Amazon Chime SDK Media Pipelines Update: Added support for Media Capture Pipeline and Media Concatenation Pipeline for customer managed server side encryption. Now Media Capture Pipeline can use IAM sink role to get access to KMS key and encrypt/decrypt recorded artifacts. KMS key ID can also be supplied with encryption context.

AWS · AWS · commit 3fd77916402c · 2024-11-08T19:15:02.000Z
diff --git a/.changes/next-release/feature-AmazonChimeSDKMediaPipelines-7b8c6c8.json b/.changes/next-release/feature-AmazonChimeSDKMediaPipelines-7b8c6c8.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "Amazon Chime SDK Media Pipelines",
+    "contributor": "",
+    "description": "Added support for Media Capture Pipeline and Media Concatenation Pipeline for customer managed server side encryption. Now Media Capture Pipeline can use IAM sink role to get access to KMS key and encrypt/decrypt recorded artifacts. KMS key ID can also be supplied with encryption context."
+}
diff --git a/services/chimesdkmediapipelines/src/main/resources/codegen-resources/service-2.json b/services/chimesdkmediapipelines/src/main/resources/codegen-resources/service-2.json
@@ -783,7 +783,7 @@
         },
         "IdentifyMultipleLanguages":{
           "shape":"Boolean",
-          "documentation":"<p>Turns language identification on or off for multiple languages.</p>"
+          "documentation":"<p>Turns language identification on or off for multiple languages.</p> <note> <p>Calls to this API must include a <code>LanguageCode</code>, <code>IdentifyLanguage</code>, or <code>IdentifyMultipleLanguages</code> parameter. If you include more than one of those parameters, your transcription job fails.</p> </note>"
         },
         "LanguageOptions":{
           "shape":"LanguageOptions",
@@ -1288,6 +1288,14 @@
           "shape":"ChimeSdkMeetingConfiguration",
           "documentation":"<p>The configuration for a specified media pipeline. <code>SourceType</code> must be <code>ChimeSdkMeeting</code>.</p>"
         },
+        "SseAwsKeyManagementParams":{
+          "shape":"SseAwsKeyManagementParams",
+          "documentation":"<p>An object that contains server side encryption parameters to be used by media capture pipeline. The parameters can also be used by media concatenation pipeline taking media capture pipeline as a media source.</p>"
+        },
+        "SinkIamRoleArn":{
+          "shape":"Arn",
+          "documentation":"<p>The Amazon Resource Name (ARN) of the sink role to be used with <code>AwsKmsKeyId</code> in <code>SseAwsKeyManagementParams</code>. Can only interact with <code>S3Bucket</code> sink type. The role must belong to the caller’s account and be able to act on behalf of the caller during the API call. All minimum policy permissions requirements for the caller to perform sink-related actions are the same for <code>SinkIamRoleArn</code>.</p> <p>Additionally, the role must have permission to <code>kms:GenerateDataKey</code> using KMS key supplied as <code>AwsKmsKeyId</code> in <code>SseAwsKeyManagementParams</code>. If media concatenation will be required later, the role must also have permission to <code>kms:Decrypt</code> for the same KMS key.</p>"
+        },
         "Tags":{
           "shape":"TagList",
           "documentation":"<p>The tag key-value pairs.</p>"
@@ -2416,6 +2424,14 @@
         "ChimeSdkMeetingConfiguration":{
           "shape":"ChimeSdkMeetingConfiguration",
           "documentation":"<p>The configuration for a specified media pipeline. <code>SourceType</code> must be <code>ChimeSdkMeeting</code>.</p>"
+        },
+        "SseAwsKeyManagementParams":{
+          "shape":"SseAwsKeyManagementParams",
+          "documentation":"<p>An object that contains server side encryption parameters to be used by media capture pipeline. The parameters can also be used by media concatenation pipeline taking media capture pipeline as a media source.</p>"
+        },
+        "SinkIamRoleArn":{
+          "shape":"Arn",
+          "documentation":"<p>The Amazon Resource Name (ARN) of the sink role to be used with <code>AwsKmsKeyId</code> in <code>SseAwsKeyManagementParams</code>.</p>"
         }
       },
       "documentation":"<p>A media pipeline object consisting of an ID, source type, source ARN, a sink type, a sink ARN, and a configuration object.</p>"
@@ -3326,6 +3342,21 @@
       },
       "documentation":"<p>The configuration settings for the SQS sink.</p>"
     },
+    "SseAwsKeyManagementParams":{
+      "type":"structure",
+      "required":["AwsKmsKeyId"],
+      "members":{
+        "AwsKmsKeyId":{
+          "shape":"String",
+          "documentation":"<p>The KMS key you want to use to encrypt your media pipeline output. Decryption is required for concatenation pipeline. If using a key located in the current Amazon Web Services account, you can specify your KMS key in one of four ways:</p> <ul> <li> <p>Use the KMS key ID itself. For example, <code>1234abcd-12ab-34cd-56ef-1234567890ab</code>.</p> </li> <li> <p>Use an alias for the KMS key ID. For example, <code>alias/ExampleAlias</code>.</p> </li> <li> <p>Use the Amazon Resource Name (ARN) for the KMS key ID. For example, <code>arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab</code>.</p> </li> <li> <p>Use the ARN for the KMS key alias. For example, <code>arn:aws:kms:region:account-ID:alias/ExampleAlias</code>.</p> </li> </ul> <p>If using a key located in a different Amazon Web Services account than the current Amazon Web Services account, you can specify your KMS key in one of two ways:</p> <ul> <li> <p>Use the ARN for the KMS key ID. For example, <code>arn:aws:kms:region:account-ID:key/1234abcd-12ab-34cd-56ef-1234567890ab</code>.</p> </li> <li> <p>Use the ARN for the KMS key alias. For example, <code>arn:aws:kms:region:account-ID:alias/ExampleAlias</code>.</p> </li> </ul> <p>If you don't specify an encryption key, your output is encrypted with the default Amazon S3 key (SSE-S3).</p> <p>Note that the role specified in the <code>SinkIamRoleArn</code> request parameter must have permission to use the specified KMS key.</p>"
+        },
+        "AwsKmsEncryptionContext":{
+          "shape":"String",
+          "documentation":"<p>Base64-encoded string of a UTF-8 encoded JSON, which contains the encryption context as non-secret key-value pair known as encryption context pairs, that provides an added layer of security for your data. For more information, see <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/encrypt_context.html\">KMS encryption context</a> and <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html\">Asymmetric keys in KMS</a> in the <i>Key Management Service Developer Guide</i>.</p>"
+        }
+      },
+      "documentation":"<p>Contains server side encryption parameters to be used by media capture pipeline. The parameters can also be used by media concatenation pipeline taking media capture pipeline as a media source.</p>"
+    },
     "StartSpeakerSearchTaskRequest":{
       "type":"structure",
       "required":[
