Bring Your Own Key (BYOK) lets your enterprise retain control of encryption keys while protecting data on the Kore.ai platform. Kore.ai integrates with AWS Key Management Service (KMS) to use your Customer Master Keys (CMKs) for encrypting application and bot data.

Prerequisites

  • Active Kore.ai subscription with BYOK enabled
  • AWS account with administrative access to IAM and KMS
  • Permissions to create IAM roles, policies, and KMS keys

Information Exchange

| Information | Description | Provided By |
|---|---|---|
| Service Role ARN | Kore.ai’s IAM role ARN in their AWS account. Add this to your IAM role’s trust policy. For platform.kore.ai: arn:aws:iam::358587034707:role/SegBots-Servers-Role. Contact Kore.ai Support if your SaaS instance differs. | Kore.ai |
| External ID | Unique identifier Kore.ai uses when assuming your IAM role. Auto-populated in the AI for Service Admin Console. | Kore.ai |
| Role ARN | ARN of the IAM role you create in your AWS account. Example: arn:aws:iam::<your-account-id>:role/BYOK_Role | Customer |
| CMK ARN | ARN of your Customer Managed Key in AWS KMS. Example: arn:aws:kms:<region>:<your-account-id>:key/<key-id> | Customer |

Integration Process

Step 1: Create IAM Policy

  1. Go to AWS Console > IAM > Policies.
  2. Select Create policy and choose the JSON tab.
  3. Paste the following policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "BYOKKMSPermissions",
          "Effect": "Allow",
          "Action": [
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey*",
            "kms:DescribeKey"
          ],
          "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"
        }
      ]
    }
    
  4. Select Next, name the policy (for example, BYOK_KMS_Policy), add a description, and select Create policy.
Replace REGION, ACCOUNT_ID, and KEY_ID with your values. You can use "Resource": "*" initially and update it after creating your KMS key.

Step 2: Create IAM Role

  1. Go to AWS Console > IAM > Roles and select Create role.
  2. Select AWS Account as the trusted entity type, then This account.
  3. Attach the BYOK_KMS_Policy from Step 1.
  4. Name the role BYOK_Role and select Create role.
Update the Trust Policy:
  1. Open the BYOK_Role, select the Trust relationships tab, then Edit trust policy.
  2. Replace the policy with:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::358587034707:role/SegBots-Servers-Role"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<EXTERNAL-ID>"
            }
          }
        }
      ]
    }
    
  3. Select Update policy.

Step 3: Create KMS Key

  1. Go to AWS Console > KMS > Customer managed keys and select Create key.
  2. Select Symmetric key type and Encrypt and decrypt key usage.
  3. Enter an alias (for example, byok-kore-ai-key) and a description.
  4. Add your administrator users or roles as key administrators.
  5. Add the BYOK_Role as a key user.
  6. Review and select Finish.

Step 4: Update KMS Key Policy

  1. Open your KMS key and select the Key policy tab, then Edit.
  2. Add the following statement to the existing Statement array (don’t remove other statements):
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:role/BYOK_Role"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
    
  3. Save the policy.
Replace ACCOUNT_ID with your AWS account ID.

Step 5: Verify Configuration

| Item | Verification |
|---|---|
| IAM Policy | Confirm BYOK_KMS_Policy exists with correct KMS actions |
| Policy Attachment | Verify policy is attached to BYOK_Role under the Permissions tab |
| Trust Relationship | Confirm the Trust relationships tab shows Kore.ai’s Service Role ARN |
| KMS Key Policy | Verify key policy includes both root account and BYOK_Role statements |
| Key Users | Confirm BYOK_Role appears under Key users in the KMS console |
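
The policy checks in Step 5 can also be run offline against the exported policy JSON, which additionally catches a Step 1 policy left at "Resource": "*" and a trust policy missing its sts:ExternalId condition. The following is an added example, not Kore.ai's code; the function names, the sample policies, and the external ID string are constructed for illustration.

```python
# Identifiers below come from this page; sample inputs are constructed.
KORE_ROLE = "arn:aws:iam::358587034707:role/SegBots-Servers-Role"
KMS_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*", "kms:DescribeKey"}

def _list(v):
    return v if isinstance(v, list) else [v]

def _allows(doc):
    """Allow statements of a policy document."""
    return [s for s in _list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return _list(p.get("AWS", [])) if isinstance(p, dict) else [p]

def check_iam_policy(doc):
    """Step 1: exactly the four KMS actions, scoped to one key ARN."""
    out, granted = [], set()
    for s in _allows(doc):
        granted |= set(_list(s.get("Action", [])))
        for r in _list(s.get("Resource", [])):
            if "*" in r or ":key/" not in r:
                out.append("Resource is not a single KMS key ARN: " + r)
    if granted != KMS_ACTIONS:
        out.append("actions differ from documented set: %s" % sorted(granted ^ KMS_ACTIONS))
    return out

def check_trust_policy(doc, external_id):
    """Step 2: only Kore.ai's service role, and only with the external ID."""
    out = [] if _allows(doc) else ["no Allow statement"]
    for s in _allows(doc):
        if _principals(s) != [KORE_ROLE]:
            out.append("unexpected principal: %s" % _principals(s))
        if s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            out.append("sts:ExternalId condition missing or wrong")
    return out

def check_key_policy(doc, account_id):
    """Steps 4-5: key policy names both the account root and BYOK_Role."""
    seen = {p for s in _allows(doc) for p in _principals(s)}
    want = ["arn:aws:iam::%s:root" % account_id, "arn:aws:iam::%s:role/BYOK_Role" % account_id]
    return ["key policy has no statement for " + w for w in want if w not in seen]

# Constructed samples: Step 1 policy left at "Resource": "*", and a trust
# policy whose ExternalId condition was dropped during editing.
LOOSE_POLICY = {"Statement": [{"Effect": "Allow", "Action": sorted(KMS_ACTIONS), "Resource": "*"}]}
NO_EXTID_TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": KORE_ROLE},
                                 "Action": "sts:AssumeRole"}]}
```

Each function returns a list of findings, empty when the document matches what this page specifies; load your own policies with json.load and pass the External ID shown in the Admin Console.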

Step 6: Share with Kore.ai

Contact Kore.ai Support and provide:
  • CMK ARN: arn:aws:kms:<region>:<your-account-id>:key/<key-id>
  • Role ARN: arn:aws:iam::<your-account-id>:role/BYOK_Role
Kore.ai configures the trust relationship on their end and notifies you when complete.

Configure BYOK in AI for Service

After Kore.ai confirms the integration, enable BYOK in the Admin Console.
  1. Go to Admin Console > Enterprise Key.
  2. Under Bring Your Own Key, select Create Key.
  3. Enter AWS details:
    | Field | Value |
    |---|---|
    | Cloud Provider | Amazon Web Services (AWS) |
    | Assume Role External ID | Auto-populated |
    | Provider ARN | Your CMK ARN |
    | Role ARN | Your Role ARN |
  4. Set the Enforcement Date — the date your CMK begins encrypting data.
    You can modify the CMK and retest until the enforcement date. After this date, you can only rotate the key or update which apps/bots are encrypted.
  5. Select Test Configuration to validate the connection (tests connectivity, authentication, encryption, and decryption).
  6. Select Next to view all apps and bots.
    • All apps and bots are selected by default.
    • Deselect any that should remain on Kore.ai’s default encryption.
  7. Select Proceed to complete setup. Encryption begins on the enforcement date.

Validation (Optional)

After the enforcement date, verify encryption is working.

Option 1: View Analytics

Check analytics data for recent chat interactions to confirm encrypted data is accessible.

Option 2: Test Application Authorization
  1. Open the application and run Authorization Profiles and Dialogs.
  2. Execute BasicAuthValidationDialog.
  3. When the bot shows the authorization link, select it and enter credentials (admin/password).
If successful, the system displays “Basic authentication successful.”