Managing Policies
Policies can be applied to AWS keys both when a key is created and afterwards. Saved policies (policy templates) are supported for all Native, BYOK, and CloudHSM keys.
For HYOK keys, policy templates can be applied to linked keys only.
Note
Consult the AWS Key Management Service Developer Guide for details on the effects of AWS key policies.
The ListResourceTags, TagResource, and UntagResource permissions are needed to manage saved policies.
Creating New Policies
You must have the Add Key (BYOK, HYOK, or Native) or CloudHSM - Add Key permission to create a policy.
To create a policy:
Open the Cloud Key Manager application. By default, the AWS Keys tab is selected.
Click the Saved Policies tab.
Click Create Policy. The Select Account and Name Policy screen is displayed.
Select Account and Name Policy
Specify a unique policy Name.
Select the AWS KMS Account. The policy will be added to this account.
(Optional) Enable Create Policy at Account ID Level.
Note
You can create the policy at the KMS account level or at the Account ID level.
Click Next. The Configure Policy screen is displayed.
Configure Policy
Select the key admins, key users, and additional accounts for the policy. The Key Admins and Key Users tabs display the list of available AWS users and roles.
You can configure policy in either the Basic view or Raw view. The default view is Basic.
In the Basic view, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Add external accounts in the Add Accounts field and click +.
These external accounts receive key user permissions. You can add more external accounts in the same way. To remove an account, click the close (X) icon next to the account name.
To switch to the Raw view, click Switch to policy (Raw) View. In the Raw view, paste a policy in JSON format in the Raw Policy field.
Note
Edits made in the policy (Raw) view are retained only in the Raw view; they are not reflected in the Basic view.
Click Next. The Review and Add screen is displayed.
Review and Add
Before adding the policy, review all the details. Some settings cannot be edited after the policy is added.
Review the policy and account details. If the details are incorrect or you want to modify them, click Back and update the details.
Click Add Policy.
The newly created policy appears on the Saved Policies tab. The status of the policy is Unverified.
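The Basic view builds a key policy from key admins, key users, and external accounts; the Raw view accepts the same thing as JSON. The following is an added example (not CCKM or AWS code) that assembles such a policy in the shape of the AWS KMS default key policy and lints a raw policy before it is pasted into the Raw Policy field: it flags a wildcard Principal with no Condition, a non-ARN principal, and the absence of a statement granting kms:* to the account root. The account IDs, role and user names are constructed placeholders.

```python
"""Build a KMS key policy of the kind CCKM's Basic view produces and lint a
raw policy before pasting it into the Raw view. Added example, not CCKM or AWS
code; all account IDs and ARNs are constructed placeholders."""
import json

# Action lists follow the AWS KMS default key policy described in the
# AWS Key Management Service Developer Guide.
ADMIN_ACTIONS = [
    "kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
    "kms:TagResource", "kms:UntagResource",
    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion",
]
USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]


def build_key_policy(account_id, key_admins, key_users, external_accounts=()):
    """Return a key policy dict. External accounts get key user permissions,
    which is how accounts added in the Add Accounts field are treated."""
    root = f"arn:aws:iam::{account_id}:root"
    users = list(key_users) + [f"arn:aws:iam::{a}:root" for a in external_accounts]
    statements = [{
        # Without this statement, IAM policies in the account cannot grant
        # access to the key and the key can become unmanageable.
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": root}, "Action": "kms:*", "Resource": "*",
    }]
    if key_admins:
        statements.append({"Sid": "Allow access for Key Administrators",
                           "Effect": "Allow", "Principal": {"AWS": list(key_admins)},
                           "Action": ADMIN_ACTIONS, "Resource": "*"})
    if users:
        statements.append({"Sid": "Allow use of the key", "Effect": "Allow",
                           "Principal": {"AWS": users},
                           "Action": USER_ACTIONS, "Resource": "*"})
        statements.append({"Sid": "Allow attachment of persistent resources",
                           "Effect": "Allow", "Principal": {"AWS": users},
                           "Action": GRANT_ACTIONS, "Resource": "*",
                           "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}})
    return {"Version": "2012-10-17", "Id": "cckm-saved-policy", "Statement": statements}


def _principals(stmt):
    """Flatten the AWS principals of a statement into a list of strings."""
    p = stmt.get("Principal")
    aws = p.get("AWS") if isinstance(p, dict) else p
    if aws is None:
        return []
    return [str(x) for x in aws] if isinstance(aws, list) else [str(aws)]


def lint_key_policy(policy, account_id):
    """Return human-readable findings; an empty list means the policy passed."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    root = f"arn:aws:iam::{account_id}:root"
    root_has_full_access = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principals = _principals(stmt)
        for p in principals:
            if p == "*" and "Condition" not in stmt:
                findings.append(f"{sid}: Principal '*' with no Condition lets any AWS "
                                "account that has a matching IAM policy use the key")
            elif p != "*" and not (p.startswith("arn:aws") or (p.isdigit() and len(p) == 12)):
                findings.append(f"{sid}: '{p}' is neither an ARN nor a 12-digit account ID")
        if root in principals and stmt.get("Action") in ("kms:*", ["kms:*"]):
            root_has_full_access = True
    if not root_has_full_access:
        findings.append("no statement grants kms:* to the account root; IAM policies "
                        "in the account will not be able to reach the key")
    return findings


if __name__ == "__main__":
    # Constructed placeholder identifiers, not real accounts or principals.
    policy = build_key_policy(
        "111122223333",
        key_admins=["arn:aws:iam::111122223333:role/KMSAdminRole"],
        key_users=["arn:aws:iam::111122223333:user/app-user"],
        external_accounts=["444455556666"],
    )
    print(json.dumps(policy, indent=2))  # paste this into the Raw Policy field
    print(lint_key_policy(policy, "111122223333"))
```

The `arn:aws` prefix check also accepts `arn:aws-cn` and `arn:aws-us-gov` principals, so the linter works for the AWS China and AWS GovCloud partitions listed in the Cloud column of the Saved Policies tab.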
Viewing Saved Policies
The Saved Policies tab of the AWS Keys page shows the list of existing key policies. Filter the policies by Policy Name, Account Name, or Account ID.
You must have the View Key (BYOK, HYOK, or Native) / CloudHSM - View Key permission to view policies.
To view the saved policies:
Open the Cloud Key Manager application. By default, the AWS Keys tab is selected.
Click the Saved Policies tab. The list of available policies is displayed. The tab shows the following details:
| Column Name | Description |
|---|---|
| Policy Name | Name of the policy. |
| Status | Status of the policy: Verified or Unverified. If a policy is linked with an AWS key, its status is Verified; otherwise, the status is Unverified. |
| Account Name | Name of the AWS KMS account. |
| Account ID | ID of the AWS KMS account. |
| Cloud | Name of the AWS cloud: AWS, AWS Gov Cloud, or AWS China. |
| Creation Date | Time when the policy was created. |
Viewing Details of Saved Policies
The detail view of a policy shows the associated keys and the policy.
You must have the View Key (BYOK, HYOK, or Native) / CloudHSM - View Key permission to view the policies.
To view the details of a policy:
Open the Cloud Key Manager application.
Click the Saved Policies tab. The list of available policies is displayed.
Click the Policy Name link of the desired policy.
Alternatively, click the overflow icon corresponding to the desired policy and click View Details.
The detail view shows the details of the associated keys and the policy under KEYS and POLICY sections.
Updating Saved Policies
To update saved policies:
Open the Cloud Key Manager application.
Click the Saved Policies tab. The list of available policies is displayed.
Click the overflow icon corresponding to the desired saved policy and click View Details.
Alternatively, click the link under the Policy Name field to view the saved policy details.
Scroll down to the POLICY section and select the view in which to update the policy: Raw View or Basic View.
Make the necessary changes in the policy.
In the Raw View, edit the policy JSON in the Raw Policy field.
In the Basic View, Key Admins is the default tab.
On the Key Admins tab, select the desired key admins.
Click the Key Users tab.
Select the desired key users.
Note
If you make changes in one of the views and switch to the other view without updating the policy, you will see a Warning message. Click Yes to continue.
Click Update. The Update Policy message is displayed.
Note
To save the changes as a new policy instead of modifying the existing one, select the DO NOT Push Changes check box and enter a name for the new policy.
Click Apply.
Deleting Saved Policies
You must have the Schedule Key Delete, Delete Key (HYOK), or CloudHSM - Delete Key permission to delete a policy.
Only policies with the status Unverified can be deleted. If a policy is associated with (or being used by) an AWS key, it cannot be deleted. Before deleting a policy, make sure that it is not associated with any AWS key.
To delete a policy:
Open the Cloud Key Manager application. By default, the AWS Keys tab is selected.
Click the Saved Policies tab.
Click the overflow icon corresponding to the desired policy.
Click Delete Policy. A message box appears prompting to confirm the policy deletion.
Deleting a policy is permanent and cannot be undone. After deletion, the policy cannot be retrieved.
Click Delete Policy. The policy is deleted.