Managing AWS Accounts
This section describes how to manage AWS accounts on the CCKM.
Before proceeding, make sure to fulfill prerequisites.
Adding AWS Accounts
CCKM allows adding the same AWS account to one CipherTrust Manager domain more than once under different names, with each entry managing a unique (non-overlapping) set of regions.
To add an AWS account to the CCKM:
Log on to the CipherTrust Manager GUI as administrator.
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed.
Click Add Account. The Add AWS Account screen is displayed.
Select/enter the following details:
Specify a unique Name.
From the AWS Connection drop-down list, select the desired connection.
The AWS Account ID and Available Regions of the selected AWS connection are displayed.
In the Available regions section, select the desired regions.
By default, all the regions are selected. You can also use the Search box to filter the regions.
If you select a subset of available regions, then the remaining regions can be added under a different AWS KMS account name but under the same AWS Account ID.
Click the right arrow button. The selected regions move to the Selected regions list.
Click Save. The AWS account is added to the CCKM.
Refreshing AWS Accounts
Refreshing downloads the list of keys (and their metadata) that exist in AWS KMS into the CCKM, so that they can be viewed and managed there. Key material itself never leaves AWS KMS. You can refresh keys from an individual KMS account or from all KMS accounts.
Refreshing Specific AWS Accounts
To refresh an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of AWS accounts.
Click the overflow icon corresponding to the desired AWS account and click Refresh Now.
On the Refresh Now screen, select the desired account regions to be refreshed.
Click Refresh.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page. Refer to Viewing AWS Keys for details.
Refreshing All AWS Accounts
To refresh all AWS accounts:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of AWS accounts.
Click Refresh All.
Note
Refreshing all KMS accounts is a time-intensive operation that can take several hours or days to complete. It continues to run in the background. A confirmation message asks whether you want to continue.
Click Refresh All to confirm.
A message Refresh started... is displayed on the screen. To cancel the refresh, click Cancel Refresh.
The refreshed keys are listed on the Cloud Keys > AWS > AWS Keys page. Refer to Viewing AWS Keys for details.
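As an added example (not CipherTrust Manager code), the following Python models the two behaviours described in Adding AWS Accounts and Refreshing AWS Accounts above: one AWS account ID may be split across several CCKM entries only with disjoint regions, and a refresh walks the selected regions of an entry and pulls the key list from AWS KMS. The client_factory parameter, FakeKmsClient, the account ID and the key fixture are assumptions constructed for offline use; boto3_client_factory is the path you would use against a real account, and it needs kms:ListKeys and kms:DescribeKey on the connection's IAM identity. The account check on each key ARN is an extra safeguard added here, not something the page describes.

```python
from dataclasses import dataclass

@dataclass
class KmsAccountEntry:
    name: str            # unique name of the entry in CCKM
    account_id: str      # 12-digit AWS account ID of the connection
    regions: frozenset   # regions managed through this entry

def add_account_entry(entries, name, account_id, regions):
    """Add an entry under the page's rules: entry names are unique, and one
    AWS account ID may appear in several entries only with disjoint regions."""
    regions = frozenset(regions)
    if not regions:
        raise ValueError("select at least one region")
    if any(e.name == name for e in entries):
        raise ValueError(f"entry name {name!r} already exists")
    for e in entries:
        if e.account_id == account_id and e.regions & regions:
            raise ValueError(f"regions {sorted(e.regions & regions)} already managed by {e.name!r}")
    entry = KmsAccountEntry(name, account_id, regions)
    entries.append(entry)
    return entry

def refresh_entry(entry, client_factory, regions=None):
    """Inventory the keys in the entry's regions, as Refresh Now does: walk
    list_keys pagination (Marker/NextMarker) and describe_key each key.
    Added check: a key ARN in another account means the connection's
    credentials do not belong to the account this entry claims."""
    selected = set(regions) if regions else set(entry.regions)
    if selected - entry.regions:
        raise ValueError(f"regions {sorted(selected - entry.regions)} not in {entry.name!r}")
    inventory = {}
    for region in sorted(selected):
        kms, keys, marker = client_factory(region), [], None
        while True:
            page = kms.list_keys(Limit=100, **({"Marker": marker} if marker else {}))
            for k in page["Keys"]:
                md = kms.describe_key(KeyId=k["KeyId"])["KeyMetadata"]
                if md["Arn"].split(":")[4] != entry.account_id:
                    raise RuntimeError(f"{md['Arn']} is not in account {entry.account_id}")
                keys.append({"key_id": md["KeyId"], "arn": md["Arn"], "state": md["KeyState"],
                             "origin": md["Origin"],        # AWS_KMS (native) or EXTERNAL (BYOK)
                             "manager": md["KeyManager"]})  # CUSTOMER or AWS
            if not page.get("Truncated"):
                break
            marker = page["NextMarker"]
        inventory[region] = keys
    return inventory

def boto3_client_factory(region):
    """Real factory for use against AWS (needs kms:ListKeys and kms:DescribeKey);
    boto3 is imported lazily so the example runs without it installed."""
    import boto3
    return boto3.client("kms", region_name=region)

class FakeKmsClient:
    """Constructed stand-in with the boto3 KMS call shapes; a page size of 2
    forces the pagination path to run."""
    def __init__(self, metadata, page_size=2):
        self.metadata, self.page_size = metadata, page_size

    def list_keys(self, Limit=100, Marker=None):
        start = int(Marker) if Marker else 0
        end = start + min(Limit, self.page_size)
        out = {"Keys": [{"KeyId": m["KeyId"], "KeyArn": m["Arn"]} for m in self.metadata[start:end]],
               "Truncated": end < len(self.metadata)}
        if out["Truncated"]:
            out["NextMarker"] = str(end)
        return out

    def describe_key(self, KeyId):
        return {"KeyMetadata": next(m for m in self.metadata if m["KeyId"] == KeyId)}

ACCOUNT = "111122223333"   # constructed account ID

def _md(region, key_id, origin, state="Enabled"):
    return {"KeyId": key_id, "Arn": f"arn:aws:kms:{region}:{ACCOUNT}:key/{key_id}",
            "KeyState": state, "Origin": origin, "KeyManager": "CUSTOMER"}

# Constructed fixture: three native keys in us-east-1 (two list_keys pages),
# one BYOK key in eu-west-1, nothing yet in ap-south-1.
FIXTURE = {
    "us-east-1": [_md("us-east-1", "k-1", "AWS_KMS"), _md("us-east-1", "k-2", "AWS_KMS"),
                  _md("us-east-1", "k-3", "AWS_KMS", "PendingDeletion")],
    "eu-west-1": [_md("eu-west-1", "k-4", "EXTERNAL")],
    "ap-south-1": [],
}

def fake_client_factory(region):
    return FakeKmsClient(FIXTURE[region])

def demo():
    """Same account split across two entries, then a one-region Refresh Now."""
    entries = []
    us = add_account_entry(entries, "prod-us", ACCOUNT, {"us-east-1", "ap-south-1"})
    add_account_entry(entries, "prod-eu", ACCOUNT, {"eu-west-1"})  # leftover region, new entry
    return refresh_entry(us, fake_client_factory, regions={"us-east-1"})
```

Running demo() against the fixture returns only the us-east-1 inventory, including the key that is pending deletion; swapping fake_client_factory for boto3_client_factory runs the same inventory against a real account, which is a useful cross-check of what the CCKM refresh shows.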
Viewing/Editing Details of AWS Accounts
The AWS KMS Accounts page shows the list of existing AWS KMS accounts. Search for the KMS accounts by KMS Name or KMS Account ID.
Viewing AWS Account Details
To view the details of an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page displays the following details:
Name: Name of the AWS KMS account entry.
Last Refreshed: When the AWS account was last refreshed. Never is displayed for accounts that have never been refreshed.
Account ID: ID of the AWS account.
Connection: Name of the AWS connection.
Cloud: Cloud name.
Regions: Regions in which the account is added.
Editing AWS Accounts Details
To edit the details of an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of added AWS accounts.
Click the overflow icon corresponding to the desired AWS account and click View/Edit Details.
You can edit the following details:
Manage user permissions on the AWS account: Refer to Managing User Permissions on AWS Accounts for details.
Modify regions: Refer to Modifying Regions for details.
Managing User Permissions on AWS Accounts
To work with AWS, users and groups must have the minimum set of permissions that allow them to use AWS resources such as keys and AWS KMS. Initially, a user has permission only to view keys. If required, the CCKM administrator can grant and revoke additional permissions.
Note
Only users who are members of the CCKM Users group can be granted permissions to perform actions on the AWS account. Refer to User Roles for details.
To add permission for user/group:
In the Access Control section, click Assign User/Group.
On the Assign User/Group screen, select the user or group to be assigned permissions from the User/Group drop-down list.
Click Save.
The newly added user/group is displayed under Name in the Access Control section.
The Access Control section has a column for each of the following operations that CCKM allows on AWS accounts:
View Key, Add Key, Edit Key, Upload Key
Import Material, Delete Material
Schedule Key Delete, Cancel Key Delete
Rotate Key, Refresh Key
It also has an Unassign column, which removes a user or group from the account entirely rather than granting an operation.
Granting Permission to Perform an Operation
To grant permissions to the user or group to perform any of the above mentioned operations:
Select the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
Removing a Permission
To remove a permission assigned to a user or group:
Clear the check box under the desired operation corresponding to the desired users or groups.
Click Update.
A success message is displayed on the screen.
Removing Permission from a User/Group
To remove current permissions assigned to the user/group:
Under Unassign, click the X button corresponding to the desired user/group.
On the Unassign User / Unassign Group screen, a message warns that unassigning the user/group removes all permissions currently assigned to it and asks you to confirm.
Click Unassign.
This removes the explicitly granted permissions and restores the default (view-only) permission for the user.
Modifying Regions
To add regions to the AWS account:
In the Available Regions section, select the desired regions.
Click the right arrow button. The selected regions move to the Selected regions list.
Click Update.
To remove regions from the AWS account:
In the Selected Regions section, select the desired regions.
Click the left arrow button. The selected regions move to the Available regions list.
Click Update.
Deleting AWS Accounts
To delete an AWS account:
Open the Cloud Key Manager application.
In the left pane, click Containers > AWS KMS Accounts. The AWS KMS Accounts page is displayed. This page displays the list of added AWS accounts.
Click the overflow icon corresponding to the desired AWS account and click Delete. The Delete Key Account message is displayed.
Select I wish to delete this account.
Click Delete Account.
After an AWS account is deleted from the CipherTrust Manager, the keys in the AWS KMS account (both native and BYOK) are not affected; only CCKM's ability to manage them is removed. AWS services using those KMS keys continue to function without any issues. To manage the keys from CCKM again, add the account again and refresh it.