Using Customer Managed Key Hybrid with AWS
The Customer Managed Key (CMK) Hybrid service allows organizations to provide and manage their own encryption keys for certain customer content stored in the Zoom Cloud. Zoom CMK Hybrid can be used with Amazon Key Management Service (KMS). This allows for encryption of applicable content stored in the Zoom Cloud using the keys that the organization controls.
Note: Please refer to our standard instructions if you are not configuring CMK hybrid.
Requirements for using Customer Managed Key Hybrid with AWS
- Account owner or Admin with edit access to:
- Security
- Zoom Node
- Customer Managed Key Hybrid
- Zoom Node for Hybrid Customer Managed Key Plan
- Customer Managed Key Plan and CMK hybrid license
- 2 Zoom Node Virtual Machines (VMs) installed and registered
- An external IP address (if external clients are needed)
- 2 Internal IP Addresses (minimum)
- AWS Key Management Service Key for Customer Managed (Cloud) Key
- AWS Key Management Service Key for Customer Managed Hybrid Key
- AWS IAM user to access Key Management Service for Customer Managed Key Hybrid
- Redis Instance endpoint (not provided by Zoom)
- SAML entity ID and metadata url
How to install Customer Managed Key Hybrid
Setup AWS Key for Zoom Use
Follow these instructions to configure an AWS Key for cloud usage.
Install CMK Hybrid Key
Configure CMK Hybrid Key in AWS
The Hybrid CMK Key should be separate from the Zoom Cloud CMK Key. The newly generated KMS Key can also be for one or more regions.
In addition to generating a key, you will need to generate a user and credentials to be used by the Hybrid CMK Node to connect to the KMS.
Generate a new CMK Hybrid Key in AWS
For this step, please create a key meeting your default KMS Policy.
DO NOT give access to Zoom's Cloud Key Broker Role or User.
Create a Key Connector User in AWS and generate a credential:
For this step, you will need to create an IAM user in AWS. For more details on how to do so, please follow your internal IAM policies. AWS Documentation on this step can be found here.
- Create a Key Connector User in your AWS IAM.
- Navigate to IAM and click Create Group.
- Create a KeyConnector Group.
No Policies or users need to be connected yet.
- Add policies to the Group that allow it access to the Hybrid CMK Key. Select the Group and click Add Permissions, then click Create inline policy.
- Click JSON for the policy type.
- Replace the content of the Statement with the following, substituting the ARN of the Hybrid CMK Key for $KeyARN. If you have a multi-region key, be sure to include all Key ARNs.
    {
      "Sid": "HybridCMKPolicy",
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:DescribeKey"
      ],
      "Resource": "$KeyARN"
    }
- Click Next at the bottom. This will allow you to review the policies and add a policy name.
- Click Create to finish and associate the policy with the group permissions.
- Navigate back to IAM and click Create User.
- Enter a name. This user does not need access to the management console.
- Assign the previously created IAM group to the user and click Next.
- Review the information and click Create user.
- Navigate to IAM and click Users report.
- Click on the user and then click Security Credentials.
- Click Create access key.
- Select Application running outside AWS and click Next.
- On the next page, provide a descriptive tag and click Create access Key.
- Copy and store the Access key and secret (you can download it as a .CSV as well).
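The group policy and the "separate keys" rule above can be checked mechanically. The following is an added example (not Zoom's or AWS's code): it builds the KeyConnector inline policy for one or more Hybrid CMK key ARNs (a multi-region key contributes one ARN per region, which IAM accepts as a Resource list) and audits a policy document for drift away from the four listed KMS actions, for wildcard resources, and for accidentally naming the Zoom Cloud CMK key. All ARNs in the test are constructed placeholders.

```python
import json
import re

# The four KMS permissions the Key Connector needs, as listed in the steps above.
HYBRID_CMK_ACTIONS = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey", "kms:DescribeKey"]
# Shape of a KMS key ARN; multi-region key ids start with "mrk-", so allow letters too.
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[A-Za-z0-9-]+$")


def build_hybrid_cmk_policy(key_arns):
    """Return the inline policy document for the KeyConnector group.

    key_arns: every ARN of the Hybrid CMK key (one per region for a multi-region key).
    """
    key_arns = list(key_arns)
    if not key_arns:
        raise ValueError("at least one Hybrid CMK key ARN is required")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "HybridCMKPolicy",
            "Effect": "Allow",
            "Action": list(HYBRID_CMK_ACTIONS),
            # A single ARN stays a string; a multi-region key becomes a list of ARNs.
            "Resource": key_arns[0] if len(key_arns) == 1 else key_arns,
        }],
    }


def audit_hybrid_cmk_policy(policy, cloud_key_arn):
    """Return a list of findings; an empty list means the policy is as tight as intended."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action not in HYBRID_CMK_ACTIONS:
                findings.append(f"unexpected action {action}")
        for res in resources:
            if "*" in res:
                findings.append(f"wildcard resource {res}")
            elif not KMS_KEY_ARN.match(res):
                findings.append(f"resource is not a KMS key ARN: {res}")
            elif res == cloud_key_arn:
                findings.append("policy grants the Key Connector the Zoom Cloud CMK key")
    return findings


if __name__ == "__main__":  # constructed placeholder ARN, not a real key
    print(json.dumps(build_hybrid_cmk_policy(["arn:aws:kms:us-east-1:111111111111:key/mrk-1234567890abcdef1234567890abcdef"]), indent=2))
```

The returned document can be passed unchanged to the console JSON editor or to the IAM put-group-policy API.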
Configure CMK Hybrid in the Zoom Admin Web Portal
- Sign into the Zoom web portal.
- Click Advanced, then Security, then click CMK Hybrid.
- Click Add Key.
- Add one or more ARNs for the Main and Replica keys. Use the + to add additional lines as needed.
- The keys will show as Pending until the service uses them for the first time.
Install CMK Hybrid Services in Node
Note: For high availability we recommend installing at least two Node VMs, updating them to the latest node agents, and keeping them online.
- Sign in to the Zoom web portal.
- Click Advanced, then Security, then click CMK Hybrid.
- Click the Nodes tab and select the Key Connector VM.
- Click Add next to External Storage.
- Enter the IP address / FQDN and share for an NFS Server. Click Save when you are finished.
External Storage should now display a green circle next to it.
- Click the Services tab and click Add Service.
- Add a Key Connector service.
- Select the Node VM which you just added the external storage to, then select the Internal IP Address, and point it at your redis instance (do not include the port, it assumes 8080).
The Key Connector will install but it cannot be started until the Load Balancer is installed.
- On the Services tab, select the other VM that you did not install the Key Connector on.
- Click Add Service, then add a Load Balancer.
- Select the Node IP address under External IP. The Load Balancer can either use an external IP address, or only be accessible internally.
- Navigate to the local web portal for the Load Balancer.
The address is https://<IP_ADDRESS OF LOAD BALANCER>:8443
- Sign In using the zoom-setup password.
- On the left side, click Secrets.
- Click Update then add the AWS Key you saved earlier.
- Input the Access Key and Secret.
Configure SSO for key access
You will need to create an application in your SSO provider. Zoom recommends that this be a different app than your Zoom app. The relevant details are as follows:
Once the app is configured, you need to add information about it to the Zoom Web portal.
- Sign in to the Zoom web portal.
- Click Advanced, then click Security.
- Find Customer Managed Key Hybrid, then CMK Hybrid SAML configuration and click Edit.
- Enter the following information and click Save:
- Identifier: The vanity URL for your account.
- Metadata URL: The Metadata URL for the App you created in SSO.
Assign users to CMK Hybrid
Determine how you'd like your users to be selected to use CMK Hybrid:
- All Users on the Account
- Specific Groups.
For testing, you may want to use a specific group at first before enabling for your entire account.
Using CMK Hybrid with Client Level Encryption
Client-side encryption will apply to all users in the account or to specific groups. When these users sign into Zoom without SSO, they will be shown the following notification for chat messages: Unable to decrypt message.
Users will not be able to send or receive chat messages until they have authenticated using SSO. The Unable to decrypt message notification allows them to do this by clicking Authenticate. This will take the users to the configured SSO URL. Once they have verified their identities, they will be redirected back to Zoom and will be able to view client-side CMK Hybrid (CSE) encrypted messages.