Managing AWS Accounts
This section describes how to manage AWS accounts on the CCKM.
Prerequisites
Before you can add an AWS account to the CCKM, an AWS connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Keys & Access Management > Connections page of the CipherTrust Manager GUI. Refer to Connection Manager for details.
Appropriate permissions to manage the AWS KMS must be added on the AWS console.
Permissions to list regions: Add the IAM permission ec2:DescribeRegions to list AWS regions. For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:DescribeRegions",
      "Resource": "*"
    }
  ]
}
Permissions to manage AWS resources: Add the following IAM permissions to manage AWS resources:
kms:ListAliases
kms:ListKeyPolicies
kms:ListKeys
kms:ListResourceTags
kms:DescribeKey
kms:GetKeyPolicy
kms:GetKeyRotationStatus
kms:GetParametersForImport
kms:GetPublicKey
kms:TagResource
kms:UntagResource
kms:CancelKeyDeletion
kms:CreateAlias
kms:CreateKey
kms:DeleteAlias
kms:DeleteImportedKeyMaterial
kms:DisableKey
kms:DisableKeyRotation
kms:EnableKey
kms:EnableKeyRotation
kms:ImportKeyMaterial
kms:ScheduleKeyDeletion
kms:UpdateAlias
kms:UpdateKeyDescription
kms:PutKeyPolicy
iam:ListGroups
iam:ListRoles
iam:ListUsers
logs:DescribeLogGroups
logs:FilterLogEvents
For example (the policy below lists each action once; a duplicate "kms:DisableKey" entry has been removed):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:ListKeyPolicies",
        "kms:ListKeys",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:GetParametersForImport",
        "kms:GetPublicKey",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:CancelKeyDeletion",
        "kms:CreateAlias",
        "kms:CreateKey",
        "kms:DeleteAlias",
        "kms:DeleteImportedKeyMaterial",
        "kms:DisableKey",
        "kms:DisableKeyRotation",
        "kms:EnableKey",
        "kms:EnableKeyRotation",
        "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion",
        "kms:UpdateAlias",
        "kms:UpdateKeyDescription",
        "kms:PutKeyPolicy",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListUsers",
        "logs:DescribeLogGroups",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
Note
Permissions might take some time to be effective on AWS. Until then, a permission error might occur. Wait for some time and retry.
Now, AWS accounts and AWS keys can be managed on the CipherTrust Manager.
Adding AWS Accounts
To add an AWS account to the CCKM:
Log on to the CipherTrust Manager GUI as administrator.
Open the Cloud Key Manager application.
In the left pane, click Settings > AWS Accounts. The AWS Accounts page is displayed.
Click Add Account.
On the Add AWS Account screen, select or enter the following details:
Specify a unique Name.
From the AWS Connection drop-down list, select the desired connection.
The AWS Account ID and Available Regions of the selected AWS connection are displayed.
In the Available Regions section, select the desired regions.
By default, all the regions are selected. You can also use the Search box to filter the regions.
Click the right arrow button. The selected regions move to the Selected regions list.
Click Save. The AWS account is added to the CCKM.
Synchronizing AWS Keys
Synchronizing is the process of downloading keys created in AWS KMS to the CCKM.
To synchronize AWS keys:
Open the Cloud Key Manager application.
In the left pane, click Settings > AWS Accounts. The AWS Accounts page is displayed. This page displays the list of AWS accounts.
Click the overflow icon corresponding to the desired AWS account and click Sync Now.
A message Synchronization started... is displayed on the screen.
The synchronized keys are listed on the Cloud Keys > AWS > AWS Keys page.
The synchronization process is started in the background. You can use the GET /v1/cckm/aws/synchronization-jobs API to view the status of the synchronization. If you click Sync Now during an ongoing synchronization process, a message sync already in progress is displayed on the screen.
Viewing/Editing Details of AWS Accounts
Viewing AWS Account Details
To view the details of an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Settings > AWS Accounts. The AWS Accounts page displays the following details:
Column      Description
Name        Name of the AWS account.
Account ID  ID of the AWS account.
Connection  Name of the connection.
Cloud       Cloud name.
Regions     Regions in which the account is added.
Editing AWS Accounts Details
To edit the details of an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Settings > AWS Accounts. The AWS Accounts page is displayed. This page displays the list of added AWS accounts.
Click the overflow icon corresponding to the desired AWS account and click View/Edit Details.
You can edit the following details:
Manage user permissions on the AWS account: Refer to Managing User Permissions on AWS Accounts for details.
Modify regions: Refer to Modifying Regions for details.
Managing User Permissions on AWS Accounts
To work with AWS, users or groups must have the minimum set of permissions that allow them to use AWS resources such as keys and the AWS KMS. Initially, a user only has permission to view the keys. However, if required, the CCKM administrator can grant and revoke permissions.
To add permission for user/group:
In the Access Control section, click Assign User/Group.
On the Assign User/Group screen, select the user or group to be assigned permissions from the User/Group drop-down list.
Click Save.
The newly added user/group is displayed under Name in the Access Control section.
CCKM allows the following operations on the AWS accounts:
View Key, Add Key, Edit Key, Upload Key
Import Material, Delete Material
Schedule Key Deletion, Cancel Key Delete
Rotate Key, Sync Key
Unassign
To grant permissions to the user to perform any of these tasks:
Select the check box under the respective action. A Success message is displayed on the screen.
To remove the permissions currently assigned to a user:
Under Unassign, click the X button corresponding to the desired user.
On the Unassign User screen, click Unassign.
This step removes the explicitly added permissions and restores the default permission for the user.
Note
Only users who are members of the CCKM Users group are granted permissions to perform actions on the AWS account. Refer to User Roles for details.
Modifying Regions
To add regions to the AWS account:
In the Available Regions section, select the desired regions.
Click the right arrow button. The selected regions move to the Selected regions list.
Click Update.
To remove regions from the AWS account:
In the Selected Regions section, select the desired regions.
Click the left arrow button. The selected regions move to the Available regions list.
Click Update.
Deleting AWS Accounts
To delete an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Settings > AWS Accounts. The AWS Accounts page is displayed. This page displays the list of added AWS accounts.
Click the overflow icon corresponding to the desired AWS account and click Delete.
On the Delete Key Account screen, select I wish to delete this account.
Click Delete Account.
Note
After an AWS account is deleted from the CipherTrust Manager, the keys existing in the AWS KMS account (native and BYOK) are not affected. However, you can no longer manage those keys from CCKM. The AWS services using the AWS KMS keys continue to function without any issues.