Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo
back

CCKM Administration

AWS Resources

search

Please Note:

AWS Resources

This section describes prerequisites to manage AWS resources on the CCKM.

Prerequisites

  • Before you can add an AWS account to the CCKM, an AWS connection must already exist on the CipherTrust Manager. A CipherTrust Manager administrator manages connections to external resources on the Access Management > Connections Management page of the CipherTrust Manager GUI. Refer to Connection Manager for details.

  • Appropriate permissions to manage the AWS KMS must be added on the AWS console.

    1. Permissions to list regions: Add the IAM permission ec2:DescribeRegions to list the AWS regions.
      For example:

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DescribeRegions",
            "Resource": "*"
        }
    ]
}

    2. Permissions to manage AWS resources: Add the following IAM permissions to manage AWS resources:

      • kms:ListAliases

      • kms:ListKeyPolicies

      • kms:ListKeys

      • kms:ListResourceTags

      • kms:DescribeKey

      • kms:GetKeyPolicy

      • kms:GetKeyRotationStatus

      • kms:GetParametersForImport

      • kms:GetPublicKey

      • kms:TagResource

      • kms:UntagResource

      • kms:CancelKeyDeletion

      • kms:CreateAlias

      • kms:CreateKey

      • kms:DeleteAlias

      • kms:DeleteImportedKeyMaterial

      • kms:DisableKey

      • kms:DisableKeyRotation

      • kms:DescribeCustomKeyStores

      • kms:EnableKey

      • kms:EnableKeyRotation

      • kms:ImportKeyMaterial

      • kms:ScheduleKeyDeletion

      • kms:UpdateAlias

      • kms:UpdateKeyDescription

      • kms:PutKeyPolicy

      • iam:ListGroups

      • iam:ListRoles

      • iam:ListUsers

      • logs:DescribeLogGroups

      • logs:FilterLogEvents

      For example:

      {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:DisableKey",
                "kms:ListAliases",
                "kms:ListKeyPolicies",
                "kms:ListKeys",
                "kms:ListResourceTags",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:GetParametersForImport",
                "kms:GetPublicKey",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:CancelKeyDeletion",
                "kms:CreateAlias",
                "kms:CreateKey",
                "kms:DeleteAlias",
                "kms:DeleteImportedKeyMaterial",
                "kms:DisableKey",
                "kms:DisableKeyRotation",
                "kms:EnableKey",
                "kms:EnableKeyRotation",
                "kms:ImportKeyMaterial",
                "kms:ScheduleKeyDeletion",
                "kms:UpdateAlias",
                "kms:UpdateKeyDescription",
                "kms:PutKeyPolicy",
                "iam:ListGroups",
                "iam:ListRoles",
                "iam:ListUsers",
                "logs:DescribeLogGroups",
                "logs:FilterLogEvents"                            
            ],
            "Resource": "*"
        }
    ]
}

Note

If you want to manage the External Custom Key Stores or CloudHSM Key Stores, additional IAM permissions required to use AWS resources are:

Permissions might take some time to be effective on AWS. Until then, a permission error might occur. Wait for some time and retry.

  • cloudhsm:DescribeClusters

  • kms:CreateCustomKeyStore

  • kms:ConnectCustomKeyStore

  • kms:DeleteCustomKeyStore

  • kms:DisconnectCustomKeyStore

  • kms:UpdateCustomKeyStore

  • iam:CreateServiceLinkedRole

Note

Permissions might take some time to be effective on AWS. Until then, a permission error might occur. Wait for some time and retry.

Now, AWS accounts and AWS keys can be managed on the CipherTrust Manager.

Note

  • To use AWS IAM Roles Anywhere with CCKM, additional configuration is required.

  • AWS GovCloud does not support AWS IAM Roles Anywhere.

Additional Configuration for AWS IAM Roles Anywhere

The AWS IAM Roles Anywhere service allows non-federated identities outside AWS to assume IAM roles and use their permissions to access resources. The service provides a secure way for the workloads that run outside of AWS such as servers, containers, and applications to use X.509 digital certificates to obtain temporary AWS credential. This eliminates the need to manage long-term credentials for external workloads.

To use IAM Roles Anywhere, external workloads must use X.509 certificates issued by a Certificate Authority (CA). The CA needs to be registered as a trust anchor with the IAM Roles Anywhere service to establish trust between them. Alternatively, AWS Private Certificate Authority (AWS Private CA) can be used to create a CA and then use that to establish trust with IAM Roles Anywhere.

CA and Client Certificate Requirements

  • Client certificates must satisfy the following requirements for authentication:

    • The certificates must be X.509v3

    • Basic constraints must include CA: false

    • The key usage must include Digital Signature

    • The signing algorithm must include SHA256 or a stronger algorithm (MD5 and SHA1 signing algorithms are rejected)

  • Certificates used as trust anchors must satisfy the following requirements for signature algorithm:

    • The certificates must be X.509v3

    • Basic constraints MUST include CA: true

    • The key usage must include Certificate Sign, and may include CRL Sign

    • The signing algorithm must include SHA256 or a stronger algorithm (MD5 and SHA1 signing algorithms are rejected)

    • Certificate Revocation Lists (CRLs) are an optional feature of IAM Roles Anywhere

Configuration Steps

To use IAM Roles Anywhere for authentication to AWS from external workloads:

  1. Create a trust anchor. This anchor is essentially a reference to a CA that IAM Roles Anywhere service will use to validate the authentication requests. Both the root and intermediate CAs can be used as trust anchors.

  2. Create an IAM role that trusts the IAM Roles Anywhere service principal.

  3. Create a profile that lists the roles IAM Roles Anywhere assumes. In the profile, you can limit the permissions for a created session with IAM managed policies.

    By adding one or more roles to a profile and enabling IAM Roles Anywhere to assume these roles, a non-AWS workload can use the client certificate issued by the trusted CA to make secure requests to AWS and get temporary credentials to access the AWS environment.

    Note

    • When the CipherTrust Manager is in AWS VPC, the trust anchor, and profile must be created in the same region from where the CipherTrust Manager instance is launched.
    • Refer to the AWS IAM Roles Anywhere documentation for detailed instructions.

  4. Add an AWS connection on the CipherTrust Manager with IAM Roles Anywhere enabled. While adding the connection for IAM Roles Anywhere, you need to specify:

    • The AWS Resource Names (ARNs) of the trust anchor, IAM role, and profile created in the above steps

    • Client's private key and certificate

    Refer to Connection Manager for details.

Note

If you are using an access key and secrets base AWS connection and you want to move to an AWS IAM Roles based connection, refer to Migrating to IAM Roles Anywhere Connections.