Merge pull request #7502 from camunda/3285-byok-behavior

create doc on key state behavior

Author: christinaausley

docs/components/saas/byok/aws-kms-setup.md

@@ -17,9 +17,10 @@ Learn how to configure encryption at rest for your Camunda 8 SaaS Orchestration
 
 :::warning Important
 
-- Deleting or disabling your AWS KMS key will make your cluster and data inaccessible.
+- Deleting or disabling your AWS KMS key will make your cluster and data inaccessible. To understand how Camunda behaves if a key is disabled, deleted, or its policy is changed, see [key state behavior](/components/saas/byok/key-state-behavior.md).
 - Key management is fully customer-side in AWS KMS. Camunda cannot rotate keys.
-  :::
+
+:::
 
 ## Step 1: Create a Camunda 8 SaaS Orchestration cluster
 

docs/components/saas/byok/faq-and-troubleshooting.md

@@ -74,6 +74,10 @@ Setup instructions: [external encryption setup guide](/components/saas/byok/aws-
 | CloudTrail does not show activity | AWS CloudTrail not enabled or retention too short             | Enable AWS CloudTrail in the cluster Region and store logs beyond 90 days. [View CloudTrail events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) |
 | Key rotation issues               | Cluster encryption update not supported                       | Create a new key and associate it with a new cluster. Verify encryption settings before use.                                                                                                |
 
+:::note
+For details on how Camunda responds when an external KMS key becomes disabled, deleted, or misconfigured, see [key state behavior](/components/saas/byok/key-state-behavior.md).
+:::
+
 :::note Support
 For persistent issues with key policies, Region, or key status, contact [AWS support](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html).  
 For Camunda-specific cluster provisioning issues, contact [Camunda support](https://camunda.com/services/support-guide/).

docs/components/saas/byok/index.md

@@ -47,7 +47,7 @@ With BYOK, you maintain visibility through **AWS CloudTrail** and **Amazon Cloud
 | Camunda  | Surface any key-related errors in the Console            |
 
 :::warning Key management
-If your AWS KMS key is disabled, deleted, or permissions are revoked, your cluster and its data become inaccessible.
+If your AWS KMS key is disabled, deleted, or permissions are revoked, your cluster and its data become inaccessible. For details on how Camunda responds when an external AWS KMS key becomes disabled, deleted, or misconfigured, see [key state behavior](/components/saas/byok/key-state-behavior.md).
 :::
 
 ## Cost implications

docs/components/saas/byok/key-rotation-audit-logging.md

@@ -25,7 +25,7 @@ To use a new AWS KMS key instead of rotating, contact [Camunda support](https://
 
 :::warning Key rotation caution
 
-- Do not delete or disable an old key until the cluster uses a replacement.
+- Do not delete or disable an old key until the cluster uses a replacement. For details on how Camunda responds when an external KMS key becomes disabled, deleted, or misconfigured, see [key state behavior](/components/saas/byok/key-state-behavior.md).
 - Improper key management may block data access.
 - Ensure backup storage and persistent volumes remain accessible.
 - See [KMS key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) and [S3 server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html).

docs/components/saas/byok/key-state-behavior.md

@@ -0,0 +1,135 @@
+---
+id: key-state-behavior
+title: "Key state behavior"
+description: "Understand how Camunda 8 SaaS behaves when an external Amazon KMS key used for BYOK is disabled, scheduled for deletion, deleted, or misconfigured."
+keywords:
+  [BYOK, encryption, KMS, key disabled, key deletion, SaaS, troubleshooting]
+---
+
+Learn how Camunda 8 SaaS responds when your external Amazon KMS encryption key (BYOK) becomes unavailable during cluster startup or runtime.
+
+This page applies only to **external customer-managed keys** (AWS KMS). For encryption fundamentals, see the [encryption overview](/components/saas/byok/index.md).
+
+:::warning
+If your external encryption key is disabled, deleted, or its permissions are revoked, your cluster becomes inaccessible and may enter a frozen state. Camunda cannot recover encrypted data if the key is permanently deleted.
+:::
+
+## Key state summary
+
+The table below provides a high-level overview of how different KMS key states affect cluster startup, operation, and data availability.
+
+| Key state                  | Cluster startup   | Cluster runtime                               | Data accessible? | Recovery possible?            |
+| -------------------------- | ----------------- | --------------------------------------------- | ---------------- | ----------------------------- |
+| **Enabled**                | ✔ Starts normally | ✔ Operates normally                           | Yes              | Not needed                    |
+| **Disabled**               | ❌ Cannot start   | ❌ Freezes: no reads/writes, operations hang  | No               | ✔ Re-enable key               |
+| **Scheduled for deletion** | ❌ Cannot start   | ❌ Same as disabled                           | No               | ✔ Cancel deletion + re-enable |
+| **Permanently deleted**    | ❌ Cannot start   | ❌ Cluster remains non-functional permanently | No               | ❌ No — encrypted data lost   |
+| **Incorrect key policy**   | ❌ Cannot start   | ❌ Behaves like disabled key                  | No               | ✔ Fix policy                  |
+
+## What happens when a key becomes unavailable?
+
+When a cluster loses access to its KMS key:
+
+- All encryption/decryption requests fail immediately.
+- Zeebe, Elasticsearch, and backup operations **freeze**.
+- Console may still show the cluster as **Healthy**, even though no work can proceed.
+- Within ~15 minutes, the **Encryption at rest** panel displays:
+  > **External encryption key is not ready**
+
+### Timeline of effects
+
+1. **Immediate (0–1s):** Key becomes inaccessible.
+2. **Seconds:** Storage reads/writes hang.
+3. **Backup jobs:** Become stuck “In progress” indefinitely.
+4. **Suspend/Resume:** Requests appear accepted but never execute.
+5. **Console status:** May incorrectly continue to show “Healthy.”
+6. **After re-enabling:** Automatic recovery occurs, but timing depends on reconciliation and exponential backoff.
+
+## Component-level impact
+
+| Component/feature      | Requires key for                | Behavior when key unavailable             |
+| ---------------------- | ------------------------------- | ----------------------------------------- |
+| **Zeebe brokers**      | State storage (encrypted disks) | Execution freezes; no read/write activity |
+| **Elasticsearch**      | Persistent disk encryption      | Indexing and queries freeze               |
+| **Backups**            | Encrypting/decrypting snapshots | Backup requests hang forever              |
+| **Restore operations** | Decrypting snapshots            | Restore cannot proceed                    |
+| **Document storage**   | Encrypting stored files         | Document reads/writes freeze              |
+| **Suspend / resume**   | Changing cluster state          | Request is logged but not executed        |
+
+## Behavior by key lifecycle state
+
+### Disabled key
+
+- Cluster cannot start.
+- If cluster was running:
+  - All operations freeze.
+  - Suspend/resume does not complete.
+  - Backup operations get stuck.
+- Console eventually shows: **External encryption key is not ready**
+
+**Recovery:**  
+Re-enable the KMS key. Cluster resumes automatically, but recovery time increases the longer the key was disabled.
+
+### Key scheduled for deletion
+
+Scheduling deletion automatically **disables** the key.
+
+Behavior is identical to a disabled key.
+
+**Recovery:**  
+Cancel deletion → Re-enable the key.
+
+### Permanently deleted key
+
+Once the AWS deletion waiting period passes:
+
+- The key is irrecoverable.
+- The cluster becomes permanently unusable.
+- No encrypted data can be recovered.
+
+**Recovery:**  
+Not possible. Create a new cluster.
+
+### Incorrect or missing key policy
+
+If the KMS policy does not grant Camunda's AWS Role the required permissions:
+
+- Cluster cannot start or becomes frozen.
+- Behavior mirrors a disabled key.
+
+**Recovery:**  
+Update the KMS key policy using the Tenant Role ARN displayed in Console.
+
+## Error handling and user-visible messages
+
+Currently, Camunda displays a single unified message:
+
+```yaml
+External encryption key is not ready
+```
+
+More granular messaging is planned for future iterations.
+
+## Operator responsibilities and best practices
+
+### Customer responsibilities (BYOK model)
+
+- Maintain and monitor the key lifecycle in AWS.
+- Monitor for disable/delete events (CloudWatch & EventBridge).
+- Ensure policies remain correct.
+- Understand that deleting or disabling the key freezes the cluster.
+
+### Recommended monitoring
+
+Activate:
+
+- **CloudWatch alerts** for key disabled, scheduled deletion, access denied
+- **EventBridge** for policy changes
+- **CloudTrail** for Encrypt/Decrypt failures and audit logs
+
+## Related documentation
+
+- [Encryption overview](/components/saas/byok/index.md)
+- [External encryption setup guide](/components/saas/byok/aws-kms-setup.md)
+- [FAQ & troubleshooting](/components/saas/byok/faq-and-troubleshooting.md)
+- [Key rotation and audit logging](/components/saas/byok/key-rotation-audit-logging.md)

sidebars.js

@@ -1074,6 +1074,7 @@ module.exports = {
             "components/saas/encryption-at-rest",
             "components/saas/byok/aws-external-encryption-setup",
             "components/saas/byok/key-rotation-audit-logging",
+            "components/saas/byok/key-state-behavior",
             "components/saas/byok/faq-and-troubleshooting",
           ],
         },

versioned_docs/version-8.6/components/concepts/byok/aws-kms-setup.md

@@ -16,10 +16,9 @@ Learn how to configure encryption at rest for your Camunda 8 SaaS cluster using
 | Technical familiarity | Some experience with the AWS Management Console, IAM roles, and AWS KMS.    |
 
 :::warning Important
-
-- Deleting or disabling your AWS KMS key will make your cluster and data inaccessible.
+- Deleting or disabling your AWS KMS key will make your cluster and data inaccessible. To understand how Camunda behaves if a key is disabled, deleted, or its policy is changed, see [key state behavior](/components/concepts/byok/key-state-behavior.md).
 - Key management is fully customer-side in AWS KMS. Camunda cannot rotate keys.
-  :::
+:::
 
 ## Step 1: Create a Camunda 8 cluster
 

versioned_docs/version-8.6/components/concepts/byok/faq-and-troubleshooting.md

@@ -74,6 +74,10 @@ Setup instructions: [external encryption setup guide](/components/concepts/byok/
 | CloudTrail does not show activity | AWS CloudTrail not enabled or retention too short             | Enable AWS CloudTrail in the cluster Region and store logs beyond 90 days. [View CloudTrail events](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html) |
 | Key rotation issues               | Cluster encryption update not supported                       | Create a new key and associate it with a new cluster. Verify encryption settings before use.                                                                                                |
 
+:::note
+For details on how Camunda responds when an external KMS key becomes disabled, deleted, or misconfigured, see [key state behavior](/components/concepts/byok/key-state-behavior.md).
+:::
+
 :::note Support
 For persistent issues with key policies, Region, or key status, contact [AWS support](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html).  
 For Camunda-specific cluster provisioning issues, contact [Camunda support](https://camunda.com/services/support-guide/).

versioned_docs/version-8.6/components/concepts/byok/index.md

@@ -47,7 +47,7 @@ With BYOK, you maintain visibility through **AWS CloudTrail** and **Amazon Cloud
 | Camunda  | Surface any key-related errors in the Console            |
 
 :::warning Key management
-If your AWS KMS key is disabled, deleted, or permissions are revoked, your cluster and its data become inaccessible.
+If your AWS KMS key is disabled, deleted, or permissions are revoked, your cluster and its data become inaccessible. For details on how Camunda responds when an external AWS KMS key becomes disabled, deleted, or misconfigured, see [key state behavior](/components/concepts/byok/key-state-behavior.md).
 :::
 
 ## Cost implications

versioned_docs/version-8.6/components/concepts/byok/key-rotation-audit-logging.md

@@ -25,7 +25,7 @@ To use a new AWS KMS key instead of rotating, contact [Camunda support](https://
 
 :::warning Key rotation caution
 
-- Do not delete or disable an old key until the cluster uses a replacement.
+- Do not delete or disable an old key until the cluster uses a replacement. For details on how Camunda responds when an external KMS key becomes disabled, deleted, or misconfigured, see [key state behavior](/components/concepts/byok/key-state-behavior.md).
 - Improper key management may block data access.
 - Ensure backup storage and persistent volumes remain accessible.
 - See [KMS key rotation](https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) and [S3 server-side encryption](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html).