Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CCKM Administration

Managing AWS Accounts

search

Please Note:

print

Managing AWS Accounts

This section describes how to manage AWS accounts on the CCKM.

copy link to clipboardPrerequisites

  • Before you can add an AWS account to the CCKM, an AWS connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Keys & Access Management > Connections page of the CipherTrust Manager GUI. Refer to Connection Manager for details.

  • Appropriate permissions to manage the AWS KMS must be added on the AWS console.

    1. Permissions to list regions: Add the IAM permission ec2:DescribeRegions to list AWS regions.

      For example:

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeRegions",
            "Resource": "*"
        }
    ]
}

    2. Permissions to manage AWS resources: Add the following IAM permissions to manage AWS resources:

      • kms:ListAliases

      • kms:ListKeyPolicies

      • kms:ListKeys

      • kms:ListResourceTags

      • kms:DescribeKey

      • kms:GetKeyPolicy

      • kms:GetKeyRotationStatus

      • kms:GetParametersForImport

      • kms:GetPublicKey

      • kms:TagResource

      • kms:UntagResource

      • kms:CancelKeyDeletion

      • kms:CreateAlias

      • kms:CreateKey

      • kms:DeleteAlias

      • kms:DeleteImportedKeyMaterial

      • kms:DisableKey

      • kms:DisableKeyRotation

      • kms:EnableKey

      • kms:EnableKeyRotation

      • kms:ImportKeyMaterial

      • kms:ScheduleKeyDeletion

      • kms:UpdateAlias

      • kms:UpdateKeyDescription

      • kms:PutKeyPolicy

      • iam:ListGroups

      • iam:ListRoles

      • iam:ListUsers

      • logs:DescribeLogGroups

      • logs:FilterLogEvents

      For example:

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DisableKey",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListResourceTags",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:GetParametersForImport",
                "kms:GetPublicKey",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:CancelKeyDeletion",
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DeleteAlias",
                "kms:DeleteImportedKeyMaterial",
                "kms:DisableKey",
                "kms:DisableKeyRotation",
                "kms:EnableKey",
                "kms:EnableKeyRotation",
                "kms:ImportKeyMaterial",
                "kms:ScheduleKeyDeletion",
                "kms:UpdateAlias",
                "kms:UpdateKeyDescription",
                "kms:PutKeyPolicy",
                "iam:ListGroups",
                "iam:ListRoles",
                "iam:ListUsers",
                "logs:DescribeLogGroups",
                "logs:FilterLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Note

Permissions might take some time to be effective on AWS. Until then, a permission error might occur. Wait for some time and retry.

Now, AWS accounts and AWS keys can be managed on the CipherTrust Manager.

copy link to clipboardAdding AWS Accounts

To add an AWS account to the CCKM:

  1. Log on to the CipherTrust Manager GUI as administrator.

  2. Open the Cloud Key Manager application.

  3. In the left pane, click Settings > AWS Accounts. The AWS Accounts page is displayed.

  4. Click Add Account.

  5. On the Add AWS Account screen, select /enter the following details:

    1. Specify a unique Name.

    2. From the AWS Connection drop-down list, select the desired connection.

      The AWS Account ID and Available Regions of the selected AWS connection are displayed.

    3. In the Available Regions section, select the desired regions.

      By default, all the regions are selected. You can also use the Search box to filter the regions.

    4. Click the right arrow button (Right Arrow). The selected regions move to the Selected regions list.

    5. Click Save. The AWS account is added to the CCKM.

copy link to clipboardSynchronizing AWS Keys

Synchronizing is the process to download keys created on the AWS KMS to the CCKM.

To synchronize AWS keys:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Settings > AWS Accounts. The AWS Accounts page is displayed. This page displays the list of AWS accounts.

  3. Click the overflow icon (ellipsis) corresponding to the desired AWS account and click Sync Now.

A message Synchronization started... is displayed on the screen.

The synchronized keys are listed on the Cloud Keys > AWS > AWS Keys page.

The synchronization process is started in the background. You can use the get /v1/cckm/aws/synchronization-jobs API to view the status of the synchronization. If you click Sync Now during an ongoing synchronization process, a message sync already in progress is displayed on the screen.

copy link to clipboardViewing/Editing Details of AWS Accounts

copy link to clipboardViewing AWS Account Details

To view the details of an AWS account:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Settings > AWS Accounts. The AWS Accounts page displays the following details:

    ColumnDescription
    NameName of the AWS account.
    Account IDID of the AWS account.
    ConnectionName of the connection.
    CloudCloud name.
    RegionsRegions in which the account is added.

copy link to clipboardEditing AWS Accounts Details

To edit the details of an AWS account:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Settings > AWS Accounts. The AWS Accounts page is displayed. This page displays the list of added AWS accounts.

  3. Click the overflow icon (ellipsis) corresponding to the desired AWS account and click View/Edit Details.

    You can edit the following details:

copy link to clipboardManaging User Permissions on AWS Accounts

To work with the AWS, users/ group must have the minimum set of permissions that allow them to use the AWS resources such as keys and AWS KMS. Initially, the user only has permission to view the keys. However, if required, the CCKM administrator can grant and revoke permissions.

To add permission for user/group:

  1. In the Access Control section, click Assign User/Group.

  2. On the Assign User/Group screen, select the user or group to be assigned permissions from the User/Group drop-down list.

  3. Click Save.

The newly added user/ group is displayed under Name in the Access Control section.

CCKM allows the following operations on the AWS accounts:

  • View Key, Add Key, Edit Key, Upload Key

  • Import Material, Delete Material

  • Schedule Key Deletion, Cancel Key Delete

  • Rotate Key, Sync Key

  • Unassign

To grant permissions to the user to perform any of these tasks:

  1. Select the check-box under the respective action. A Success message is displayed on the screen.

To remove current permissions assigned to the user permissions:

  1. Under Unassign, click the X button corresponding to the desired user.

  2. On the Unassign User screen, click Unassign.

This step removes the explicitly added permissions and restores the default permission for the user.

Note

Only the users who are member of the CCKM Users group will be granted permissions to perform actions on the AWS account. Refer to User Roles for details.

copy link to clipboardModifying Regions

To add regions to the AWS account:

  1. In the Available Regions section, select the desired regions.

  2. Click the right arrow button (Right Arrow). The selected regions move to the Selected regions list.

  3. Click Update.

To remove regions from the AWS account:

  1. In the Selected Regions section, select the desired regions.

  2. Click the left arrow button (Left Arrow). The selected regions move to the Available regions list.

  3. Click Update.

copy link to clipboardDeleting AWS Accounts

To delete an AWS account:

  1. Open the Cloud Key Manager application.

  2. In the left pane, click Settings > AWS Accounts. The AWS Accounts page is displayed. This page displays the list of added AWS accounts.

  3. Click the overflow icon (ellipsis) corresponding to the desired AWS account and click Delete.

  4. On the Delete Key Account screen, select I wish to delete this account.

  5. Click Delete Account.

Note

After an AWS account is deleted from the CipherTrust Manager, the keys existing in the AWS KMS account (native and BYOK) are not affected. However, you can no longer manage those keys from CCKM. The AWS services using the AWS KMS keys continue to function without any issues.

On this page