With customer-managed keys, you control the master key that Fivetran uses to encrypt your data. You can disable access to the key at any time to stop Fivetran from accessing your data. The key can be re-enabled later at any point and the syncs can be resumed.
Fivetran supports multi-region AWS Key Management Service keys for this feature. Customer-managed keys require additional setup. See the setup guide for instructions.
IMPORTANT: Do not delete the key before you have reverted the encryption in Fivetran. If you delete the key in AWS before reverting, all connectors with source and destination credentials encrypted by that key will break.
In the case of a compromised AWS key, we recommend the following workflow:
1. Revert the encryption with the current key.
2. Create a new AWS key. This amounts to manually rotating the compromised key in AWS.
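The AWS-side operations described above, as an added example that is not part of Fivetran's documentation: shell functions that disable and re-enable the key, create a replacement key, and refuse to schedule deletion until the operator confirms that the encryption was reverted in Fivetran. The function names and the FIVETRAN_ENCRYPTION_REVERTED variable are assumptions made for this example; the aws kms subcommands are standard AWS CLI.

```shell
# Added example: AWS-side handling of a customer-managed key.
# Assumes the AWS CLI with credentials allowed to manage the key.
# Function names and FIVETRAN_ENCRYPTION_REVERTED are hypothetical.

# Print the key state: Enabled, Disabled, PendingDeletion, ...
cmk_state() {
  aws kms describe-key --key-id "$1" \
    --query 'KeyMetadata.KeyState' --output text
}

# Kill switch: a disabled key cannot be used for cryptographic operations.
cmk_suspend() {
  aws kms disable-key --key-id "$1" && cmk_state "$1"
}

# Re-enable the key so that syncs can be resumed.
cmk_resume() {
  aws kms enable-key --key-id "$1" && cmk_state "$1"
}

# Create the replacement key and print its ARN.
cmk_create_replacement() {
  aws kms create-key --description "Fivetran CMK (replacement)" \
    --query 'KeyMetadata.Arn' --output text
}

# Guarded retirement: refuse until the operator confirms the encryption
# was reverted in Fivetran, then disable the key and schedule deletion
# with the longest waiting period so a mistake can still be cancelled.
cmk_retire() {
  if [ "${FIVETRAN_ENCRYPTION_REVERTED:-no}" != "yes" ]; then
    echo "refusing: revert the encryption in Fivetran first" >&2
    return 1
  fi
  aws kms disable-key --key-id "$1" || return 1
  aws kms schedule-key-deletion --key-id "$1" \
    --pending-window-in-days 30 \
    --query 'KeyState' --output text
}
```

Set FIVETRAN_ENCRYPTION_REVERTED=yes only after the revert has completed in Fivetran; until then cmk_retire makes no AWS call.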