Alteryx Designer Ideas

Share your Designer product ideas - we're listening!
Submitting an Idea?

Be sure to review our Idea Submission Guidelines for more information!

Submission Guidelines
Nominations are open for the Alteryx Excellence Awards through March 26! We want to celebrate the impact you've had and give you the visibility you deserve! Make your submission here.

SSE-KMS encryption support for Alteryx AWS S3 connector

Alteryx S3 connector currently supports only SSE-S3 encryption. Current version of alteryx S3 connector does not use AWS Signature Version 4, so it fails to upload/download S3 objects which encrypted using AWS KMS keys. This is much needed feature for S3 connector.

5 Comments
AdrianKwong_whi
5 - Atom
This capability to specify different forms of SSE encryption including SSE-S3 default encryption, SSE-KMS with the default key (aws/s3), or a KMS Key Id (either the key id or alias), or SSE-C where the workflow provides the 256-bit key and the object calculates the md5 sum and encodes the key into the appropriate metadata fields is very much needed. This encryption capability should also be included in the Redshift Bulk Data Loader path because it currently just uploads the raw data entirely unencrypted and that's not good for security.
afcooley
5 - Atom

Proper support would include support for all supported methods of the S3 library.  That would include server side and client side encryption using either a user supplied master key or a KMS-ID.  The current product forces users to do decryption server side using the bucket's default key.  This is not totally secure because the key will be used on a machine with shared tennancy and the data will be decrypted on that machine as well.  It also does not allow the owner of the data complete control over the encryption and decription of that data.

AdrianKwong_whi
5 - Atom
In Alteryx Designer 11.5, the S3 Upload connector now supports SSE-KMS with a workflow specified KMS Key ID. However, the AWS Access Key and Secret Key must still be specified based on an IAM User credential (does not appear to support access through an Instance IAM Role). The Redshift Bulk Connection now appears to allow you to specify SSE-KMS along with a KMS Key ID. So it is now safe to use Redshift Bulk Connection for protected query results. Additionally, AWS has now added Bucket level Default Encryption (in AWS Console, select the bucket used for bulk loading, select properties, select default encryption) -- so you can enforce encryption for existing workflows or existing connectors that have not yet been updated to explicitly specify SSE.
Community_Admin
Alteryx
Alteryx
Status changed to: Inactive
 
Community_Admin
Alteryx
Alteryx

The status of this idea has been changed to 'Inactive'. This status indicates that:

 

1. The idea has not had activity in the form of likes or comments in over a year.

2. The idea has not reached ten likes.

3. The idea is still in the 'New Idea' status. 

 

However, this doesn't mean your idea won't be implemented! The Community can still like and comment on this idea. With enough renewed interest, this idea can be brought back into the 'New Idea' status. 

 

Thank you for contributing to the Alteryx Community and the Alteryx Product Idea Boards!