Set up the AWS Key Encryption Key (KEK)

When a customer's Verint WFO cloud system supports AWS Key Management Service (KMS), customers can create the Key Encryption Key (KEK) in their AWS Console. AWS refers to this KEK as the Customer-Managed Key (CMK).

How AWS secures keys

The AWS KMS integration uses the AWS KMS API to store the Key Encryption Key (KEK). The KEK is used to encrypt and decrypt the Data Encryption Key (DEK). The DEK is used to encrypt the customer's interaction media and transcription data, such as recorded voice calls.

The customer creates and provides the KEK. Verint provides the DEK and the Amazon DynamoDB that stores it. Every day, the Verint recording solution uses the KEK to generate a new DEK. In this way, the KEK is secured because AWS manages the encryption and decryption of the KEK and the DEK through the AWS KMS API.

Verint does not receive and is not obligated to receive or back up the customer's KEK.

Procedure 

  1. In the customer's AWS account, create an IAM user (optional) and an IAM role (best practice) that include the AWSKeyManagementServicePowerUser policy.

    Best practices discourage the use of IAM users with long-term credentials. Whenever possible, use IAM roles, which provide temporary credentials.

  2. Take note of the Client access key ID and Client secret access key.

    Save the access key ID and secret access key in a secure location. The secret access key is available only at the time that it is created. If the secret access key is lost, the customer must delete the access key and create a new one in AWS KMS. Then change the Secret Access Key in the Verint KMS encryption settings page.

  3. If an IAM role is in use, get the AWS role ARN and External ID of the IAM role.

  4. Create an AWS KMS key (AWS KMS Developer Guide).

    • When using an asymmetric key, set Key Usage to Encrypt and Decrypt, and set Key Spec to RSA_4096.

    • When using a symmetric key, there are no specific settings to configure.

    • Take note of the AWS region and the Key Alias.
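A pre-flight check for steps 3 and 4, added here as an example (not Verint or AWS tooling): it inspects JSON shaped like `aws kms describe-key` output and an IAM role trust policy before the values are entered in the Verint settings. The function names and sample data are assumptions made for illustration.

```python
# Added example: checks exported JSON against the procedure; all sample data is constructed.
REQUIRED_USAGE = "ENCRYPT_DECRYPT"                 # console label: "Encrypt and Decrypt"
ALLOWED_SPECS = ("SYMMETRIC_DEFAULT", "RSA_4096")  # symmetric key, or the asymmetric spec in step 4


def check_kek(describe_key_output):
    """Return problems found in `aws kms describe-key` output; an empty list means OK."""
    meta = describe_key_output.get("KeyMetadata", {})
    problems = []
    if meta.get("KeyManager") != "CUSTOMER":
        problems.append("not a customer managed key")
    if meta.get("KeyState") != "Enabled":
        problems.append("key state is %s" % meta.get("KeyState"))
    if meta.get("KeyUsage") != REQUIRED_USAGE:
        problems.append("key usage is %s" % meta.get("KeyUsage"))
    if meta.get("KeySpec") not in ALLOWED_SPECS:
        problems.append("key spec is %s" % meta.get("KeySpec"))
    return problems


def _as_list(value):
    # IAM policy JSON allows a single item where a list is also valid.
    return value if isinstance(value, list) else [value]


def required_external_ids(trust_policy):
    """Return the sts:ExternalId values demanded by statements that allow sts:AssumeRole."""
    ids = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" in cond:
            ids.extend(_as_list(cond["sts:ExternalId"]))
    return ids


# Constructed samples (placeholder IDs, not real resources).
GOOD_KEY = {"KeyMetadata": {"KeyId": "EXAMPLE-KEY-1", "KeyManager": "CUSTOMER",
                            "KeyState": "Enabled", "KeyUsage": "ENCRYPT_DECRYPT",
                            "KeySpec": "RSA_4096"}}
BAD_KEY = {"KeyMetadata": {"KeyId": "EXAMPLE-KEY-2", "KeyManager": "CUSTOMER",
                           "KeyState": "Enabled", "KeyUsage": "SIGN_VERIFY",
                           "KeySpec": "RSA_2048"}}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}

if __name__ == "__main__":
    print(check_kek(GOOD_KEY), check_kek(BAD_KEY), required_external_ids(TRUST_POLICY))
```

An empty list from `required_external_ids` means the role can be assumed without an External ID, so the value noted in step 3 is not being enforced by the trust policy.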

Configure Encryption Key Management

AWS KMS encryption settings for bring your own key

AWS Key Management Service (AWS KMS Documentation)