AWS Resources
This section describes prerequisites to manage AWS resources on the CCKM.
Prerequisites
Before you can add an AWS account to the CCKM, an AWS connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connections Management for details.
Appropriate permissions to manage the AWS KMS must be added on the AWS console.
Permissions to list regions: Add the IAM permission ec2:DescribeRegions to list the AWS regions.
For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:DescribeRegions",
      "Resource": "*"
    }
  ]
}
Permissions to manage AWS resources: Add the following IAM permissions to manage AWS resources:
kms:ListAliases
kms:ListKeyPolicies
kms:ListKeys
kms:ListResourceTags
kms:DescribeKey
kms:GetKeyPolicy
kms:GetKeyRotationStatus
kms:GetParametersForImport
kms:GetPublicKey
kms:TagResource
kms:UntagResource
kms:CancelKeyDeletion
kms:CreateAlias
kms:CreateKey
kms:DeleteAlias
kms:DeleteImportedKeyMaterial
kms:DisableKey
kms:DisableKeyRotation
kms:DescribeCustomKeyStores
kms:EnableKey
kms:EnableKeyRotation
kms:ImportKeyMaterial
kms:ScheduleKeyDeletion
kms:UpdateAlias
kms:UpdateKeyDescription
kms:PutKeyPolicy
iam:ListGroups
iam:ListRoles
iam:ListUsers
logs:DescribeLogGroups
logs:FilterLogEvents
For example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:DisableKey",
        "kms:ListAliases",
        "kms:ListKeyPolicies",
        "kms:ListKeys",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:GetParametersForImport",
        "kms:GetPublicKey",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:CancelKeyDeletion",
        "kms:CreateAlias",
        "kms:CreateKey",
        "kms:DeleteAlias",
        "kms:DeleteImportedKeyMaterial",
        "kms:DescribeCustomKeyStores",
        "kms:DisableKeyRotation",
        "kms:EnableKey",
        "kms:EnableKeyRotation",
        "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion",
        "kms:UpdateAlias",
        "kms:UpdateKeyDescription",
        "kms:PutKeyPolicy",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListUsers",
        "logs:DescribeLogGroups",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
If you want to manage External Custom Key Stores or CloudHSM Key Stores, the following additional IAM permissions are required:
cloudhsm:DescribeClusters
kms:CreateCustomKeyStore
kms:ConnectCustomKeyStore
kms:DeleteCustomKeyStore
kms:DisconnectCustomKeyStore
kms:UpdateCustomKeyStore
iam:CreateServiceLinkedRole
Note
To manage a multi-region key, the additional IAM permission iam:CreateServiceLinkedRole is required.
Permissions might take some time to become effective on AWS. Until then, a permission error might occur. Wait for some time and retry.
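To confirm before adding the account that the IAM policy attached to the connection's credentials actually grants the permissions listed above (and to spot wildcard grants that are wider than the explicit list), the following added example, which is not part of the CipherTrust Manager product or this page, checks a policy document offline. It assumes only the permission names from this page and a constructed sample policy; Deny statements, resource conditions and SCPs are not evaluated.

```python
import fnmatch
import json

# Actions required by this page: region listing plus core KMS management.
REQUIRED_ACTIONS = [
    "ec2:DescribeRegions",
    "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys", "kms:ListResourceTags",
    "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus",
    "kms:GetParametersForImport", "kms:GetPublicKey", "kms:TagResource",
    "kms:UntagResource", "kms:CancelKeyDeletion", "kms:CreateAlias", "kms:CreateKey",
    "kms:DeleteAlias", "kms:DeleteImportedKeyMaterial", "kms:DisableKey",
    "kms:DisableKeyRotation", "kms:DescribeCustomKeyStores", "kms:EnableKey",
    "kms:EnableKeyRotation", "kms:ImportKeyMaterial", "kms:ScheduleKeyDeletion",
    "kms:UpdateAlias", "kms:UpdateKeyDescription", "kms:PutKeyPolicy",
    "iam:ListGroups", "iam:ListRoles", "iam:ListUsers",
    "logs:DescribeLogGroups", "logs:FilterLogEvents",
]

def allowed_actions(policy):
    """Collect actions from Allow statements; 'Action' may be a string or a list."""
    allowed = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        allowed.extend([action] if isinstance(action, str) else action)
    return allowed

def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return required actions not covered by any Allow action pattern.
    IAM action names are case-insensitive and may use '*' wildcards
    (e.g. 'kms:List*'); fnmatch reproduces that matching well enough here."""
    patterns = [a.lower() for a in allowed_actions(policy)]
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)]

def broad_grants(policy):
    """Least-privilege check: wildcard grants wider than the explicit list."""
    return [a for a in allowed_actions(policy) if "*" in a]

# Constructed sample policy: lists regions, grants only kms:List* and DescribeKey.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeRegions", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:List*", "kms:DescribeKey"], "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))
    print("wildcard grants:", broad_grants(SAMPLE_POLICY))
```

Run it against the policy JSON exported from the IAM console; an empty `missing` list means every permission this page requires is granted.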
Now, AWS accounts and AWS keys can be managed on the CipherTrust Manager.