Managing AWS Accounts
This section describes how to manage AWS accounts on the CCKM.
Before proceeding, make sure to fulfill prerequisites.
Adding AWS Accounts
To add an AWS account to the CCKM:
Log on to the CipherTrust Manager GUI as administrator.
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed.
Click Add Account.
On the Add AWS Account screen, select or enter the following details:
Specify a unique Name.
From the AWS Connection drop-down list, select the desired connection.
The AWS Account ID and Available Regions of the selected AWS connection are displayed.
In the Available Regions section, select the desired regions.
By default, all the regions are selected. You can also use the Search box to filter the regions.
Click the right arrow button. The selected regions move to the Selected Regions list.
Click Save. The AWS account is added to the CCKM.
Synchronizing AWS Accounts
Synchronizing is the process to download keys created on the AWS KMS to the CCKM. You can synchronize individual or all KMS accounts.
Synchronizing an AWS Account
To synchronize an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of AWS accounts.
Click the overflow icon corresponding to the desired AWS account and click Sync Now.
On the Sync Now screen, select the desired account regions to be synchronized.
Click Sync.
The message "Synchronization started..." is displayed on the screen. To cancel the synchronization, click Cancel Sync.
The synchronized keys are listed on the Cloud Keys > AWS > AWS Keys page. Refer to Viewing AWS Keys for details.
Synchronizing All AWS Accounts
To synchronize all AWS accounts:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of AWS accounts.
Click Sync All.
Note
A confirmation dialog is displayed: "Sync all KMS Accounts is a time-intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?"
Click Sync All to confirm.
The message "Synchronization started..." is displayed on the screen. To cancel the synchronization, click Cancel Sync.
The synchronized keys are listed on the Cloud Keys > AWS > AWS Keys page. Refer to Viewing AWS Keys for details.
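Because a sync only covers the regions selected on the account and can take hours, a practitioner usually wants a way to confirm afterwards that no key was missed. The following reconciliation check is an added example, not part of the CCKM documentation or product; it assumes a set of key ARNs exported from the CCKM AWS Keys page (cckm_key_arns), the account's selected regions, and, for live use, boto3 with credentials allowed kms:ListKeys. The FakeKmsClient and its account ID are constructed so the demo runs offline.

```python
"""Reconcile the KMS keys in each selected region against the keys CCKM lists after a sync.
cckm_key_arns is assumed to be exported from the CCKM AWS Keys page; boto3 is only needed live."""
from typing import Callable, Dict, Iterable, List, Set

def list_kms_key_arns(client) -> List[str]:
    """Return every KMS key ARN in one region, following ListKeys pagination (Marker/NextMarker)."""
    arns, kwargs = [], {}
    while True:
        page = client.list_keys(**kwargs)
        arns.extend(k["KeyArn"] for k in page.get("Keys", []))
        if not page.get("Truncated"):
            return arns
        kwargs = {"Marker": page["NextMarker"]}

def find_unsynced_keys(selected_regions: Iterable[str], cckm_key_arns: Set[str],
                       client_factory: Callable[[str], object]) -> Dict[str, List[str]]:
    """Map region -> KMS key ARNs present in AWS but absent from the CCKM inventory.
    Only regions selected on the CCKM account are checked: keys in unselected regions
    are never synced and would otherwise appear as false positives."""
    missing = {}
    for region in selected_regions:
        gap = sorted(set(list_kms_key_arns(client_factory(region))) - cckm_key_arns)
        if gap:
            missing[region] = gap
    return missing

def boto3_kms_client(region: str):
    """Live client factory: needs boto3 and credentials allowed kms:ListKeys in the region."""
    import boto3  # imported lazily so the offline demo below does not require it
    return boto3.client("kms", region_name=region)

class FakeKmsClient:
    """Constructed stand-in for a boto3 KMS client returning two pages of keys (sample account ID)."""
    def __init__(self, region: str):
        self.pages = [
            {"Keys": [{"KeyArn": f"arn:aws:kms:{region}:111122223333:key/aaaa-1"}],
             "Truncated": True, "NextMarker": "page2"},
            {"Keys": [{"KeyArn": f"arn:aws:kms:{region}:111122223333:key/bbbb-2"}],
             "Truncated": False},
        ]
    def list_keys(self, Marker=None, Limit=None):
        return self.pages[1] if Marker == "page2" else self.pages[0]

if __name__ == "__main__":
    # After a sync of us-east-1 only, eu-west-1 keys (if selected) should show as unsynced.
    synced = {"arn:aws:kms:us-east-1:111122223333:key/aaaa-1",
              "arn:aws:kms:us-east-1:111122223333:key/bbbb-2"}
    print(find_unsynced_keys(["us-east-1", "eu-west-1"], synced, FakeKmsClient))
```

For a live run, pass boto3_kms_client as the client factory; any region that appears in the result needs a fresh Sync Now for that region.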
Viewing/Editing Details of AWS Accounts
Viewing AWS Account Details
To view the details of an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page displays the following details:
Column: Description
Name: Name of the AWS account.
Account ID: ID of the AWS account.
Connection: Name of the connection.
Cloud: Cloud name.
Regions: Regions in which the account is added.
Editing AWS Accounts Details
To edit the details of an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of added AWS accounts.
Click the overflow icon corresponding to the desired AWS account and click View/Edit Details.
You can edit the following details:
Manage user permissions on the AWS account: Refer to Managing User Permissions on AWS Accounts for details.
Modify regions: Refer to Modifying Regions for details.
Managing User Permissions on AWS Accounts
To work with AWS, users or groups must have the minimum set of permissions that allow them to use AWS resources such as keys and AWS KMS. Initially, a user only has permission to view the keys. If required, the CCKM administrator can grant and revoke further permissions.
To add permissions for a user or group:
In the Access Control section, click Assign User/Group.
On the Assign User/Group screen, select the user or group to be assigned permissions from the User/Group drop-down list.
Click Save.
The newly added user or group is displayed under Name in the Access Control section.
CCKM allows the following operations on the AWS accounts:
View Key, Add Key, Edit Key, Upload Key
Import Material, Delete Material
Schedule Key Deletion, Cancel Key Delete
Rotate Key, Sync Key
Unassign
To grant the user permission to perform any of the above operations, select the check box under the respective action. A Success message is displayed on the screen.
To remove current permissions assigned to the user:
Under Unassign, click the X button corresponding to the desired user.
On the Unassign User screen, click Unassign.
This step removes the explicitly added permissions and restores the default permission for the user.
Note
Only users who are members of the CCKM Users group are granted permissions to perform actions on the AWS account. Refer to User Roles for details.
Modifying Regions
To add regions to the AWS account:
In the Available Regions section, select the desired regions.
Click the right arrow button. The selected regions move to the Selected Regions list.
Click Update.
To remove regions from the AWS account:
In the Selected Regions section, select the desired regions.
Click the left arrow button. The selected regions move to the Available Regions list.
Click Update.
Deleting AWS Accounts
To delete an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Settings > AWS Accounts. The AWS Accounts page is displayed. This page displays the list of added AWS accounts.
Click the overflow icon corresponding to the desired AWS account and click Delete.
On the Delete Key Account screen, select I wish to delete this account.
Click Delete Account.
Note
After an AWS account is deleted from the CipherTrust Manager, the keys that exist in the AWS KMS account (native and BYOK) are not affected; however, you can no longer manage those keys from CCKM. AWS services using those AWS KMS keys continue to function without any issues.