Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.devin.ai/llms.txt

Use this file to discover all available pages before exploring further.

Overview

By default, Cognition encrypts all customer data at rest using Cognition-managed keys. For organizations that require direct control over their encryption keys, Devin supports Customer Managed Keys (CMK) using AWS Key Management Service (KMS). With CMK, you provide your own AWS KMS key, and Cognition uses it to encrypt data stored in your dedicated tenant — including session data and VM snapshots. This gives you full control over the key lifecycle, including the ability to rotate, disable, or revoke access at any time.
CMK is available exclusively for Enterprise Dedicated deployments and must be configured during initial deployment setup. For more information on deployment models, see Enterprise Deployment.

How It Works

In an Enterprise Dedicated deployment, Devin stores customer data in Amazon S3 buckets within your dedicated tenant. When CMK is enabled:
  1. Your AWS KMS key is used for server-side encryption of all data written to these S3 buckets.
  2. Cognition’s infrastructure uses the key to encrypt data at write time and decrypt it at read time.
  3. You retain ownership of the key in your own AWS account and can manage its lifecycle independently.
If you do not provide a KMS key, Cognition creates and manages an encryption key on your behalf.

Prerequisites

Before setting up CMK, ensure you have:
  • An Enterprise Dedicated deployment with Cognition (CMK must be configured during initial deployment)
  • An AWS KMS key in the same AWS region as your Devin deployment
  • Permissions to modify your KMS key policy
Contact your Cognition account team to confirm the AWS region of your dedicated tenant.

Setup

Step 1: Create or Select a KMS Key

Use an existing symmetric AWS KMS key or create a new one in the same region as your Cognition dedicated tenant. The key must be a symmetric encryption key (the default key type in AWS KMS).

Step 2: Configure the Key Policy

Update your KMS key policy to allow Cognition’s AWS accounts to use the key for encryption and decryption. Add the following statement to your key policy: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::272506498303:root",
                    "arn:aws:iam::063509147090:root"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }
    ]
}
  1. Open the AWS KMS Console.
  2. Select your key and go to the Key policy tab.
  3. Choose Edit.
  4. Add the statement above to the Statement array in your existing key policy.
  5. Save the policy.

Step 3: Provide the Key ARN to Cognition

Send your KMS key ARN to your Cognition account team. The ARN has the following format: 
arn:aws:kms:<region>:<your-account-id>:key/<key-id>
Once Cognition receives your key ARN, the team will configure your dedicated tenant to use it for encryption. No further action is required on your part.

Key Management

Key Rotation

AWS KMS supports automatic key rotation for customer managed keys. When enabled, AWS automatically creates new cryptographic material for your key every year while retaining the old material to decrypt previously encrypted data. Cognition recommends enabling automatic key rotation.

Revoking Access

You can revoke Cognition’s access to your KMS key at any time by removing the policy statement added in Step 2. Note that revoking access will prevent Cognition from reading or writing encrypted data in your tenant, which will disrupt Devin’s functionality until access is restored.
Disabling or deleting your KMS key, or revoking Cognition’s access, will make all encrypted customer data in your tenant unreadable. Ensure you understand the implications before making changes to your key or its policy.

Monitoring Key Usage

You can monitor all usage of your KMS key through AWS CloudTrail. CloudTrail logs every API call made to your key, including calls from Cognition’s accounts, providing a full audit trail of encryption and decryption operations.

FAQs

Your KMS key is used to encrypt customer data stored in Amazon S3 within your dedicated tenant, including session data and VM snapshots.
No. Your KMS key must be in the same AWS region as your Devin deployment. Contact your Cognition account team to confirm your tenant’s region.
Cognition will create and manage an encryption key on your behalf. All data is still encrypted at rest — CMK simply gives you direct control over the key.
No. CMK is currently available only for Enterprise Dedicated deployments.
Yes. Contact your Cognition account team to update the KMS key ARN for your tenant. Previously encrypted data will remain encrypted with the original key unless re-encrypted.