01 Sign in to your Cloud Conformity console, access Check for Existence of Specific AWS KMS CMKs rule settings and copy the alias (name) of the Customer Master Key (CMK) that you want to create in your AWS account.
02 Define the access policy that enables the specified AWS IAM users and/or roles to administer the new CMK and the selected IAM users and/or roles to encrypt/decrypt data using the Key Management Service (KMS) API. Create a new JSON document, name it cmk-access-policy.json and paste the following data (replace the highlighted details, i.e. the ARNs for the IAM users and/or roles, with your own details):
{
  "Id": "custom-cmk-access-policy",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<AWS_ACCOUNT_ID>:user/<USER_NAME>"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}
03 Run the create-key command (OSX/Linux/UNIX) with the policy document defined at the previous step (i.e. cmk-access-policy.json) to create the required Amazon KMS Customer Master Key (CMK) in the selected AWS region:
aws kms create-key \
  --region us-east-1 \
  --description 'Specific KMS CMK for encrypting production data' \
  --policy file://cmk-access-policy.json
04 The command output should return the new KMS CMK metadata:
{
  "KeyMetadata": {
    "Origin": "AWS_KMS",
    "KeyId": "aabbccdd-1234-abcd-1234-aabbccdd1234",
    "Description": "Specific KMS CMK for encrypting production data",
    "KeyManager": "CUSTOMER",
    "Enabled": true,
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "CreationDate": 15198439962.150,
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/aabbccdd-1234-abcd-1234-aabbccdd1234",
    "AWSAccountId": "123456789012"
  }
}
05 Run the create-alias command (OSX/Linux/UNIX) with the ARN of the newly created key to attach the alias copied at step no. 1 to the new Customer Master Key. The alias name must always start with the "alias/" prefix (the command produces no output):
aws kms create-alias \
  --alias-name alias/cc-highlyprotected-key \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/aabbccdd-1234-abcd-1234-aabbccdd1234
06 Repeat steps no. 2 – 5 to create other specific Amazon KMS Customer Master Keys to be used in the selected AWS region.
07 If required, change the AWS region by updating the --region command parameter value and repeat the entire process for other regions.
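As an added example (not part of the Cloud Conformity page or the AWS CLI), the following Python builds the step 2 key policy from your account id and principal ARNs, runs pre-flight checks on it before create-key is ever called, and validates the step 5 alias name. The checks are assumptions about what is worth catching: a policy with no Allow for the account root (which can leave the key unmanageable if the admin identities are later deleted), wildcard or cross-account principals, and administrators who can also use the key.

```python
import re

ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                 "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                 "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
               "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
ALIAS_RE = re.compile(r"^alias/[A-Za-z0-9/_-]{1,250}$")  # assumed allowed character set

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def build_policy(account_id, admin_arns, user_arns):
    """The four-statement key policy from step 2, with the principal ARNs filled in."""
    def stmt(sid, principals, actions, **extra):
        return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principals},
                "Action": actions, "Resource": "*", **extra}
    return {"Id": "custom-cmk-access-policy", "Version": "2012-10-17", "Statement": [
        stmt("Enable IAM User Permissions", [f"arn:aws:iam::{account_id}:root"], "kms:*"),
        stmt("Allow access for Key Administrators", admin_arns, ADMIN_ACTIONS),
        stmt("Allow use of the key", user_arns, USE_ACTIONS),
        stmt("Allow attachment of persistent resources", user_arns, GRANT_ACTIONS,
             Condition={"Bool": {"kms:GrantIsForAWSResource": "true"}})]}

def policy_problems(policy, account_id):
    """Pre-flight checks before create-key; returns a list of findings (empty means OK)."""
    findings, root = [], f"arn:aws:iam::{account_id}:root"
    stmts = policy.get("Statement", [])
    # No Allow for the account root means only the listed admin identities can manage the
    # key; if those identities are deleted, the key becomes unmanageable.
    if not any(s.get("Effect") == "Allow" and "kms:*" in _as_list(s.get("Action", []))
               and root in _as_list(s.get("Principal", {}).get("AWS", [])) for s in stmts):
        findings.append("no Allow of kms:* for the account root principal")
    for s in stmts:
        for p in _as_list(s.get("Principal", {}).get("AWS", [])):
            if p == "*":
                findings.append(f"{s.get('Sid')}: wildcard principal")
            elif (p.split(":")[4] if p.startswith("arn:") else p) != account_id:
                findings.append(f"{s.get('Sid')}: cross-account principal {p}")
        if "Administrators" in s.get("Sid", "") and \
                set(_as_list(s.get("Action", []))) & {"kms:Encrypt", "kms:Decrypt", "kms:*"}:
            findings.append("key administrators can also use the key (no separation of duties)")
    return findings

def valid_alias(name):
    """Step 5: the name must start with alias/; alias/aws/ is reserved for AWS managed keys."""
    return bool(ALIAS_RE.match(name)) and not name.startswith("alias/aws/")
```

Serialise the result of build_policy with json.dumps into cmk-access-policy.json and pass it to --policy file://cmk-access-policy.json in step 3 only when policy_problems returns an empty list.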