Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

CCKM Administration

Managing AWS Resources

search

Please Note:

print

Managing AWS Resources

This section describes prerequisites to manage AWS resources on the CCKM.

copy link to clipboardPrerequisites

  • Before you can add an AWS account to the CCKM, an AWS connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connections Management for details.

  • Appropriate permissions to manage the AWS KMS must be added on the AWS console.

    1. Permissions to list regions: Add the IAM permission ec2:DescribeRegions to list the AWS regions.
      For example:

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeRegions",
            "Resource": "*"
        }
    ]
}

    2. Permissions to manage AWS resources: Add the following IAM permissions to manage AWS resources:

      • kms:ListAliases

      • kms:ListKeyPolicies

      • kms:ListKeys

      • kms:ListResourceTags

      • kms:DescribeKey

      • kms:GetKeyPolicy

      • kms:GetKeyRotationStatus

      • kms:GetParametersForImport

      • kms:GetPublicKey

      • kms:TagResource

      • kms:UntagResource

      • kms:CancelKeyDeletion

      • kms:CreateAlias

      • kms:CreateKey

      • kms:DeleteAlias

      • kms:DeleteImportedKeyMaterial

      • kms:DisableKey

      • kms:DisableKeyRotation

      • kms:EnableKey

      • kms:EnableKeyRotation

      • kms:ImportKeyMaterial

      • kms:ScheduleKeyDeletion

      • kms:UpdateAlias

      • kms:UpdateKeyDescription

      • kms:PutKeyPolicy

      • iam:ListGroups

      • iam:ListRoles

      • iam:ListUsers

      • logs:DescribeLogGroups

      • logs:FilterLogEvents

      For example:

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DisableKey",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListResourceTags",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:GetParametersForImport",
                "kms:GetPublicKey",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:CancelKeyDeletion",
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DeleteAlias",
                "kms:DeleteImportedKeyMaterial",
                "kms:DisableKey",
                "kms:DisableKeyRotation",
                "kms:EnableKey",
                "kms:EnableKeyRotation",
                "kms:ImportKeyMaterial",
                "kms:ScheduleKeyDeletion",
                "kms:UpdateAlias",
                "kms:UpdateKeyDescription",
                "kms:PutKeyPolicy",
                "iam:ListGroups",
                "iam:ListRoles",
                "iam:ListUsers",
                "logs:DescribeLogGroups",
                "logs:FilterLogEvents"
            ],
            "Resource": "*"
        }
    ]
}

Note

Permissions might take some time to be effective on AWS. Until then, a permission error might occur. Wait for some time and retry.

Now, AWS accounts and AWS keys can be managed on the CipherTrust Manager.

On this page