AWS Resources
This section describes prerequisites to manage AWS resources on the CCKM.
Prerequisites
- Before you can add an AWS account to the CCKM, an AWS connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details. 
- Appropriate permissions to manage AWS KMS must be added on the AWS console.
  - Permissions to list regions: Add the IAM permission ec2:DescribeRegions to list the AWS regions. For example:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "ec2:DescribeRegions",
          "Resource": "*"
        }
      ]
    }
    ```

  - Permissions to manage AWS resources: Add the following IAM permissions to manage AWS resources:
    - kms:ListAliases
    - kms:ListKeyPolicies
    - kms:ListKeys
    - kms:ListResourceTags
    - kms:DescribeKey
    - kms:GetKeyPolicy
    - kms:GetKeyRotationStatus
    - kms:GetParametersForImport
    - kms:GetPublicKey
    - kms:TagResource
    - kms:UntagResource
    - kms:CancelKeyDeletion
    - kms:CreateAlias
    - kms:CreateKey
    - kms:DeleteAlias
    - kms:DeleteImportedKeyMaterial
    - kms:DisableKey
    - kms:DisableKeyRotation
    - kms:DescribeCustomKeyStores
    - kms:EnableKey
    - kms:EnableKeyRotation
    - kms:ImportKeyMaterial
    - kms:ScheduleKeyDeletion
    - kms:UpdateAlias
    - kms:UpdateKeyDescription
    - kms:PutKeyPolicy
    - iam:ListGroups
    - iam:ListRoles
    - iam:ListUsers
    - logs:DescribeLogGroups
    - logs:FilterLogEvents

    For example:

    ```json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "kms:DisableKey", "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys",
            "kms:ListResourceTags", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus",
            "kms:GetParametersForImport", "kms:GetPublicKey", "kms:TagResource", "kms:UntagResource",
            "kms:CancelKeyDeletion", "kms:CreateAlias", "kms:CreateKey", "kms:DeleteAlias",
            "kms:DeleteImportedKeyMaterial", "kms:DescribeCustomKeyStores", "kms:DisableKeyRotation",
            "kms:EnableKey", "kms:EnableKeyRotation", "kms:ImportKeyMaterial", "kms:ScheduleKeyDeletion",
            "kms:UpdateAlias", "kms:UpdateKeyDescription", "kms:PutKeyPolicy",
            "iam:ListGroups", "iam:ListRoles", "iam:ListUsers",
            "logs:DescribeLogGroups", "logs:FilterLogEvents"
          ],
          "Resource": "*"
        }
      ]
    }
    ```

Note
- To manage a multi-region key, an additional IAM permission, iam:CreateServiceLinkedRole, is required.
- To manage External Custom Key Stores or CloudHSM Key Stores, the following additional IAM permissions are required to use AWS resources:
  - cloudhsm:DescribeClusters
  - kms:CreateCustomKeyStore
  - kms:ConnectCustomKeyStore
  - kms:DeleteCustomKeyStore
  - kms:DisconnectCustomKeyStore
  - kms:UpdateCustomKeyStore
  - iam:CreateServiceLinkedRole
- Permissions might take some time to become effective on AWS. Until then, a permission error might occur. Wait for some time and retry.
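To check a candidate IAM policy document against the permission list above before attaching it to the CCKM user, here is an added Python example (not part of the CCKM documentation or product); it assumes the policy is supplied as a JSON string and only counts unconditional Allow statements as granting a permission.

```python
import fnmatch
import json

# Actions the CCKM prerequisites list as required (region listing plus the KMS/IAM/logs set).
REQUIRED_ACTIONS = {
    "ec2:DescribeRegions", "kms:ListAliases", "kms:ListKeyPolicies", "kms:ListKeys",
    "kms:ListResourceTags", "kms:DescribeKey", "kms:GetKeyPolicy", "kms:GetKeyRotationStatus",
    "kms:GetParametersForImport", "kms:GetPublicKey", "kms:TagResource", "kms:UntagResource",
    "kms:CancelKeyDeletion", "kms:CreateAlias", "kms:CreateKey", "kms:DeleteAlias",
    "kms:DeleteImportedKeyMaterial", "kms:DisableKey", "kms:DisableKeyRotation",
    "kms:DescribeCustomKeyStores", "kms:EnableKey", "kms:EnableKeyRotation",
    "kms:ImportKeyMaterial", "kms:ScheduleKeyDeletion", "kms:UpdateAlias",
    "kms:UpdateKeyDescription", "kms:PutKeyPolicy", "iam:ListGroups", "iam:ListRoles",
    "iam:ListUsers", "logs:DescribeLogGroups", "logs:FilterLogEvents",
}
# Extras from the Note: multi-region keys, and External / CloudHSM custom key stores.
MULTI_REGION_ACTIONS = {"iam:CreateServiceLinkedRole"}
CUSTOM_KEY_STORE_ACTIONS = {
    "cloudhsm:DescribeClusters", "kms:CreateCustomKeyStore", "kms:ConnectCustomKeyStore",
    "kms:DeleteCustomKeyStore", "kms:DisconnectCustomKeyStore", "kms:UpdateCustomKeyStore",
    "iam:CreateServiceLinkedRole",
}

def _as_list(value):
    # IAM allows "Statement" and "Action" to be a single string/object or a list.
    return value if isinstance(value, list) else [value]

def granted_actions(policy, wanted):
    """Subset of `wanted` granted by some unconditional Allow statement.
    Wildcards ("*", "kms:*", "kms:List*") match case-insensitively, as IAM evaluates them.
    Deny statements are not evaluated; in IAM an explicit Deny elsewhere still wins."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # a conditional Allow cannot be relied on for CCKM's service calls
        for pattern in _as_list(stmt.get("Action", [])):
            granted |= {a for a in wanted if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return granted

def missing_actions(policy_json, multi_region=False, custom_key_store=False):
    """Sorted list of documented actions that the policy does not grant."""
    wanted = set(REQUIRED_ACTIONS)
    wanted |= MULTI_REGION_ACTIONS if multi_region else set()
    wanted |= CUSTOM_KEY_STORE_ACTIONS if custom_key_store else set()
    return sorted(wanted - granted_actions(json.loads(policy_json), wanted))

# Constructed sample: the page's policy with region listing and one rotation action left out.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action":
    sorted(REQUIRED_ACTIONS - {"ec2:DescribeRegions", "kms:EnableKeyRotation"}), "Resource": "*"}]})
```

Running `missing_actions(SAMPLE_POLICY)` reports the two omitted actions; passing `custom_key_store=True` additionally lists the custom key store permissions from the Note that the sample does not grant.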
Now, AWS accounts and AWS keys can be managed on the CipherTrust Manager.
Note
- To use AWS IAM Roles Anywhere with CCKM, additional configuration is required. 
- Grant permissions to the IAM user management account to use the Automatic Cloud Key Discovery schedule. Refer to the below section for details. 
- AWS GovCloud does not support AWS IAM Roles Anywhere. 
Additional Configuration for AWS IAM Roles Anywhere
The AWS IAM Roles Anywhere service allows non-federated identities outside AWS to assume IAM roles and use their permissions to access resources. It provides a secure way for workloads that run outside of AWS, such as servers, containers, and applications, to use X.509 digital certificates to obtain temporary AWS credentials. This eliminates the need to manage long-term credentials for external workloads.
To use IAM Roles Anywhere, external workloads must use X.509 certificates issued by a Certificate Authority (CA). The CA needs to be registered as a trust anchor with the IAM Roles Anywhere service to establish trust between them. Alternatively, AWS Private Certificate Authority (AWS Private CA) can be used to create a CA and then use that to establish trust with IAM Roles Anywhere.
CA and Client Certificate Requirements
- Client certificates must satisfy the following requirements for authentication:
  - The certificates must be X.509v3.
  - Basic constraints must include CA: false.
  - The key usage must include Digital Signature.
  - The signing algorithm must be SHA256 or stronger (MD5 and SHA1 signing algorithms are rejected).
- Certificates used as trust anchors must satisfy the following requirements:
  - The certificates must be X.509v3.
  - Basic constraints MUST include CA: true.
  - The key usage must include Certificate Sign, and may include CRL Sign.
  - The signing algorithm must be SHA256 or stronger (MD5 and SHA1 signing algorithms are rejected).
  - Certificate Revocation Lists (CRLs) are an optional feature of IAM Roles Anywhere.

Configuration Steps
To use IAM Roles Anywhere for authentication to AWS from external workloads:
- Create a trust anchor. The trust anchor is essentially a reference to a CA that the IAM Roles Anywhere service uses to validate authentication requests. Both root and intermediate CAs can be used as trust anchors.
- Create an IAM role that trusts the IAM Roles Anywhere service principal.
- Create a profile that lists the roles IAM Roles Anywhere assumes. In the profile, you can limit the permissions for a created session with IAM managed policies.
  - By adding one or more roles to a profile and enabling IAM Roles Anywhere to assume these roles, a non-AWS workload can use the client certificate issued by the trusted CA to make secure requests to AWS and get temporary credentials to access the AWS environment.
  - Note: When the CipherTrust Manager is in an AWS VPC, the trust anchor and profile must be created in the same region where the CipherTrust Manager instance is launched.
  - Refer to the AWS IAM Roles Anywhere documentation for detailed instructions.
- Add an AWS connection on the CipherTrust Manager with IAM Roles Anywhere enabled. While adding the connection for IAM Roles Anywhere, you need to specify:
  - The Amazon Resource Names (ARNs) of the trust anchor, IAM role, and profile created in the above steps
  - The client's private key and certificate

  Refer to Connection Manager for details.
Note
To migrate an AWS connection from using access keys and secrets to one that uses IAM roles, refer to Migrating to IAM Roles Anywhere Connections.
Configurations to Discover all AWS accounts
To allow CCKM to discover all AWS accounts within an AWS Organization, complete the following configuration:
- Create an IAM user in the management account.
- Grant the IAM user the following permissions to manage KMS keys in member accounts through CCKM, as defined in the sample policy below:
  - List all organizational units (OUs) and accounts within the organization.
  - Assume a role in each member account.

  Sample policy:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AutoDiscoveryOrgPermissions",
        "Effect": "Allow",
        "Action": [
          "organizations:DescribeOrganization",
          "organizations:ListAccounts",
          "organizations:ListChildren",
          "organizations:ListParents",
          "organizations:ListAccountsForParent",
          "organizations:ListOrganizationalUnitsForParent"
        ],
        "Resource": "*"
      },
      {
        "Sid": "AutoDiscoveryAssumeRolePermissions",
        "Effect": "Allow",
        "Action": [ "sts:AssumeRole" ],
        "Resource": "arn:aws:iam::*:role/<Member Accounts role name e.g. AutoDiscoveryRole>"
      }
    ]
  }
  ```

- Create a trust relationship between the role in the member account and the user in the management account. Then, assign the necessary permissions as defined in the sample policy below.

  Sample policy:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Statement1",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<Management Account ID>:user/<Management Account IAM user name>"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```

- Create an AWS CloudFormation StackSet (or simply StackSet) to automatically add a role to the member accounts. Refer to Create StackSet (self-managed permissions) for details.
  - When creating a StackSet, select Service-managed permissions, update the management account ID, username, and member accounts' role name in the sample CloudFormation template provided below, and then upload the updated template.
  - Activate automatic deployment to allow StackSets to automatically create or delete CloudFormation stacks when a new AWS account joins or leaves the organization.
  - To use StackSets in AWS Organizations, the management account must enable data sharing between CloudFormation and Organizations. This can be done from the StackSets console. Once enabled, you can deploy stacks to all accounts in the organization or to specific organizational units (OUs). For more details, refer to Activate Trusted Access with AWS Organizations.

  Sample CloudFormation template:

  ```json
  {
    "Description": "Create IAM roles and policies to grant access to KMS",
    "Parameters": {
      "AwsAccountId": { "Type": "Number", "Default": "<Management Account ID>" },
      "AwsUserName": { "Type": "String", "Default": "<Management Account user name>" }
    },
    "Resources": {
      "AutoDiscoveryRole": {
        "Type": "AWS::IAM::Role",
        "Properties": {
          "RoleName": "AutoDiscoveryRole",
          "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Principal": {
                  "AWS": { "Fn::Sub": "arn:aws:iam::${AwsAccountId}:user/${AwsUserName}" }
                },
                "Action": "sts:AssumeRole"
              }
            ]
          }
        }
      },
      "AutoDiscoveryKMSPolicy": {
        "Type": "AWS::IAM::Policy",
        "Properties": {
          "PolicyName": "AutoDiscoveryKMSPolicy",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {
                "Effect": "Allow",
                "Action": [
                  "ec2:DescribeRegions", "kms:DisableKey", "kms:ListAliases", "kms:ListKeyPolicies",
                  "kms:ListKeys", "kms:ListResourceTags", "kms:DescribeKey", "kms:GetKeyPolicy",
                  "kms:GetKeyRotationStatus", "kms:GetParametersForImport", "kms:GetPublicKey",
                  "kms:TagResource", "kms:UntagResource", "kms:CancelKeyDeletion", "kms:CreateAlias",
                  "kms:CreateKey", "kms:DeleteAlias", "kms:DeleteImportedKeyMaterial",
                  "kms:DescribeCustomKeyStores", "kms:DisableKeyRotation", "kms:EnableKey",
                  "kms:EnableKeyRotation", "kms:ImportKeyMaterial", "kms:ScheduleKeyDeletion",
                  "kms:UpdateAlias", "kms:UpdateKeyDescription", "kms:PutKeyPolicy",
                  "iam:ListGroups", "iam:ListRoles", "iam:ListUsers",
                  "logs:DescribeLogGroups", "logs:FilterLogEvents"
                ],
                "Resource": "*"
              }
            ]
          },
          "Roles": [ { "Ref": "AutoDiscoveryRole" } ]
        }
      }
    },
    "Outputs": {
      "RoleId": { "Description": "The ID of the IAM role", "Value": { "Ref": "AutoDiscoveryRole" } },
      "RoleArn": { "Description": "The ARN of the IAM role", "Value": { "Fn::GetAtt": [ "AutoDiscoveryRole", "Arn" ] } },
      "KmsPolicyId": { "Description": "The ID of the IAM policy for AWS KMS", "Value": { "Ref": "AutoDiscoveryKMSPolicy" } }
    }
  }
  ```
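Before deploying the StackSet, it is worth confirming that the management-account policy, the template's parameter values and the member-account role trust all line up: a placeholder left in a parameter default, a trust policy that names the wrong (or any) principal, or an sts:AssumeRole Resource that does not match the role name are the usual reasons discovery fails. Here is an added Python example (not from the CCKM documentation or AWS) that performs those checks; the account IDs, user name and trimmed template are constructed sample data.

```python
import fnmatch
import re

def _as_list(v):
    return v if isinstance(v, list) else [v]

def resolve_sub(value, params):
    """Resolve a CloudFormation {"Fn::Sub": "..."} string with the template's parameter values."""
    if isinstance(value, dict) and "Fn::Sub" in value:
        return re.sub(r"\$\{(\w+)\}", lambda m: str(params.get(m.group(1), m.group(0))), value["Fn::Sub"])
    return value

def check_discovery_setup(mgmt_policy, template, account_id, user_name, member_account="222222222222"):
    """Findings for the management policy vs. the role the template creates in a member account."""
    findings = []
    params = {k: str(v.get("Default", "")) for k, v in template.get("Parameters", {}).items()}
    if params.get("AwsAccountId") != str(account_id) or params.get("AwsUserName") != user_name:
        findings.append("template parameter defaults still hold placeholders or name another user")
    expected_user = f"arn:aws:iam::{account_id}:user/{user_name}"
    # Resources the management account may assume, from its sts:AssumeRole Allow statements.
    assumable = [r for s in _as_list(mgmt_policy["Statement"]) if s.get("Effect") == "Allow"
                 and "sts:AssumeRole" in _as_list(s["Action"]) for r in _as_list(s["Resource"])]
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::IAM::Role":
            continue
        trusted = set()
        for stmt in _as_list(res["Properties"]["AssumeRolePolicyDocument"]["Statement"]):
            principal = stmt.get("Principal", {})
            principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
            if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
                trusted |= {resolve_sub(p, params) for p in _as_list(principal)}
        if trusted != {expected_user}:  # exactly one trusted principal, and it is the CCKM user
            findings.append(f"{name}: trusted principals {sorted(trusted)} != [{expected_user}]")
        role_arn = f"arn:aws:iam::{member_account}:role/{res['Properties']['RoleName']}"
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in assumable):
            findings.append(f"{name}: management policy cannot sts:AssumeRole {role_arn}")
    return findings

# Constructed sample data: a management policy and a trimmed version of the page's template.
MGMT_POLICY = {"Version": "2012-10-17", "Statement": [{"Sid": "AutoDiscoveryAssumeRolePermissions",
    "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "arn:aws:iam::*:role/AutoDiscoveryRole"}]}
TEMPLATE = {"Parameters": {"AwsAccountId": {"Type": "Number", "Default": "111111111111"},
                           "AwsUserName": {"Type": "String", "Default": "cckm-discovery"}},
            "Resources": {"AutoDiscoveryRole": {"Type": "AWS::IAM::Role", "Properties": {
                "RoleName": "AutoDiscoveryRole", "AssumeRolePolicyDocument": {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": {
                    "Fn::Sub": "arn:aws:iam::${AwsAccountId}:user/${AwsUserName}"}}}]}}}}}
```

`check_discovery_setup(MGMT_POLICY, TEMPLATE, "111111111111", "cckm-discovery")` returns an empty list for the sample; leaving the `<Management Account ID>` placeholder in the template, or pointing the management policy at a different role name, each produces a finding.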
After all of the above configurations are done, add an AWS connection in CCKM using the management account IAM user credentials.
Refer to Connection Manager for details.