
AWS Resources

This section describes the prerequisites for managing AWS resources on the CCKM.

Prerequisites

  • Before you can add an AWS account to the CCKM, an AWS connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connections Management for details.

  • Appropriate permissions to manage AWS KMS must be granted, on the AWS console, to the IAM identity whose credentials the AWS connection uses.

    1. Permissions to list regions: Add the IAM permission ec2:DescribeRegions to list the AWS regions.
      For example:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "ec2:DescribeRegions",
                  "Resource": "*"
              }
          ]
      }

    2. Permissions to manage AWS resources: Add the following IAM permissions to manage AWS resources:

      • kms:DisableKey

      • kms:ListAliases

      • kms:ListKeyPolicies

      • kms:ListKeys

      • kms:ListResourceTags

      • kms:DescribeKey

      • kms:GetKeyPolicy

      • kms:GetKeyRotationStatus

      • kms:GetParametersForImport

      • kms:GetPublicKey

      • kms:TagResource

      • kms:UntagResource

      • kms:CancelKeyDeletion

      • kms:CreateAlias

      • kms:CreateKey

      • kms:DeleteAlias

      • kms:DeleteImportedKeyMaterial

      • kms:DisableKey

      • kms:DisableKeyRotation

      • kms:EnableKey

      • kms:EnableKeyRotation

      • kms:ImportKeyMaterial

      • kms:ScheduleKeyDeletion

      • kms:UpdateAlias

      • kms:UpdateKeyDescription

      • kms:PutKeyPolicy

      • iam:ListGroups

      • iam:ListRoles

      • iam:ListUsers

      • logs:DescribeLogGroups

      • logs:FilterLogEvents

      For example:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "kms:DisableKey",
                      "kms:ListAliases",
                      "kms:ListKeyPolicies",
                      "kms:ListKeys",
                      "kms:ListResourceTags",
                      "kms:DescribeKey",
                      "kms:GetKeyPolicy",
                      "kms:GetKeyRotationStatus",
                      "kms:GetParametersForImport",
                      "kms:GetPublicKey",
                      "kms:TagResource",
                      "kms:UntagResource",
                      "kms:CancelKeyDeletion",
                      "kms:CreateAlias",
                      "kms:CreateKey",
                      "kms:DeleteAlias",
                      "kms:DeleteImportedKeyMaterial",
                      "kms:DisableKey",
                      "kms:DisableKeyRotation",
                      "kms:EnableKey",
                      "kms:EnableKeyRotation",
                      "kms:ImportKeyMaterial",
                      "kms:ScheduleKeyDeletion",
                      "kms:UpdateAlias",
                      "kms:UpdateKeyDescription",
                      "kms:PutKeyPolicy",
                      "iam:ListGroups",
                      "iam:ListRoles",
                      "iam:ListUsers",
                      "logs:DescribeLogGroups",
                      "logs:FilterLogEvents"
                  ],
                  "Resource": "*"
              }
          ]
      }


IAM permission changes can take some time to propagate on AWS. Until they do, CCKM operations might fail with a permission error; wait a few minutes and retry.

Once these prerequisites are in place, AWS accounts and AWS keys can be managed on the CipherTrust Manager.
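One way to confirm, before adding the AWS account, that the policy attached to the connection's IAM identity actually grants the actions listed above, as an added example that is not part of this documentation or of CCKM: the check reports required actions the policy omits (the usual cause of the permission errors mentioned above) and wildcard grants that go beyond the list (worth tightening toward least privilege). REQUIRED_ACTIONS, SAMPLE_POLICY, allow_patterns and check_policy are names assumed here, and the sample policy is constructed for the demonstration.

```python
import fnmatch
import json

# Actions this page lists as required for CCKM to list regions and manage AWS KMS resources.
REQUIRED_ACTIONS = {
    "ec2:DescribeRegions", "kms:CancelKeyDeletion", "kms:CreateAlias", "kms:CreateKey",
    "kms:DeleteAlias", "kms:DeleteImportedKeyMaterial", "kms:DescribeKey", "kms:DisableKey",
    "kms:DisableKeyRotation", "kms:EnableKey", "kms:EnableKeyRotation", "kms:GetKeyPolicy",
    "kms:GetKeyRotationStatus", "kms:GetParametersForImport", "kms:GetPublicKey",
    "kms:ImportKeyMaterial", "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys",
    "kms:ListResourceTags", "kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:TagResource",
    "kms:UntagResource", "kms:UpdateAlias", "kms:UpdateKeyDescription", "iam:ListGroups",
    "iam:ListRoles", "iam:ListUsers", "logs:DescribeLogGroups", "logs:FilterLogEvents",
}

# Constructed sample policy (not from the page): kms:PutKeyPolicy is absent and
# three service prefixes are granted with wildcards.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeRegions", "Resource": "*"},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "kms:List*", "kms:Get*", "kms:DescribeKey", "kms:TagResource", "kms:UntagResource",
        "kms:CancelKeyDeletion", "kms:CreateAlias", "kms:CreateKey", "kms:DeleteAlias",
        "kms:DeleteImportedKeyMaterial", "kms:DisableKey", "kms:DisableKeyRotation",
        "kms:EnableKey", "kms:EnableKeyRotation", "kms:ImportKeyMaterial",
        "kms:ScheduleKeyDeletion", "kms:UpdateAlias", "kms:UpdateKeyDescription",
        "iam:List*", "logs:DescribeLogGroups", "logs:FilterLogEvents"]},
]})

def allow_patterns(policy):
    """Action patterns from Allow statements; 'Action' may be a string or a list."""
    patterns = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def check_policy(policy_json):
    """Return required actions the policy does not grant and any wildcard grants.
    IAM matches action names case-insensitively with * and ? wildcards; explicit
    Deny statements and Resource/Condition scoping are not evaluated here."""
    patterns = allow_patterns(json.loads(policy_json))
    missing = sorted(a for a in REQUIRED_ACTIONS if not any(
        fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns))
    wildcards = sorted(p for p in patterns if "*" in p or "?" in p)
    return {"missing": missing, "wildcards": wildcards}
```

Run it against the policy document exported from the AWS console; an empty "missing" list means the page's requirements are covered, and a non-empty "wildcards" list shows where the grant is broader than the page requires.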