01 Define the key policy that allows the specified IAM users and/or roles to manage the new KMS Customer Master Key (CMK) and to encrypt and decrypt tape data through the AWS KMS API. Create a new policy document, name it virtual-tape-cmk-policy.json, and paste the following content (replace the example account ID and the IAM user/role ARNs with your own). The first statement keeps the account root principal, and therefore the account's IAM policies, able to manage the key; without it the key can only be administered by the principals named explicitly in the policy. The last statement lets the tape admin create grants only when the grant is for an AWS service acting on their behalf (kms:GrantIsForAWSResource), which is how service integrations such as Storage Gateway obtain use of the key without the principal being able to hand it to arbitrary third parties:
{
  "Version": "2012-10-17",
  "Id": "sg-volume-custom-key-policy",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Grant access to CMK manager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/SGTapeManager"
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow the use of the CMK",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SGTapeAdmin"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/SGTapeAdmin"
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": "true"
        }
      }
    }
  ]
}
02 Run the create-key command (OSX/Linux/UNIX), passing the policy document created at the previous step (i.e. virtual-tape-cmk-policy.json) with the --policy parameter, to create the new Amazon KMS CMK:
aws kms create-key \
  --region us-east-1 \
  --description 'KMS CMK for encrypting virtual tape data.' \
  --policy file://virtual-tape-cmk-policy.json
03 The command output returns the metadata of the new KMS CMK. Copy the key's Amazon Resource Name (the Arn value), as it is required later when you specify the key used for tape data encryption:
{
  "KeyMetadata": {
    "Origin": "AWS_KMS",
    "KeyId": "abcd1234-abcd-1234-abcd-1234ancd1234",
    "Description": "KMS CMK for encrypting virtual tape data.",
    "Enabled": true,
    "KeyUsage": "ENCRYPT_DECRYPT",
    "KeyState": "Enabled",
    "CreationDate": 1517237395.290,
    "Arn": "arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234ancd1234",
    "AWSAccountId": "123456789012"
  }
}
04 Run the create-alias command (OSX/Linux/UNIX) using the key ARN returned at the previous step to add an alias to the new CMK. The alias name must start with the prefix "alias/" and must not start with "alias/aws/", which is reserved for AWS managed keys (the command produces no output):
aws kms create-alias \
  --region us-east-1 \
  --alias-name alias/SGTapeCustomCMK \
  --target-key-id arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234ancd1234
05 Run the create-tapes command (OSX/Linux/UNIX) to create new virtual tapes for the specified tape gateway. Pass --kms-encrypted together with the ARN of the newly created Customer Master Key (CMK) as the value of the --kms-key parameter to encrypt the tape data with your customer-managed key. KMS keys are regional, so the key must live in the same region as the gateway:
aws storagegateway create-tapes \
  --region us-east-1 \
  --gateway-arn arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12AB34CD \
  --tape-size-in-bytes 161061273600 \
  --client-token AAAABBBB \
  --num-tapes-to-create 2 \
  --tape-barcode-prefix ABC \
  --kms-encrypted \
  --kms-key arn:aws:kms:us-east-1:123456789012:key/abcd1234-abcd-1234-abcd-1234ancd1234
06 The command output returns the ARNs of the newly created virtual tapes:
{
  "TapeARNs": [
    "arn:aws:storagegateway:us-east-1:123456789012:tape/AABBCCDD0",
    "arn:aws:storagegateway:us-east-1:123456789012:tape/12340ABCD"
  ]
}
07 Repeat step no. 5 to create KMS-encrypted virtual tapes for the other tape gateways available in the selected region. Note that create-tapes sets encryption only for the tapes it creates; it does not change the encryption of tapes that already exist.
08 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 7 for the other regions. Because KMS keys are regional, each region needs its own CMK, key policy and alias.
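The whole procedure (steps 1 to 6) as one reusable POSIX shell script, added here as an example and not part of the original guide. It parameterises the key policy on the account ID and principal ARNs, adds the pre-flight checks a practitioner would want before calling the CLI (the key ARN really is a KMS key ARN in the gateway's region, the barcode prefix is valid), and finishes with a describe-tapes check that the new tapes report the intended key. The principal names SGTapeManager and SGTapeAdmin, the alias name and the 150 GiB tape size are the guide's own placeholders; the account ID and gateway ARN are assumed and must be replaced with yours. Only the AWS calls inside create_encrypted_tapes and tapes_not_using_key need credentials; the helper functions run offline.

```shell
#!/bin/sh
# Added example, not part of the original guide: steps 1-6 wrapped in
# functions with pre-flight checks. Principal names (SGTapeManager,
# SGTapeAdmin), the alias and the tape size are the guide's placeholders;
# the account ID and gateway ARN are assumptions you must replace.
set -eu

# Step 1: the key policy, parameterised on the account and principals.
# The account-root statement keeps the account's IAM policies able to reach
# the key; dropping it can leave the key unmanageable.
key_policy_json() {
  account_id=$1; manager_arn=$2; user_arn=$3
  cat <<EOF
{
  "Version": "2012-10-17",
  "Id": "virtual-tape-cmk-policy",
  "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::${account_id}:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "Grant access to CMK manager", "Effect": "Allow",
     "Principal": {"AWS": "${manager_arn}"},
     "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"],
     "Resource": "*"},
    {"Sid": "Allow the use of the CMK", "Effect": "Allow",
     "Principal": {"AWS": "${user_arn}"},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"],
     "Resource": "*"},
    {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
     "Principal": {"AWS": "${user_arn}"},
     "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
     "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}
  ]
}
EOF
}

# The region is the fourth colon-separated field of any ARN.
arn_region() { printf '%s' "$1" | cut -d: -f4; }

# KMS keys are regional: the key must be a KMS *key* ARN (not an alias)
# in the gateway's region, or create-tapes cannot use it.
check_key_for_gateway() {
  key_arn=$1; gateway_arn=$2
  case "$key_arn" in
    arn:aws:kms:*:key/*) ;;
    *) echo "not a KMS key ARN: $key_arn" >&2; return 1 ;;
  esac
  if [ "$(arn_region "$key_arn")" != "$(arn_region "$gateway_arn")" ]; then
    echo "key and gateway are in different regions" >&2; return 1
  fi
}

# create-tapes accepts a barcode prefix of 1-4 uppercase letters A-Z.
check_barcode_prefix() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Z]{1,4}$'
}

# Steps 2-5 for one region. Not invoked at top level: it needs AWS
# credentials and an existing tape gateway.
create_encrypted_tapes() {
  region=$1; account_id=$2; gateway_arn=$3; num_tapes=$4; prefix=$5
  check_barcode_prefix "$prefix" || { echo "bad prefix: $prefix" >&2; return 1; }
  [ "$(arn_region "$gateway_arn")" = "$region" ] || {
    echo "gateway is not in $region" >&2; return 1; }
  key_policy_json "$account_id" \
    "arn:aws:iam::${account_id}:role/SGTapeManager" \
    "arn:aws:iam::${account_id}:user/SGTapeAdmin" > virtual-tape-cmk-policy.json
  key_arn=$(aws kms create-key --region "$region" \
    --description 'KMS CMK for encrypting virtual tape data.' \
    --policy file://virtual-tape-cmk-policy.json \
    --query KeyMetadata.Arn --output text)
  check_key_for_gateway "$key_arn" "$gateway_arn"
  aws kms create-alias --region "$region" \
    --alias-name alias/SGTapeCustomCMK --target-key-id "$key_arn"
  aws storagegateway create-tapes --region "$region" \
    --gateway-arn "$gateway_arn" --tape-size-in-bytes 161061273600 \
    --client-token "tapes-$(date +%s)" --num-tapes-to-create "$num_tapes" \
    --tape-barcode-prefix "$prefix" --kms-encrypted --kms-key "$key_arn" \
    --query TapeARNs --output text
}

# Post-check for step 6: print the tapes on the gateway that do NOT report
# the intended key. No output means every tape is encrypted with it.
tapes_not_using_key() {
  region=$1; gateway_arn=$2; key_arn=$3
  aws storagegateway describe-tapes --region "$region" \
    --gateway-arn "$gateway_arn" \
    --query "Tapes[?KMSKey != '${key_arn}'].TapeARN" --output text
}
```

From a shell with credentials, source the file and run `create_encrypted_tapes us-east-1 123456789012 arn:aws:storagegateway:us-east-1:123456789012:gateway/sgw-12AB34CD 2 ABC`, then `tapes_not_using_key us-east-1 <gateway-arn> <key-arn>`; repeat per region, since each region gets its own key. The client token is derived from the current time so a re-run creates new tapes instead of returning the earlier result.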