Managing Policy Templates
Policy templates can be applied to AWS keys at creation time and to existing keys afterwards. Policy templates are supported for all Native, BYOK, and CloudHSM keys.
For HYOK keys, policy templates are applicable to linked keys only.
Note
Consult the AWS Key Management Service Developer Guide for details on the effects of AWS key policies.
This section covers adding, viewing, viewing the details of, and deleting policy templates.
Adding Policy Templates
You must have the Add Key (BYOK, HYOK, or Native) or CloudHSM - Add Key permission to add a policy template.
To add a policy template:
Open the Cloud Key Manager application. By default, the AWS Keys tab is selected.
Click the Policy Templates tab.
Click Create Policy. The Select Account and Name Policy screen is displayed.
Select Account and Name Policy
Specify the policy Name.
Select the AWS Account. The policy will be added to this account.
Click Next. The Configure Policy screen is displayed.
Configure Policy
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
You can configure policy in either the Basic view or Raw view. The default view is Basic.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These accounts are granted key-user permissions in the key policy. Principals in an external account also need an IAM policy in their own account that allows the corresponding kms: actions before they can use the key. You can add more external accounts in the same way. To remove an account, click the close (X) icon next to the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Edits made in the Raw view are kept only in the Raw view; they are not reflected in the Basic view.
Click Save.
The newly created policy template appears on the Policy Templates tab. The status of the template is Unverified.
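The Raw view accepts a complete AWS key policy document in JSON. The following added example (not Cloud Key Manager code, and not part of this documentation) builds such a document in Python from the same inputs the Basic view collects, namely key admins, key users, and external accounts, and then runs the checks a practitioner should apply before pasting any hand-written policy into the Raw Policy field: the policy version, the presence of the account root statement that AWS KMS relies on to keep the key manageable, and Allow statements open to any principal without a Condition. The statement layout follows the default key policy created by the AWS console; that the Basic view emits an equivalent layout is an assumption. All account IDs and role ARNs are constructed placeholders.

```python
"""Build and sanity-check an AWS KMS key policy document.

Added example, not Cloud Key Manager code. The statement layout follows the
AWS console default key policy; matching the Basic view exactly is assumed.
"""
import json

ADMIN_ACTIONS = [  # actions the AWS console default policy grants key administrators
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
USE_ACTIONS = [  # cryptographic actions granted to key users
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def build_key_policy(account_id, key_admins, key_users, external_accounts):
    """Return a key policy dict. external_accounts are 12-digit account IDs;
    their root ARN is added to the key-user statement, which is how
    cross-account use is delegated (the other account still needs IAM policies)."""
    root_arn = f"arn:aws:iam::{account_id}:root"
    users = list(key_users) + [f"arn:aws:iam::{a}:root" for a in external_accounts]
    statements = [{
        # Without this statement IAM policies in the account cannot grant
        # access to the key and the key can become unmanageable.
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": root_arn},
        "Action": "kms:*",
        "Resource": "*",
    }]
    if key_admins:
        statements.append({"Sid": "Allow access for Key Administrators",
                           "Effect": "Allow", "Principal": {"AWS": list(key_admins)},
                           "Action": ADMIN_ACTIONS, "Resource": "*"})
    if users:
        statements.append({"Sid": "Allow use of the key",
                           "Effect": "Allow", "Principal": {"AWS": users},
                           "Action": USE_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _principals(stmt):
    """Flatten the Principal element ("*", {"AWS": str} or {"AWS": [..]}) to a list."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return [aws] if isinstance(aws, str) else list(aws)
    return []


def check_key_policy(policy, account_id):
    """Return a list of problems found in a (raw) key policy; empty if none."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given as an object
        stmts = [stmts]
    root_arn = f"arn:aws:iam::{account_id}:root"
    has_root = any(s.get("Effect") == "Allow" and root_arn in _principals(s)
                   and s.get("Action") in ("kms:*", ["kms:*"]) for s in stmts)
    if not has_root:
        problems.append(f"no kms:* Allow for {root_arn}; key may become unmanageable")
    for s in stmts:
        if s.get("Effect") == "Allow" and "*" in _principals(s) and "Condition" not in s:
            problems.append(f"statement {s.get('Sid', '?')} allows any principal "
                            "without a Condition")
    return problems


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real accounts or roles.
    pol = build_key_policy("111122223333",
                           ["arn:aws:iam::111122223333:role/KeyAdmins"],
                           ["arn:aws:iam::111122223333:role/AppRole"],
                           ["444455556666"])
    print(json.dumps(pol, indent=2))  # paste this into the Raw Policy field
    print("problems:", check_key_policy(pol, "111122223333"))
```

Run the script and paste its JSON output into the Raw Policy field. If a policy pasted from elsewhere fails the root-statement check, fix it before saving: AWS KMS evaluates the key policy as the primary access control for the key, so a template that drops the account root statement can leave the key usable only by whoever is still named in it.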
Viewing Policy Templates
The Policy Templates tab of the AWS Keys page shows the list of existing key policy templates. Filter the policy templates by Template Name, Account Name, or Account ID.
You must have the View Key (BYOK, HYOK, or Native) / CloudHSM - View Key permission to view policy templates.
To view the policy templates:
Open the Cloud Key Manager application. By default, the AWS Keys tab is selected.
Click the Policy Templates tab. The list of available policy templates is displayed. The tab shows the following details:
Column Name | Description |
---|---|
Template Name | Name of the policy template. |
Status | Status of the policy template - Verified or Unverified. |
Account Name | Name of the AWS KMS account. |
Account ID | ID of the AWS KMS account. |
Cloud | Name of the AWS cloud - AWS, AWS Gov Cloud, or AWS China. |
Creation Date | Time when the template was created. |
Viewing Details of Policy Templates
The detail view of a policy template shows the associated keys and the policy.
You must have the View Key (BYOK, HYOK, or Native) / CloudHSM - View Key permission to view the policy templates.
To view the details of a policy template:
Open the Cloud Key Manager application.
Click the Policy Templates tab. The list of available policy templates is displayed.
Click the Template Name link of the desired template.
Alternatively, click the overflow icon corresponding to the desired template and click View Details.
The detail view shows the details of the associated keys and the policy under KEYS and POLICY sections.
Deleting Policy Templates
You must have the Schedule Key Delete, Delete Key (HYOK), or CloudHSM - Delete Key permission to delete a policy template.
To delete a policy template:
Open the Cloud Key Manager application. By default, the AWS Keys tab is selected.
Click the Policy Templates tab.
Click the overflow icon corresponding to the desired template.
Click Delete Template. A message box appears prompting you to confirm the deletion.
Click Delete Template again to confirm. The template is deleted.