machine-learning-and-genai/agent-facing-analytics" + }, + { + "destination": "/products/cloud/guides/security/cmek", + "source": "/products/cloud/guides/security/cmek-migration" } ] \ No newline at end of file diff --git a/products/cloud/guides/index.mdx b/products/cloud/guides/index.mdx index de8a6971..c2ba1fe2 100644 --- a/products/cloud/guides/index.mdx +++ b/products/cloud/guides/index.mdx 
@@ -61,7 +61,6 @@ keywords: ['cloud guides', 'documentation', 'how-to', 'cloud features', 'tutoria | [Manage my account](/products/cloud/guides/security/cloud-access-management/manage-my-account) | This page describes how you can accept invitations, manage MFA settings, and reset passwords | | [Manage SQL console role assignments](/products/cloud/guides/security/cloud-access-management/manage-sql-console-role-assignments) | Guide showing how to manage SQL console role assignments | | [Managing AWS service limits and quotas](/products/bring-your-own-cloud/reference/aws-service-limits) | AWS service quotas to verify before BYOC onboarding, how to request increases, and what to monitor as services scale | -| [Migrating from CMEK v1 to v2](/products/cloud/guides/security/cmek-migration) | Migration instructions to move from legacy CMEK to version 2 | | [Multi tenancy](/products/cloud/guides/best-practices/multitenancy) | Best practices to implement multi tenancy | | [Optimizing ClickHouse Assistant agent conversations with a semantic layer](/products/cloud/features/ai-ml/aichat/customizing-semantic-layer) | Guide to using AGENTS.md to provide custom business logic and data-specific instructions to the ClickHouse Assistant chat agent | | [Overview](/products/cloud/guides/infrastructure/deployment-options/byoc/overview) | Deploy ClickHouse on your own cloud infrastructure | diff --git a/products/cloud/guides/security/cmek-migration.mdx b/products/cloud/guides/security/cmek-migration.mdx deleted file mode 100644 index 07082a8b..00000000 --- a/products/cloud/guides/security/cmek-migration.mdx +++ /dev/null 
@@ -1,104 +0,0 @@ ---- -sidebarTitle: 'Legacy CMEK migration' -slug: /cloud/security/cmek-migration -title: 'Migrating from CMEK v1 to v2' -description: 'Migration instructions to move from legacy CMEK to version 2' -doc_type: 'guide' -keywords: ['ClickHouse Cloud', 'encryption', 'CMEK'] ---- - -We're improving the security of customer managed encryption keys (CMEK) services. All services are now configured with a unique AWS role per service to authorize using customer keys to encrypt and decrypt services. This new role is only shown in the service configuration screen. - -OpenAPI and Terraform are both supported for this new process. For more information, check out our docs ([Enhanced Encryption](/products/cloud/guides/security/cmek), [Cloud API](/products/cloud/features/admin-features/api/api-overview), [Official Terraform Provider](https://registry.terraform.io/providers/ClickHouse/clickhouse/latest/docs)). - - -Customers utilizing CMEK v1 must migrate services no later than June 1st, 2026. After this date customer managed keys will be rotated to ClickHouse managed keys by default. Customers may rotate back to customer managed keys after the default migration. - - -## Manual migration {#manual-migration} - -Complete the following steps to migrate to the new process: -1. Sign in to https://console.clickhouse.cloud -2. Click on the encrypted service -3. Click on Service Settings on the left -4. Scroll to the bottom of the screen and expand View service details -5. Copy the Encryption Role ID (IAM) -6. Go to your KMS key in AWS and update the Key Policy to add the following: -```json -{ - "Sid": "Allow ClickHouse Access", - "Effect": "Allow", - "Principal": { - "AWS": ["Encryption role ID (ARN)"] - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:DescribeKey" - ], - "Resource": "*" -} -``` -7. In ClickHouse Cloud, open a support case to let us know we can enable the new method. 
This change requires a service restart, please let us know if there is a day/ time that is best to restart the service. -8. Once we restart the service, go to your KMS key in AWS and remove the following from the Key Policy: -```json -{ - "Sid": "Allow ClickHouse Access", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::576599896960:role/prod-kms-request-role" - }, - "Action": ["kms:GetPublicKey", - "kms:Decrypt", - "kms:GenerateDataKeyPair", - "kms:Encrypt", - "kms:GetKeyRotationStatus", - "kms:GenerateDataKey", - "kms:DescribeKey"], - "Resource": "*" -} -``` -9. The update is complete! - -## Terraform migration {#terraform-migration} -1. Update to [Terraform version 3.5.0 or higher](https://registry.terraform.io/providers/ClickHouse/clickhouse/latest/docs) -2. Apply Terraform without changes. A new field for transparent_data_encryption will appear in the Terraform state. Make note of the role_id here. -3. Go to your KMS key in AWS and update the Key Policy to add the following: -```json -{ - "Sid": "Allow ClickHouse Access", - "Effect": "Allow", - "Principal": { - "AWS": ["Encryption role ID (ARN)"] - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:DescribeKey" - ], - "Resource": "*" -} -``` -4. In ClickHouse Cloud, open a support case with the service name to let us know we can enable the new method. This change requires a service restart, please let us know if there is a day/ time that is best to restart the service. -5. After we restart the service, you can update the transparent_data_encryption.enabled setting to ‘True’ and remove the tier setting in Terraform and apply. This will result in no changes. -6. 
Go to your KMS key in AWS and remove the following from the Key Policy: -```json -{ - "Sid": "Allow ClickHouse Access", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::576599896960:role/prod-kms-request-role" - }, - "Action": ["kms:GetPublicKey", - "kms:Decrypt", - "kms:GenerateDataKeyPair", - "kms:Encrypt", - "kms:GetKeyRotationStatus", - "kms:GenerateDataKey", - "kms:DescribeKey"], - "Resource": "*" -} -``` -7. The update is complete! diff --git a/products/cloud/navigation.json b/products/cloud/navigation.json index 7e36ef49..dc0499ae 100644 --- a/products/cloud/navigation.json +++ b/products/cloud/navigation.json @@ -323,8 +323,7 @@ "expanded": false, "pages": [ "products/cloud/guides/security/data-masking", - "products/cloud/guides/security/cmek", - "products/cloud/guides/security/cmek-migration" + "products/cloud/guides/security/cmek" ] }, {
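Review bot: In the `_site/redirects.json` hunk, the new entry only redirects the source `/products/cloud/guides/security/cmek-migration`, while the front matter of the deleted page declares `slug: /cloud/security/cmek-migration`. If that slug is a routable path, inbound links to it will break once the page is gone. Add a second redirect entry for the slug, or confirm that an existing rule already maps it to `/products/cloud/guides/security/cmek`. Links that carry the `#manual-migration` or `#terraform-migration` anchors will also lose their target unless the CMEK guide defines the same anchors.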
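Review bot: In the deletion of `products/cloud/guides/security/cmek-migration.mdx`, the removed step 8 (manual) and step 6 (Terraform) are the only lines in this patch that tell customers to remove the key-policy statement granting `arn:aws:iam::576599896960:role/prod-kms-request-role` the actions `kms:Decrypt`, `kms:GenerateDataKey` and the others listed. Nothing in the diff touches the CMEK guide that the redirect points to, so please confirm that guide carries this cleanup step. Otherwise the grant to the legacy role stays in customer key policies with no documented way to identify and remove it. The same applies to the notice that services not migrated by June 1st, 2026 are rotated to ClickHouse managed keys and may rotate back: customers in that state still need a documented path after this page is removed.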