Hello everyone,
We are excited to announce that SonarQube Cloud Enterprise now supports Customer Managed Keys (CMK). This highly requested feature empowers you to Bring Your Own Key (BYOK) from AWS KMS to encrypt your source code at rest and enhance your data sovereignty.
The feature is now officially in General Availability (GA) for all SonarQube Cloud Enterprise customers.
The feature lets you keep full control over the encryption keys protecting your source code at rest, by using your own AWS KMS customer-managed keys. This helps you:
- Strengthen compliance: Align SonarQube Cloud with stricter internal security and compliance requirements.
- Centralize key governance: Manage the entire key lifecycle (rotation, disable, revoke) directly in your own AWS account.
- Mitigate risk: Retain ultimate control over data access. In case of credential or account compromise, you hold the master switch to your encrypted data.
Scope and behavior
- Code encryption at rest: All code stored for your Enterprise is encrypted with your KMS key.
- Enterprise-scoped: Configuration is managed at the Enterprise level and applies to all organizations under that Enterprise.
- Standard KMS integration: Simply provide the CMK ARN from your AWS account; SonarQube Cloud uses it through AWS KMS under a least-privilege model.
How to enable it
Enterprise administrators can enable it from SonarQube Cloud Enterprise → Administration → Code Encryption.
We appreciate your feedback. Please feel free to reach out to us.
Thank you,
Elena