AWS Resources
This section describes prerequisites to manage AWS resources on the CCKM.
Prerequisites
Before you can add an AWS account to the CCKM, an AWS connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details.
Appropriate permissions to manage the AWS KMS must be added on the AWS console.
Permissions to list regions: Add the IAM permission ec2:DescribeRegions to list the AWS regions. For example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:DescribeRegions",
      "Resource": "*"
    }
  ]
}
```
Permissions to manage AWS resources: Add the following IAM permissions to manage AWS resources:
kms:ListAliases
kms:ListKeyPolicies
kms:ListKeys
kms:ListResourceTags
kms:DescribeKey
kms:GetKeyPolicy
kms:GetKeyRotationStatus
kms:GetParametersForImport
kms:GetPublicKey
kms:TagResource
kms:UntagResource
kms:CancelKeyDeletion
kms:CreateAlias
kms:CreateKey
kms:DeleteAlias
kms:DeleteImportedKeyMaterial
kms:DisableKey
kms:DisableKeyRotation
kms:DescribeCustomKeyStores
kms:EnableKey
kms:EnableKeyRotation
kms:ImportKeyMaterial
kms:ScheduleKeyDeletion
kms:UpdateAlias
kms:UpdateKeyDescription
kms:PutKeyPolicy
iam:ListGroups
iam:ListRoles
iam:ListUsers
logs:DescribeLogGroups
logs:FilterLogEvents
For example:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:DisableKey",
        "kms:ListAliases",
        "kms:ListKeyPolicies",
        "kms:ListKeys",
        "kms:ListResourceTags",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:GetParametersForImport",
        "kms:GetPublicKey",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:CancelKeyDeletion",
        "kms:CreateAlias",
        "kms:CreateKey",
        "kms:DeleteAlias",
        "kms:DeleteImportedKeyMaterial",
        "kms:DescribeCustomKeyStores",
        "kms:DisableKeyRotation",
        "kms:EnableKey",
        "kms:EnableKeyRotation",
        "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion",
        "kms:UpdateAlias",
        "kms:UpdateKeyDescription",
        "kms:PutKeyPolicy",
        "iam:ListGroups",
        "iam:ListRoles",
        "iam:ListUsers",
        "logs:DescribeLogGroups",
        "logs:FilterLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
Note
To manage a multi-region key, the additional IAM permission iam:CreateServiceLinkedRole is required.
To manage External Custom Key Stores or CloudHSM Key Stores, the following additional IAM permissions are required:
cloudhsm:DescribeClusters
kms:CreateCustomKeyStore
kms:ConnectCustomKeyStore
kms:DeleteCustomKeyStore
kms:DisconnectCustomKeyStore
kms:UpdateCustomKeyStore
iam:CreateServiceLinkedRole
Permissions might take some time to take effect on AWS. Until then, a permission error might occur; wait a while and retry.
Now, AWS accounts and AWS keys can be managed on the CipherTrust Manager.
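A quick way to confirm that an IAM policy grants every action listed above, and to spot wildcard grants that go beyond what CCKM needs, as an added example that is not Thales or AWS code. The action names are copied from this page; the sample policy is constructed and deliberately incomplete, and the helper evaluates Allow statements only (no Deny, Resource or Condition logic).

```python
"""Check an IAM policy document against the CCKM permission lists on this page.
Added example (not Thales or AWS code); the sample policy is constructed."""
import fnmatch

# Permissions to list regions and to manage AWS resources (from the lists above).
CCKM_ACTIONS = {
    "ec2:DescribeRegions", "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys",
    "kms:ListResourceTags", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus",
    "kms:GetParametersForImport", "kms:GetPublicKey", "kms:TagResource", "kms:UntagResource",
    "kms:CancelKeyDeletion", "kms:CreateAlias", "kms:CreateKey", "kms:DeleteAlias",
    "kms:DeleteImportedKeyMaterial", "kms:DisableKey", "kms:DisableKeyRotation",
    "kms:DescribeCustomKeyStores", "kms:EnableKey", "kms:EnableKeyRotation",
    "kms:ImportKeyMaterial", "kms:ScheduleKeyDeletion", "kms:UpdateAlias",
    "kms:UpdateKeyDescription", "kms:PutKeyPolicy", "iam:ListGroups", "iam:ListRoles",
    "iam:ListUsers", "logs:DescribeLogGroups", "logs:FilterLogEvents",
}
# Additional permissions from the Note (External/CloudHSM key stores, multi-region keys).
CUSTOM_KEY_STORE_ACTIONS = {
    "cloudhsm:DescribeClusters", "kms:CreateCustomKeyStore", "kms:ConnectCustomKeyStore",
    "kms:DeleteCustomKeyStore", "kms:DisconnectCustomKeyStore", "kms:UpdateCustomKeyStore",
    "iam:CreateServiceLinkedRole",
}

def allowed_patterns(policy):
    """Action patterns granted by Allow statements. Deny, Resource and Condition
    are ignored: this is a completeness check, not an IAM policy simulation."""
    stmts = policy.get("Statement", [])
    patterns = set()
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns

def is_granted(action, patterns):
    """IAM matches action names case-insensitively, with * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def missing_actions(policy, required):
    granted = allowed_patterns(policy)  # required actions no Allow statement covers
    return sorted(a for a in required if not is_granted(a, granted))

def wildcard_patterns(policy):
    """Patterns broader than a single action: review these for least privilege."""
    return sorted(p for p in allowed_patterns(policy) if "*" in p or "?" in p)

# Constructed sample: a wildcard for the List calls, and two required actions missing.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:List*", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*", "Action": sorted(
        a for a in CCKM_ACTIONS if not a.startswith("kms:List")
        and a not in {"kms:PutKeyPolicy", "logs:FilterLogEvents"})}]}
```

Feed it the policy JSON attached to the IAM user or role used by the CCKM connection (`json.load`) and check `missing_actions(policy, CCKM_ACTIONS)` before troubleshooting permission errors.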
Note
To use AWS IAM Roles Anywhere with CCKM, additional configuration is required.
AWS GovCloud does not support AWS IAM Roles Anywhere.
Additional Configuration for AWS IAM Roles Anywhere
The AWS IAM Roles Anywhere service allows non-federated identities outside AWS to assume IAM roles and use their permissions to access resources. The service provides a secure way for workloads that run outside of AWS, such as servers, containers, and applications, to use X.509 digital certificates to obtain temporary AWS credentials. This eliminates the need to manage long-term credentials for external workloads.
To use IAM Roles Anywhere, external workloads must use X.509 certificates issued by a Certificate Authority (CA). The CA needs to be registered as a trust anchor with the IAM Roles Anywhere service to establish trust between them. Alternatively, AWS Private Certificate Authority (AWS Private CA) can be used to create a CA and then use that to establish trust with IAM Roles Anywhere.
CA and Client Certificate Requirements
Client certificates must satisfy the following requirements for authentication:
- The certificates must be X.509v3.
- Basic constraints must include CA: false.
- The key usage must include Digital Signature.
- The signing algorithm must include SHA256 or a stronger algorithm (MD5 and SHA1 signing algorithms are rejected).
Certificates used as trust anchors must satisfy the following requirements:
- The certificates must be X.509v3.
- Basic constraints must include CA: true.
- The key usage must include Certificate Sign, and may include CRL Sign.
- The signing algorithm must include SHA256 or a stronger algorithm (MD5 and SHA1 signing algorithms are rejected).
Certificate Revocation Lists (CRLs) are an optional feature of IAM Roles Anywhere.
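The requirements above can be checked before registering a trust anchor or uploading a client certificate to the connection. The following is an added example, not Thales or AWS code; it needs the `cryptography` package, and the CA and client certificates it inspects are constructed in the block so it runs offline.

```python
"""Check a CA and client certificate against the IAM Roles Anywhere requirements above.
Added example (not Thales or AWS code); the certificates below are constructed locally."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def check_cert(cert, trust_anchor):
    """Return the list of violated requirements (empty list means acceptable)."""
    problems = []
    if cert.version != x509.Version.v3: problems.append("not X.509v3")
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        if bc.ca != trust_anchor:
            problems.append(f"basicConstraints CA must be {str(trust_anchor).lower()}")
    except x509.ExtensionNotFound:
        problems.append("basicConstraints missing")
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if (trust_anchor and not ku.key_cert_sign) or (not trust_anchor and not ku.digital_signature):
            problems.append("keyUsage lacks " + ("keyCertSign" if trust_anchor else "digitalSignature"))
    except x509.ExtensionNotFound:
        problems.append("keyUsage missing")
    alg = cert.signature_hash_algorithm  # MD5/SHA1 are rejected; need SHA256 (32 bytes) or stronger
    if alg is None or alg.digest_size < 32:
        problems.append(f"signature hash not SHA256 or stronger: {getattr(alg, 'name', 'none')}")
    return problems

def make_cert(cn, issuer, issuer_key, key, ca, hash_alg):
    now = datetime.datetime.now(datetime.timezone.utc)  # v3 cert with CA or client key usage
    usage = x509.KeyUsage(digital_signature=not ca, content_commitment=False, key_encipherment=False,
                          data_encipherment=False, key_agreement=False, key_cert_sign=ca,
                          crl_sign=ca, encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .add_extension(usage, critical=True)
            .sign(issuer_key, hash_alg))

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())  # constructed self-signed CA and client cert
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])
    ca = make_cert("Example Root CA", ca_name, ca_key, ca_key, True, hashes.SHA256())
    leaf = make_cert("workload-01", ca_name, ca_key, ec.generate_private_key(ec.SECP256R1()), False, hashes.SHA256())
    # The roles are not interchangeable: presenting the CA certificate as a client fails twice.
    return check_cert(ca, True), check_cert(leaf, False), check_cert(ca, False)
```

To check real files, replace `demo()` with `x509.load_pem_x509_certificate(open(path, "rb").read())` and call `check_cert` with `trust_anchor=True` for the CA and `False` for the client certificate.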
Configuration Steps
To use IAM Roles Anywhere for authentication to AWS from external workloads:
Create a trust anchor. This anchor is essentially a reference to a CA that the IAM Roles Anywhere service uses to validate authentication requests. Both root and intermediate CAs can be used as trust anchors.
Create an IAM role that trusts the IAM Roles Anywhere service principal.
Create a profile that lists the roles IAM Roles Anywhere can assume. In the profile, you can limit the permissions of a created session with IAM managed policies.
By adding one or more roles to a profile and enabling IAM Roles Anywhere to assume these roles, a non-AWS workload can use the client certificate issued by the trusted CA to make secure requests to AWS and get temporary credentials to access the AWS environment.
Note
- When the CipherTrust Manager is deployed in an AWS VPC, the trust anchor and profile must be created in the same region in which the CipherTrust Manager instance is launched.
- Refer to the AWS IAM Roles Anywhere documentation for detailed instructions.
Add an AWS connection on the CipherTrust Manager with IAM Roles Anywhere enabled. While adding the connection for IAM Roles Anywhere, you need to specify:
- The Amazon Resource Names (ARNs) of the trust anchor, IAM role, and profile created in the above steps
- The client's private key and certificate
Refer to Connection Manager for details.
Note
If you are using an access key and secrets-based AWS connection and you want to move to an AWS IAM Roles-based connection, refer to Migrating to IAM Roles Anywhere Connections.