When users have completed the retirement process, a job will archive their retirement rows to an encrypted S3 bucket for auditing purposes. Access to the retirement archive should be locked down to just those with a need to access that sensitive information. The process for setting this up from the Athena end and querying that data is detailed herein.
Create KMS Keys
- If you're going to use KMS keys for bucket encryption you should set them up ahead of time.
Configure S3
- Create a new S3 bucket (we use Terraform for this) in the region of your choice
- Take note of the bucket name and region you choose
- Make sure to turn on "automatically encrypt objects when they are stored in S3". This is what keeps our learner data safe at rest!
- You will need to choose an encryption algorithm. You must use AES-256; otherwise uploading from Tubular will not work.
- You may wish to turn on versioning or other features, but they are not required
- You may wish to add permissions for other accounts at this time, but make sure public permissions and system permissions are not granted
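The bucket settings from the steps above expressed in Terraform, as an added example that is not the project's own configuration. The resource labels, bucket name and region are placeholders, and the split-out resource types assume AWS provider v4 or later.

```hcl
# Added example with placeholder names; not the project's own Terraform.
provider "aws" {
  region = "us-east-1" # placeholder: the region you chose
}

resource "aws_s3_bucket" "retirement_archive" {
  bucket = "example-retirement-archive" # placeholder bucket name
}

# Default encryption at rest. "AES256" is SSE-S3, the AES-256 option the
# steps above require for uploads from Tubular to work.
resource "aws_s3_bucket_server_side_encryption_configuration" "retirement_archive" {
  bucket = aws_s3_bucket.retirement_archive.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Keep public ACLs and public bucket policies from being granted.
resource "aws_s3_bucket_public_access_block" "retirement_archive" {
  bucket = aws_s3_bucket.retirement_archive.id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Optional: versioning is not required by the steps above.
resource "aws_s3_bucket_versioning" "retirement_archive" {
  bucket = aws_s3_bucket.retirement_archive.id

  versioning_configuration {
    status = "Enabled"
  }
}

# The bucket name and region to take note of for the later steps.
output "retirement_archive_bucket" {
  value = aws_s3_bucket.retirement_archive.bucket
}

output "retirement_archive_region" {
  value = aws_s3_bucket.retirement_archive.region
}
```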
...