diff --git a/source/_static/badges/ent-cloud-dedicated.rst b/source/_static/badges/ent-cloud-dedicated.rst
new file mode 100644
index 00000000000..56430fc4df0
--- /dev/null
+++ b/source/_static/badges/ent-cloud-dedicated.rst
@@ -0,0 +1,18 @@
+:orphan:
+:nosearch:
+
+.. raw:: html
+
+
+
+|plans-img| Available only on `Enterprise `__ plans
+
+|deployment-img| Available only for `Cloud Dedicated `__ deployments
+
+.. |plans-img| image:: ../_static/images/badges/flag_icon.svg
+
+.. |deployment-img| image:: ../_static/images/badges/deployment_icon.svg
+
+.. raw:: html
+
+
diff --git a/source/configure/reporting-configuration-settings.rst b/source/configure/reporting-configuration-settings.rst
index 2f4d26502f9..269f29ffe45 100644
--- a/source/configure/reporting-configuration-settings.rst
+++ b/source/configure/reporting-configuration-settings.rst
@@ -22,7 +22,7 @@ Site statistics
| sessions, commands, webhooks, active users, connections, | - ``config.json setting``: N/A |
| and playbooks. | - Environment variable: N/A |
+---------------------------------------------------------------+-------------------------------------------------------------+
-| **Note**: Inactive and deactivated users, as well as remote users in |
+| **Note**: Deactivated users as well as synthetic users in |
| `Microsoft Teams integrations `__ |
| and `shared channels users `__, aren't counted towards the total number of active users. |
+---------------------------------------------------------------+-------------------------------------------------------------+
@@ -39,7 +39,7 @@ Team statistics
| number of public and private channels, total post count, and | - ``config.json`` setting: N/A |
| count of paid users (self-hosted only). | - Environment variable: N/A |
+---------------------------------------------------------------+---------------------------------------------------------------+
-| **Note**: Inactive and deactivated users are not counted towards the total number of active users. |
+| **Note**: Deactivated users are not counted towards the total number of active users. |
+---------------------------------------------------------------+---------------------------------------------------------------+
----
diff --git a/source/guides/cloud-workspace-management.rst b/source/guides/cloud-workspace-management.rst
index 8fd61fae46a..b9b635bfc7f 100644
--- a/source/guides/cloud-workspace-management.rst
+++ b/source/guides/cloud-workspace-management.rst
@@ -15,3 +15,4 @@ Cloud workspace management
* :doc:`Workspace usage ` - Keep your workspace active.
* :doc:`Workspace migration ` - Migrate your workspace using the mmctl tool.
* :doc:`Cloud data residency ` - Find information about your data in the Cloud.
+* :doc:`Cloud Bring Your Own Key (BYOK) ` - Learn how to manage data encryption processes within a Mattermost Cloud Enterprise Dedicated deployment.
diff --git a/source/manage/cloud-byok.rst b/source/manage/cloud-byok.rst
new file mode 100644
index 00000000000..57de32f9499
--- /dev/null
+++ b/source/manage/cloud-byok.rst
@@ -0,0 +1,81 @@
+Cloud Dedicated Bring Your Own Key
+===================================
+
+.. include:: ../_static/badges/ent-cloud-dedicated.rst
+ :start-after: :nosearch:
+
+Bring Your Own Key (BYOK) provides Enterprise Cloud customers with autonomy over their encryption key life cycle. BYOK supports encryption at rest with custom KMS keys that the enterprise provides and maintains.
+
+BYOK requires a subscription to Mattermost Cloud Enterprise Dedicated, which offers enhanced data security and compliance by ensuring that enterprises have full control over their data encryption processes.
+
+In Mattermost Cloud Enterprise Dedicated, you can use KMS keys in 2 ways:
+
+- One KMS key for all services; or,
+- Per-service KMS keys (EBS, RDS, S3)
+ - Keys do not need to be unique to each service.
+ - All services must be encrypted at rest.
+ - Selective enablement of this feature can be supported.
+ - In cases where a global database is needed, we recommend providing 2 KMS keys (1 per region).
+
+Configure BYOK
+------------------------
+1. Enterprise customer provides their AWS KMS ARN to the Mattermost Infrastructure SRE team.
+2. Enterprise customer adds the following blocks to their KMS Policy for the AWS KMS ARN provided:
+
+.. code-block:: JSON
+
+ {
+ "Sid": "Allow use of the key",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::user/mattermost-cloud--provisioning-"
+ },
+ "Action": [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ],
+ "Resource": ""
+ },
+ {
+ "Sid": "Allow use of the key role nodes",
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": "arn:aws:iam:::role/nodes.-kops.k8s.local"
+ },
+ "Action": [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ "kms:ReEncrypt*",
+ "kms:GenerateDataKey*",
+ "kms:DescribeKey"
+ ],
+ "Resource": ""
+ },
+
+3. The Mattermost Infrastructure SRE team updates the kops cluster and S3, RDS resources after the KMS policy is updated on the customer's end.
+
+Alternatively, the Enterprise customer can provide an external key (non-KMS) to the Mattermost Infrastructure SRE team that Mattermost maintains on behalf of the customer.
+This path offers less control to customers but simplifies the setup process.
+
+Requirements
+~~~~~~~~~~~~~~~~~~~~~~~
+
+- Customers must own their AWS Account. (In the alternative path mentioned above this is delegated to Mattermost.)
+- Customers oversee the maintenance life cycle of their custom KMS key.
+- A valid AWS KMS ARN for encrypting storage and databases should be provided to the Infrastructure SRE team.
+- The customer should incorporate the provided policy blocks from the Infrastructure SRE team into their KMS key policy.
+
+Considerations
+~~~~~~~~~~~~~~~~~~~~~~~
+- Changing the AWS KMS key in the database necessitates downtime due to AWS Aurora's encryption `limitations. `__
+- Proper communication is essential for setting expectations and scheduling changes.
+
+Conclusion
+--------------
+
+If you are a large enterprise with compliance requirements, or are working in highly-regulated industries, using Mattermost Cloud Dedicated with BYOK ensures full data control.
+
+For any further assistance or queries, `contact our support team `__.
diff --git a/source/manage/logging.rst b/source/manage/logging.rst
index 37fab65eb24..e46049aedb5 100644
--- a/source/manage/logging.rst
+++ b/source/manage/logging.rst
@@ -461,7 +461,7 @@ Frequently asked questions
Does Mattermost have an audit log besides the system ``auditd``?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Yes. See the `audit logging <#audit-logging-experimental-beta>`__ documentation for details.
+Yes. See the `audit logging <#audit-logging-beta>`__ documentation for details.
When syslog is configured as the target, does it contain the IP address of the emitter of the data (i.e., the Mattermost app node)?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -486,4 +486,4 @@ See `enable-webhook-debugging `__
\ No newline at end of file
+See `maximum-field-size `__