Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Key Life Cycle Management APIs

Replicating Multi-Region AWS Keys

search

Please Note:

You are not viewing the most recent version of this page. 2.19 is the latest version available.

printsuggest an edit

Replicating Multi-Region AWS Keys

Use the post /v1/cckm/aws/keys/{id}/replicate-key API to replicate a multi-region AWS key to different AWS regions. When replicating the key, specify the desired AWS region.

When you replicate a multi-region primary key with imported key material (that is uploaded from CCKM), instead of returning a replica key with the same key material as the primary key, the replicate process returns a replica key with no key material and a key state of PendingImport. To enable the replica key, you must import the same key material into the replica key that you imported into its primary key.

copy link to clipboardSyntax

curl -k '<IP>/api/v1/cckm/aws/keys/{id}/replicate-key' -H 'Authorization: Bearer AUTHTOKEN' -H 'Content-Type: application/json' --data-binary $'{\n  "replica_region": "<replication-region>",\n  "aws_param": {<aws parameters>}}' --compressed

Here, {id} represents the resource ID of the primary multi-region AWS key.

copy link to clipboardRequest Parameters

ParameterTypeDescription
AUTHTOKENstringAuthorization token.
replica_regionstringName of the region where the key is to be replicated.
aws_paramJSONKey parameters such as alias, description, and usage. Refer to AWS Key Parameters for details.
external_accountsarray of stringsAWS accounts that can use this key.
key_adminsarray of stringsIAM users who can administer this key using the KMS API.
key_admins_rolesarray of stringsIAM roles that can administer this key using the KMS API.
key_usersarray of stringsIAM users who can use this key in cryptographic operations.
key_users_rolesarray of stringsIAM roles that can use the CMK in cryptographic operations.
policytemplatestringID of the policy template to apply.
Note: When a policy template is applied to an AWS key, CCKM adds the template tag (cckm_policy_template_id) to the key. Do not modify or delete this tag on the AWS cloud.

Note

Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.

copy link to clipboardAWS Key Parameters

ParameterTypeDescription
AliasstringAlias of the key.
BypassPolicyLockoutSafetyCheckbooleanFlag to bypass the key policy lockout safety check.
DescriptionstringDescription of the key.
OriginstringSource of the AWS customer master key (CMK) key material. The key origin cannot be changed. The origin of the key can be:
• AWS_KMS
• EXTERNAL
PolicyJSONKey policy to attach to the CMK.
Tagsarray of JSONsAn optional parameter to add additional information to the key. The value must be specified as the key-value pair. CCKM allows the following characters in tag values:
• Alphanumeric characters
• Special characters ** _ . / = + - @ **

Note

Specify Policy, policytemplate, or one of key_admins, key_admins_roles, key_users, key_users_roles, and external_accounts. They are mutually exclusive. If no parameters are specified, the default policy is used.

copy link to clipboardExample Request

curl -k 'https://127.0.0.1/api/v1/cckm/aws/keys/baf58871-2503-4d13-a84a-339aeb8fdfaf/replicate-key' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNWMwZGJlNC1lMmJmLTQ3M2MtODY4MC01NWVkMWIzMDEzMmEiLCJzdWIiOiJsb2NhbHxhNjdjMzc0OC05YTRiLTRhZGQtYjNkOS0wNTRiYTIwYmUzYWMiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiMDhkNDI5ZjktNDgzYi00ODdlLWJjOTQtNGE1Mjc2ZDI2ZjZjIiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6ImU5YWUwYTI3LWVlYjQtNGNhZi04YjE4LTdhNzIzMDBkOTA0MCIsImlhdCI6MTYwNDU1ODEzOCwiZXhwIjoxNjA0NTU4NDM4fQ.MIMArFeC4cpPNTYOd39mu6_-yihdN0CDl_917eH8-kY' -H 'Content-Type: application/json' --data-binary $'{\n  "ReplicaRegion": "ap-south-1",\n  "aws_param": {\n  "Description": "Replicated key",\n    "Tags": [\n      {\n        "TagKey": "key",\n        "TagValue": "value"\n      }\n    ]\n  }\n}' --compressed

copy link to clipboardExample Response

{
    "id": "a152ad26-df3f-4116-abae-b93a914e76ac",
    "uri": "kylo:kylo:cckm:aws-replica-key:a152ad26-df3f-4116-abae-b93a914e76ac",
    "account": "kylo:kylo:admin:accounts:kylo",
    "application": "ncryptify:gemalto:admin:apps:kylo",
    "devAccount": "ncryptify:gemalto:admin:accounts:gemalto",
    "createdAt": "2021-08-10T05:55:49.010163222Z",
    "updatedAt": "2021-08-10T05:55:49.008870847Z",
    "kms_id": "10fa8bf3-3070-4bdc-8f19-f7cbed593f40",
    "kms": "kms",
    "synced_at": "2021-08-10T05:55:48.907773918Z",
    "rotation_status": "",
    "cloud_name": "aws",
    "key_type": "symmetric",
    "basic_view_enabled": false,
    "region": "ap-south-1",
    "gone": false,
    "key_material_origin": "native",
    "aws_param": {
        "AWSAccountId": "556782317223",
        "Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
        "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
        "Description": "Replicated key",
        "Enabled": false,
        "EncryptionAlgorithms": [
            "SYMMETRIC_DEFAULT"
        ],
        "KeyID": "mrk-6ad3ab90026044a2a24fef020c5d02dc",
        "KeyManager": "CUSTOMER",
        "KeyState": "Creating",
        "KeyUsage": "ENCRYPT_DECRYPT",
        "Origin": "AWS_KMS",
        "CreationDate": "2021-08-10T05:55:48.542Z",
        "Alias": [
            "alias/ab-mr-key"
        ],
        "KeyRotationEnabled": false,
        "MultiRegion": true,
        "MultiRegionConfiguration": {
            "MultiRegionKeyType": "REPLICA",
            "PrimaryKey": {
                "Arn": "arn:aws:kms:ap-south-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
                "Region": "ap-south-1"
            },
            "ReplicaKeys": [
                {
                    "Arn": "arn:aws:kms:ap-southeast-1:556782317223:key/mrk-6ad3ab90026044a2a24fef020c5d02dc",
                    "Region": "ap-southeast-1"
                }
            ]
        },
        "ReplicaPolicy": {
            "Version": "2012-10-17",
            "Id": "key-default-1",
            "Statement": [
                {
                    "Sid": "Enable IAM User Permissions",
                    "Effect": "Allow",
                    "Principal": {
                        "AWS": "arn:aws:iam::556782317223:root"
                    },
                    "Action": "kms:*",
                    "Resource": "*"
                }
            ]
        },
        "ReplicaTags": [
            {
                "TagKey": "key",
                "TagValue": "value"
            }
        ]
    }
}

The sample output shows that the AWS key (with the unique ID baf58871-2503-4d13-a84a-339aeb8fdfaf of the AWS region ap-south-1) is replicated to the AWS region "ap-southeast-1". The unique ID of the replica key is a152ad26-df3f-4116-abae-b93a914e76ac.

copy link to clipboardResponse Codes

Response CodeDescription
2xxSuccess
4xxClient errors
5xxServer errors

Refer to HTTP status codes for details.

On this page