Using Customer Managed Key with AWS

The Customer Managed Key service allows organizations to provide and manage their own encryption keys for certain customer content stored in the Zoom Cloud. Zoom supports Amazon Key Management Service (KMS), Oracle OCI Vault, or Azure Key Vault. Organizations need to manage the keys with one of these cloud KMS providers. This allows for encryption of applicable content stored in the Zoom Cloud using the keys that the organization controls.

Note: Please refer to our list for more information on all the Zoom services and assets supported with Customer Managed Key.

This article covers:

Prerequisites for using Customer Managed Key

Limitations of Customer Managed Key

Configurable options available through Zoom

Zoom Phone

Administrators can configure Zoom Phone to drop calls if encryption/decryption keys are not available for operation. This option needs to be requested via a Support ticket

How to use Customer Managed Key with AWS

How to set up your AWS account           

To set up your AWS account, sign up at 

Where to create an AWS KMS key

Create your KMS in the same location/region where you have configured your account data to reside. This is US East 1 region by default.

How to configure Customer Managed Key in AWS

The AWS KMS keys that you create are considered Customer Managed Keys. Customer Managed Keys are KMS keys in your AWS account that you create, own, and manage. Before you get started with Customer Managed Key service in the Zoom cloud, follow the steps below:

  1. Create a KMS key with the following configuration:
    • Key type: Symmetric
    • Key usage: Encrypt and decrypt
    • Key material origin: KMS
    • Regionality: Multi-Region key
  2. Replicate the KMS key to other AWS regions you wish to host the key in, for redundancy. 
  3. Configure your key policy and IAM (Identity access management) policy appropriately in all of your AWS regions to specify access to your keys by copying and editing the template below into your AWS console.

Configuring your key’s policy

In order to configure your key’s policy, go to the Customer Managed Key page in the Encryption Keys section of the AWS KMS management console.

The policy needs to include the following:

There are two ways to add these: 

  1. The recommended way is to select the Add other AWS accounts found in the Key policy tab.
    Include the Account number# 409910850980 as the Zoom Key broker account to allow access to your KMS key.
    This creates the JSON policy with the account and IAM role (arn:aws:iam::409910850980:root) as well as all  the required valid key operations.
    You could choose to grant key access to the Zoom key broker either at the root or role level. At the root level it would be arn:aws:iam::409910850980:root and at the role level arn:aws:iam::409910850980:role/keybroker-role
  2. Another way would be to Switch to policy view in order to see and edit the JSON representation.

This is an example template of a key policy that you could customize to meet your organization's needs:

{ "Version": "2012-10-17",
   "Statement": [
       {   "Effect": "Allow",
           "Principal": {
                   "AWS": "arn:aws:iam::YOUR_AWS_ACCOUNT_NUMBER:root"
                   "Action": "kms:*",
                   "Resource": "*"
           "Principal": {
               "AWS": [
       "Action": [

Note: If you enable Multi-region key (MRK), the key policy will be replicated to the MRK secondary region. However, if you manually edit the MRK primary key policy you will need to ensure those changes are also manually added for the MRK replica key as well.  

Search data encryption

If you plan to enable search data encryption, you also need to allow the CMK search service to access your organization's key. 

            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
            "Action": [
            "Resource": "*"

How to enroll your keys with Zoom

  1. Sign in to the Zoom web portal.
  2. In the navigation menu, click Advanced then Security.
  3. Under Customer Managed Key, click Add Key.
  4. Choose Amazon AWS.
  5. Enter the key information and click Create. Enter the ARN of the KMS key.
  6. A message will appear displaying the ARNs that will be used for different regions. Click Continue when you are done reviewing. 
  7. Click + Add Services and determine which items will be encrypted. Place a check in the box next to any of the data types / services you want encrypted with your key, then click Add.   
  8. Click +Add recipient and add the users who will be notified by email if there is a key status change.

How to assign Customer Managed Key licenses to users

Users with assigned Customer Managed Key licenses will have their data encrypted. 

  1. Sign in to the Zoom web portal.
  2. Click User Management, then Users.
  3. Locate the user(s) you want to assign a license to. Check the box to the left of the user’s name then click the License drop down. 
  4. Click Zoom Customer Managed Key, then check the box next to the Feature
  5. Click Save

How to edit your keyset

  1. Sign in to the Zoom web portal.
  2. In the navigation menu, click Advanced then Security.
  3. Under Customer Managed Key, click Rotate Key.
  4. Add the key information and click Save.

Approaches to managing keys

To learn more about different approaches to managing keys, such as auto key rotation, manual key management, and external HSM key management, see Key management concepts.

Guidelines to help monitor keys

Fallback Control

Access to the customer’s key at all times is critical to create and access any content which has been selected to be secured by CMK. Zoom not only encourages the use of replicated keys, but also supports a global "fallback control" option. If enabled and the customer’s key is not available for any reason, CMK falls back to a Zoom provided backup key for encryption. If the fallback option is not enabled and the customer’s key is not available, content will not be stored. Once the customer’s key becomes available again, CMK will re-encrypt all content with the customer’s key.

Customer Managed Key deprovisioning

  1. If you want to revert to let Zoom manage encryption, schedule a date with your Zoom representative to deprovision this service.
    NOTE: Organization’s must keep their key available until the Zoom representative informs them that it can be deactivated. 
  2. Your Zoom representative will confirm the deprovisioning dates with our operations team.
  3. Your Zoom representative will let you know once deprovisioning has concluded, so that you can disable your keys.