Posted On: Oct 5, 2023

AWS AppConfig is launching new encryption options for feature flags and other types of configuration data. With AWS Key Management Service (AWS KMS) customer managed keys (CMKs), customers can encrypt and decrypt configuration data hosted by AWS AppConfig using keys that they manage themselves. AWS AppConfig helps engineers move faster and more safely by decoupling feature releases from code deployments; with AWS AppConfig, you can change your software’s behavior in production without pushing out new code.

Previously, CMK support was limited to AppConfig Configuration Profiles using AWS Secrets Manager, Parameter Store Secure Strings, and S3. Additionally, AWS-managed keys have been supported for all configuration data sources integrated with AWS AppConfig. With this launch, customers wishing to create, own, and manage their own keys can use those CMKs with AWS AppConfig’s feature flags and Hosted Configuration data. This gives customers another encryption option, which may be important for security or compliance-related reasons. Customers can add a CMK to a Hosted Configuration Profile or set of feature flags when they create or update them.

This new CMK support is available in all commercial AWS Regions and the AWS GovCloud (US) Regions. To learn more about AWS AppConfig Security, visit the security documentation. For information on getting started on AWS AppConfig, visit our documentation and blog post about feature flags.