Managing AWS Accounts
This section describes how to manage AWS accounts on the CCKM.
Before proceeding, make sure to fulfill prerequisites.
Adding AWS Accounts
CCKM allows adding same AWS account in one CipherTrust Manager domain with different names, with each entry having a unique set of regions. By default, only the KMSs linked with the AWS account that is used for connection with the CipherTrust Manager can be added. However, if you want, you can assume a role within the same or a different account, while adding KMS over the same connection.
To add an AWS account to the CCKM:
Log on to the CipherTrust Manager GUI as administrator.
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed.
Click Add Account. The Add AWS Account screen is displayed.
Select/enter the following details:
Specify a unique Name.
From the AWS Connection drop-down list, select the desired connection.
The AWS Account ID and Available regions of the selected AWS connection are displayed.
In the Available regions section, select the desired regions.
By default, all the regions are selected. You can also use the Search box to filter the regions.
If you select a subset of available regions, then the remaining regions can be added under a different AWS KMS account name but under the same AWS Account ID.
Click the right arrow button (). The selected regions move to the Selected regions list.
Click Save. The AWS account is added to the CCKM.
Adding AWS KMS Account and Regions by AssumeRole
CCKM allows adding same AWS account in one CipherTrust Manager domain with different names, with each entry having a unique set of regions. By default, only the KMSs linked with the AWS account that is used for connection with the CipherTrust Manager can be added. However, if you want, you can assume a role within the same or a different account, while adding KMS over the same connection. To do this, you need to specify the ARN and/or external ID of the role to be assumed.
Note
An AssumeRole provides a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. Refer to AWS documentation for details on AWS AssumeRole.
Tip
To configure AWS accounts for AssumeRole, refer to IAM tutorial: Delegate access across AWS accounts using IAM roles.
To add an AWS account and regions by AssumeRole:
Log on to the CipherTrust Manager GUI as administrator.
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed.
Click Add Account. The Add AWS Account screen is displayed.
Select/enter the following details:
Specify a unique Name.
From the AWS Connection drop-down list, select the desired connection.
The AWS Account ID and Available regions of the selected AWS connection are displayed.
Specify the AssumeRole details:
Select Add Assumed Role. The following fields are displayed:
Assume Role: Specify the Amazon Resource Name (ARN) of the role to be assumed. This is a mandatory field.
Assume Role External ID: Specify the external ID for the role to be assumed.
Click Test Connection. When the connection is successful, the AWS Account ID associated with the assumed role is displayed. The Available regions section is populated with the available regions.
In the Available regions section, select the desired regions.
By default, all the regions are selected. You can also use the Search box to filter the regions.
If you select a subset of available regions, then the remaining regions can be added under a different AWS KMS account name but under the same AWS Account ID.
Click the right arrow button (). The selected regions move to the Selected regions list.
Click Save. The AWS account is added to the CCKM.
Refreshing AWS Accounts
Refreshing is the process to download keys and key stores created on the AWS KMS to the CCKM. You can refresh keys and key stores from individual or all KMS accounts.
Refreshing Specific AWS Accounts
To refresh an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of AWS accounts.
Click the overflow icon () corresponding to the desired AWS account and click Refresh Now.
On the Refresh Now screen, select the desired account regions to be refreshed.
Click Refresh.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page. Refer to Viewing AWS Keys for details.
Refreshed CloudHSM key stores and external custom key stores appear in the account details.
Refreshing All AWS Accounts
To refresh all AWS accounts:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of AWS accounts.
Click Refresh All.
Note
Refresh all KMS Accounts is a time intensive operation that could take several hours or days to complete. It will continue running in the background. Do you want to continue?
Click Refresh All.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page. Refer to Viewing AWS Keys for details.
Refreshed CloudHSM key stores and external custom key stores appear in the account details of individual accounts.
Viewing/Editing Details of AWS Accounts
The AWS KMS Accounts page shows the list of existing AWS KMS accounts. Search for the KMS accounts by KMS Name or KMS Account ID.
Viewing AWS Account Details
To view the details of an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page displays the following details:
Column Description Name Name of the AWS account. Last Refreshed When the AWS account was last refreshed. Never
is displayed for accounts that are never refreshed.Account ID ID of the AWS account. If the role of another AWS user is assumed, then the associated account ID is displayed. Connection Name of the connection. Cloud Cloud name. Regions Regions in which the account is added. If the role of another AWS user is assumed, then regions associated with the account ID are displayed.
The Assume Role ARN column is hidden by default. This column specifies Amazon Resource Name (ARN) of the assumed role. To show/hide a column, click the custom view icon (), select/clear the desired column, and click OK.
Editing AWS Accounts Details
To edit the details of an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of added AWS accounts.
Click the overflow icon () corresponding to the desired AWS account and click View/Edit Details. The mini detail view shows the details of the AWS KMS account, such as account ID, connection, Assume Role ARN with its external ID, and associated regions etc.
On this page, you can perform the following:
Manage user permissions on the AWS account: Refer to Managing User Permissions on AWS Accounts for details.
Modify connection and regions: Refer to Modifying Connection and Regions for details.
Add or remove assume role: Refer to Adding or Removing Assume Role for details.
Managing User Permissions on AWS Accounts
To work with the AWS, users/groups must have the minimum set of permissions that allow them to use the AWS resources such as keys and AWS KMS. Initially, the user only has permission to view the keys. However, if required, the CCKM administrator can grant and revoke permissions.
Note
Only the users who are member of the CCKM Users group will be granted permissions to perform actions on the AWS account. Refer to User Roles for details.
To add permission for user/group:
In the ACCESS CONTROL section, click Assign User/Group.
On the Assign User/Group screen, select the user or group to be assigned permissions from the User/Group drop-down list.
Click Save.
The newly added user/group is displayed under Name in the Access Control section.
Note
Use the All Keys, BYOK Keys, Native Keys, HYOK Keys, and Custom Key Store tabs to specify permissions for different key types. These tabs display the operations allowed on the AWS accounts. The default tab All Keys shows permissions for all keys.
Granting Permission to Perform an Operation
To grant permissions to the user or group to perform any of the above mentioned operations:
Under the ACCESS CONTROL section, click the desired tab.
Select the check box under the desired operation corresponding to the desired users or groups.
Note
On the BYOK Keys, HYOK keys, and Native Keys tab, the View Key permission is required for granting the Add Key permission. If you grant the Add Key permission, the View Key permission is automatically added, even if it not granted already.
Similarly, on the Custom Key Store tab, the View permission is required for granting the Add permission. If you grant the Add permission, the View permission is automatically added, even if it not granted already.
Click Update.
A success message is displayed on the screen.
Removing a Permission
To remove a permission assigned to a user or group:
Under the ACCESS CONTROL section, click the desired tab.
Clear the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
Removing Permission from a User/Group
To remove current permissions assigned to the user/group:
Under the ACCESS CONTROL section, click the desired tab.
Under Unassign, click the X button corresponding to the desired user/group.
On the Unassign User / Unassign Group screen, click Unassign.
Note
Unassigning this user/group will remove all permissions currently assigned to the user/group. Are you sure you want to continue?
Click Unassign.
This step removes the explicitly added permissions and restores the default permission for the user.
Modifying Connection and Regions
You can update AWS connection and AssumeRole credentials as long as they point to the same AWS account.
To change the connection linked with the AWS account:
Under GENERAL INFO, from the AWS Connection drop-down list, select the desired connection.
Click Update.
To add regions to the AWS account:
Under GENERAL INFO > Select Regions, in the All Available Regions section, select the desired regions.
Click the right arrow button (). The selected regions move to the All Selected Regions list.
Click Update.
To remove regions from the AWS account:
Under GENERAL INFO > Select Regions, in the All Selected Regions section, select the regions to be removed.
Click the left arrow button (). The selected regions move to the All Available Regions list.
Click Update.
Adding or Removing Assume Role
You can update AWS connection and AssumeRole credentials as long as they point to the same AWS account.
To add an Assume Role:
Under GENERAL INFO, select Add Assume Role.
Select Add Assumed Role. The following fields are displayed:
Assume Role: Specify the Amazon Resource Name (ARN) of the role to be assumed. This is a mandatory field.
Assume Role External ID: Specify the external ID for the role to be assumed.
Click Test Connection. When the connection is successful, the All Available Regions section is populated with available regions.
Add or remove regions as appropriate.
Click Update.
To change an Assume Role:
Under GENERAL INFO, change the following details:
Assume Role: Specify the Amazon Resource Name (ARN) of the role to be assumed. This is a mandatory field.
Assume Role External ID: Specify the external ID for the role to be assumed.
Click Test Connection.
Add or remove regions as appropriate.
Click Update.
Deleting AWS Accounts
To delete an AWS KMS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of added AWS KMS accounts.
Click the overflow icon () corresponding to the desired AWS account and click Delete. The Delete AWS Account message is displayed.
Select I wish to delete this account.
Click Delete Account.
Note
After an AWS account is deleted from the CipherTrust Manager, the keys existing in the AWS KMS account (native and BYOK) are not affected. However, you can no longer manage those keys from CCKM. The AWS services using the AWS KMS keys continue to function without any issues.