Create an AWS IAM user service account

Entrust KeyControl uses an AWS IAM user service account to perform the KMS operations in BYOK.

Support for using an AWS domain user instead of an IAM user service account for the KMS operations is under consideration for a future release of Entrust KeyControl.

The following steps first create a customer managed policy in AWS, then create an IAM user service account with that policy attached.

Create an AWS BYOK service account policy

  1. Select Services / IAM.

  2. In the left pane select Access management / Policies. Then select the Create policy icon.

  3. In the Specify permissions window, select the JSON icon.

  4. Copy the following into the policy editor window. Then select Next.

    This policy grants every KMS action, and the listed IAM access-key actions, on "Resource": "*", which means the iam:*AccessKey actions apply to every IAM user in the account, not only to this service account. Treat the resulting access key as highly privileged. If your organization requires a narrower policy, verify the reduced set of permissions against the AWS BYOK Service Account Requirements before using it with KeyControl.

    {
    	"Version": "2012-10-17",
    	"Statement": [
    		{
    			"Sid": "ServiceAccountPolicy",
    			"Effect": "Allow",
    			"Action": [
    				"kms:*",
    				"ec2:DescribeRegions",
    				"ssm:GetParameter",
    				"iam:ListUsers",
    				"iam:GetUser",
    				"iam:CreateAccessKey",
    				"iam:UpdateAccessKey",
    				"iam:ListAccessKeys",
    				"iam:DeleteAccessKey"
    			],
    			"Resource": "*"
    		}
    	]
    }
    aws create service policy 1
  5. In the Review and create window, enter a name and description.

  6. In the Permissions defined for this policy section, select KMS. Then select Create policy.

    aws create service policy 2
  7. Notice the new policy created.

    aws create service policy 3

For further information, refer to the AWS BYOK Service Account Requirements.

Create an AWS IAM user service account

These steps create an AWS IAM user with no console access (a service account) and attach the policy created in Create an AWS BYOK service account policy.

  1. Select Services / IAM.

  2. In the left pane select Access management / Users. Then select the Create user icon.

  3. Enter the user name. Uncheck Provide user access to the AWS Management Console - optional, since a service account needs only programmatic access. Then select Next.

    For example:

    aws create service user 1
  4. In the Set permissions window, select the Attach policies directly radio button.

  5. In the Permissions policies section, search for the policy created in Create an AWS BYOK service account policy and select the check box next to it. Then select Next.

    aws create service user 2
  6. In the Review and create window, go to section Tags - optional and select Add new tag if required by your organization. Enter the key-value pair. Then select Create user.

    Some organizations use tags to manage IAM users and their keys. Check your organization's policies.

    For example:

    aws create service user 3
  7. Notice the new user created.

    aws create service user 4
  8. Select the new user. Then select the Security credentials tab.

  9. In the Access keys (0) section, select the create access key icon.

  10. In the Access key best practices & alternatives window, select the Third party service radio button. Check I understand the above recommendation and want to proceed to create an access key. Then select Next.

    Entrust KeyControl gives you the ability to rotate the access keys. You can set the rotation schedule later on, in Create an AWS CSP account.

    aws create service user 5
  11. In the Set description tag - optional window, enter a description tag if desired. Then select Create access key.

    aws create service user 6
  12. In the Retrieve access key window, select Download .csv file to download a file containing the Access key and Secret access key. Save these keys securely; the secret access key is displayed only once, and if it is lost you must create a new access key. You will need both values to Create an AWS CSP account. Then select Done.

    aws create service user 7
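The two console procedures above, creating the customer managed policy and then the IAM user with an access key, can also be done with the AWS CLI. The script below is an added example written for this page, not Entrust KeyControl or AWS code. It assumes AWS CLI v2 configured with credentials permitted to manage IAM, and the policy name, user name and key file path are placeholders chosen for the example (override them through the environment). The policy document is the one given above, unchanged.

```sh
#!/bin/sh
# Added example: create the KeyControl BYOK service account with the AWS CLI.
# Assumes AWS CLI v2 and credentials allowed to manage IAM. The policy name,
# user name and key file path are placeholders for this example, not names
# from the KeyControl documentation; override them via the environment.
set -u

KC_POLICY_NAME="${KC_POLICY_NAME:-KeyControlBYOKServiceAccountPolicy}"
KC_USER_NAME="${KC_USER_NAME:-keycontrol-byok-svc}"
KC_KEY_FILE="${KC_KEY_FILE:-./${KC_USER_NAME}-access-key.json}"

# The customer managed policy exactly as given on this page.
byok_policy_document() {
    cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ServiceAccountPolicy",
      "Effect": "Allow",
      "Action": [
        "kms:*",
        "ec2:DescribeRegions",
        "ssm:GetParameter",
        "iam:ListUsers",
        "iam:GetUser",
        "iam:CreateAccessKey",
        "iam:UpdateAccessKey",
        "iam:ListAccessKeys",
        "iam:DeleteAccessKey"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

# Local sanity check before touching IAM: every action KeyControl needs is
# present in the document. Returns 0 when complete, 1 otherwise.
check_policy_document() {
    doc="$(byok_policy_document)"
    for action in 'kms:*' 'ec2:DescribeRegions' 'ssm:GetParameter' \
                  'iam:ListUsers' 'iam:GetUser' 'iam:CreateAccessKey' \
                  'iam:UpdateAccessKey' 'iam:ListAccessKeys' 'iam:DeleteAccessKey'; do
        printf '%s\n' "$doc" | grep -Fq "\"$action\"" || return 1
    done
    return 0
}

# The console steps of both procedures, as CLI calls.
create_service_account() {
    check_policy_document || { echo "policy document is incomplete" >&2; return 1; }

    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    byok_policy_document > "$tmp"

    # Create the customer managed policy; AWS validates the JSON server-side.
    policy_arn="$(aws iam create-policy \
        --policy-name "$KC_POLICY_NAME" \
        --description "Entrust KeyControl BYOK service account" \
        --policy-document "file://$tmp" \
        --query Policy.Arn --output text)" || return 1

    # create-user never creates a console login profile, so the user has no
    # console access, matching the unchecked box in the console steps.
    # Add --tags Key=...,Value=... here if your organization requires tags.
    aws iam create-user --user-name "$KC_USER_NAME" >/dev/null || return 1
    aws iam attach-user-policy --user-name "$KC_USER_NAME" \
        --policy-arn "$policy_arn" || return 1

    # The secret access key is returned exactly once. Write it with owner-only
    # permissions; KeyControl needs it in "Create an AWS CSP account".
    umask 077
    aws iam create-access-key --user-name "$KC_USER_NAME" \
        --output json > "$KC_KEY_FILE" || return 1
    echo "access key written to $KC_KEY_FILE (keep it out of version control)"
}

# Only call AWS when explicitly asked, so the file can be sourced or checked
# without credentials.
case "${1:-}" in
    --apply) create_service_account ;;
esac
```

Run it as `sh create-byok-service-account.sh --apply` (the file name is arbitrary). Without `--apply` it only defines the functions, which lets you run `check_policy_document` or inspect `byok_policy_document` offline. The script assumes the policy and user do not already exist; `aws iam create-policy` and `aws iam create-user` fail with an EntityAlreadyExists error otherwise, and the `|| return 1` guards stop the script at that point instead of continuing with a missing ARN.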