AWS Permissions

This section provides the complete list of permissions required by a CipherTrust Manager user to perform operations on AWS resources using CCKM. Each operation below is listed with the permissions it requires and the ACLs it requires; where an entry shows "viewnative / viewbyok / viewhyokkey / viewcloudhsmkey", the ACL that applies depends on the type of key being operated on.

Create Operations (post)

Create Custom Key Store
    Required permissions: ReadKMSCCKM, AddAWSCKS, ReadAWSCKS, UpdateAWSCKS
    ACLs: viewkeystore, keystoreadd, keystoreupdate

Create AWS Key in Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, CreatKeyCCKM, ReadKeyCCKM
    ACLs: viewkeystore, cloudhsmkeycreate, viewcloudhsmkey

Block Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, BlockAWSCKS
    ACLs: viewkeystore, keystoreblock

Unblock Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, UnBlockAWSCKS
    ACLs: viewkeystore, keystoreunblock

Connect Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, UpdateAWSCKS, ConnectAWSCKS
    ACLs: viewkeystore, keystoreconnect

Disconnect Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, UpdateAWSCKS, DisconnectAWSCKS
    ACLs: viewkeystore, keystoredisconnect

Link Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, UpdateAWSCKS, LinkAWSCKS
    ACLs: viewkeystore, keystorelink

Create sync job for Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, ReadKeyCCKM, SyncKeysCCKM, SyncStatusKeysCCKM
    ACLs: viewkeystore, viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keysynchronize

Cancel Custom Key Stores sync job
    Required permissions: SyncStatusKeysCCKM
    ACLs: keysynchronize

Rotate credential of a Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, UpdateAWSCKS
    ACLs: viewkeystore, keystoreupdate

Get unused cloud HSM clusters
    Required permissions: ReadKMSCCKM
    ACLs: viewkeystore

Create HYOK Key
    Required permissions: ReadKMSCCKM, ReadAWSCKS, CreatKeyCCKM, ReadKeyCCKM
        If "source_key_tier" == "hsm-luna": ReadVirtualKey
        If "source_key_tier" == "local", the user must satisfy any one of the following:
        - Part of Key Admins group
        - Part of Key Users group and existing key owner
        - ReadKey and UseKey permissions on the existing key
        If "linked_state" == true: DeleteKeyCCKM, DeleteHyokUnlinkedKey, DeleteCloudHSMKey, ReadAuthConfigCCKM, CreateAuthConfigCCKM
    ACLs: viewkeystore, hyokkeycreate, viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
        If "linked_state" == true: hyokkeydelete, cloudhsmkeydelete

Block a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, hyokkeyblockunblock

Unblock a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, hyokkeyblockunblock

Link a key
    Required permissions: ReadKMSCCKM, ReadAWSCKS, ReadKeyCCKM, UpdateKeyCCKM, LinkHyokKey
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, viewkeystore, hyokkeylink, keyupdate

Get IAM Users
    Required permissions: ReadKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

Get IAM Roles
    Required permissions: ReadKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

Create a key
    Required permissions: CreatKeyCCKM, ReadKeyCCKM
    ACLs:
        To create a BYOK key: viewbyok and keyupload
        To create a Native key: viewnative and keycreate

Create sync job
    Required permissions: ReadKMSCCKM, ReadAWSCKS, ReadKeyCCKM, SyncKeysCCKM, SyncStatusKeysCCKM
    ACLs: viewkeystore, viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keysynchronize

Cancel a sync job
    Required permissions: SyncStatusKeysCCKM
    ACLs: keysynchronize

Enable key rotation job
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM, ReadJob
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Disable key rotation job
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Import key material
    Required permissions: ReadKeyCCKM, ImportKeyMaterialCCKM
        If "source_key_tier" == "local", the user must satisfy any one of the following:
        - Part of Key Admins group
        - Part of Key Users group and existing key owner
        - ReadKey, UseKey, and UploadKey permissions on the existing key
        - Part of Key Users group, with CreateKey and CreateKeyVersion permissions
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keymaterialimport

Delete key material
    Required permissions: ReadKeyCCKM, DeleteKeyMaterialCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keymaterialdelete

Rotate a key
    Required permissions: ReadKeyCCKM
        If "key_material_origin" == "HYOK-CCKM":
            If "source_key_tier" == "local", the user must satisfy any one of the following:
            - Part of Key Admins group
            - Part of Key Users group and existing key owner
            - ReadKey and UseKey permissions on the existing key
            - Part of Key Users group, with CreateKey and CreateKeyVersion permissions
            If "source_key_tier" == "hsm-luna": ReadKeyCCKM on the CCKM Luna partition, ReadVirtualKey, UpdateVirtualKey
        If "key_material_origin" == "CloudHSM": ReadKMSCCKM, ReadAWSCKS, CreatKeyCCKM, UpdateKeyCCKM
        Otherwise: CreatKeyCCKM, UpdateKeyCCKM, RotateKeyCCKM
            If "source_key_tier" == "local", the user must satisfy any one of the following:
            - Part of Key Admins group
            - Part of Key Users group and existing key owner
            - ReadKey, UseKey, and UploadKey permissions on the existing key
            - Part of Key Users group, with CreateKey and CreateKeyVersion permissions
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyrotate
        For native key rotation: viewnative, keycreate
        For BYOK key rotation: viewbyok, keyupload, keymaterialimport
        For HYOK key rotation: viewkeystore, viewhyokkey
        For Cloud HSM key rotation: viewkeystore, viewcloudhsmkey, cloudhsmkeycreate
        If "source_key_tier" == "hsm-luna": view (on the Luna HSM partition)

Schedule deletion of a key
    Required permissions: ReadKeyCCKM, DeleteKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keydelete / hyokkeydelete / cloudhsmkeydelete

Create policy in a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Update description of a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Enable a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Disable a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Add tags to a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Remove tags from a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Add alias to a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Delete alias from a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Cancel deletion of a key
    Required permissions: ReadKeyCCKM, DeleteKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keycanceldelete

Enable auto rotation of a key
    Required permissions: ReadKeyCCKM, KeyRotationCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Disable auto rotation of a key
    Required permissions: ReadKeyCCKM, KeyRotationCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Upload a key
    Required permissions: ReadKeyCCKM, CreatKeyCCKM, UploadKeyCCKM
        If "source_key_tier" == "dsm": ReadKeyCCKM on the CCKM DSM domain
        If "source_key_tier" == "hsm-luna": ReadKeyCCKM on the CCKM Luna partition
        If "source_key_tier" == "local", the user must satisfy any one of the following:
        - Part of Key Admins group
        - Part of Key Users group and existing key owner
        - ReadKey, UseKey, and UploadKey permissions on the existing key
        - Part of Key Users group, with CreateKey and CreateKeyVersion permissions
    ACLs: viewbyok, keyupload, keymaterialimport
        If "source_key_tier" == "dsm": view (on the DSM domain container)
        If "source_key_tier" == "hsm-luna": view (on the Luna HSM partition)

Verify alias
    Required permissions: ReadKeyCCKM

Create policy template
    Required permissions: CreatKeyCCKM
    ACLs: keycreate / keyupload / hyokkeycreate / cloudhsmkeycreate

Replicate a key
    Required permissions: ReadKeyCCKM, CreatKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keycreate

Update primary region of a key
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Add KMS account
    Required permissions: AddKmsCCKM

Update ACLs in a KMS account
    Required permissions: ReadKMSCCKM, ApplyAclsCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

Get AWS accounts
    Required permissions: GetAwsAccountCCKM

Create a report
    Required permissions: ReadKMSCCKM, CreateReportCCKM, ReportStatusCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, getreports

Get Log Groups
    Required permissions: GetAwsAccountCCKM

Create a virtual key
    Required permissions: ReadKeyCCKM, AddVirtualKey
    ACLs: view (on the Luna HSM partitions)

Read Operations (get)

List Custom Key Stores
    Required permissions: ReadKMSCCKM, ReadAWSCKS
    ACLs: viewkeystore

Read Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS
    ACLs: viewkeystore

List Custom Key Stores sync jobs
    Required permissions: SyncStatusKeysCCKM

Read Custom Key Stores sync job
    Required permissions: SyncStatusKeysCCKM

List credentials of a Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS
    ACLs: viewkeystore

Read credential of a Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS
    ACLs: viewkeystore

List key versions
    Required permissions: ReadKeyCCKM
        If "source_key_tier" == "hsm-luna": ReadAWSHyokKeyVersions
        If "source_key_tier" == "local", the user must satisfy any one of the following:
        - Part of Key Admins group
        - Part of Key Users group and existing key owner
        - ReadKey and UseKey permissions on the existing key
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

List keys
    Required permissions: ReadKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

Read a key
    Required permissions: ReadKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

Download public key
    Required permissions: ReadKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

List sync jobs
    Required permissions: SyncStatusKeysCCKM

Read a sync job
    Required permissions: SyncStatusKeysCCKM

List policy templates
    Required permissions: ReadKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

Read a policy template
    Required permissions: ReadKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

List KMS accounts
    Required permissions: ReadKMSCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

Read a KMS account
    Required permissions: ReadKMSCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

List all reports
    Required permissions: ReportStatusCCKM

Read a report
    Required permissions: ReportStatusCCKM

View contents of a report
    Required permissions: ReportStatusCCKM

Download a report
    Required permissions: ReportStatusCCKM

List virtual keys
    Required permissions: ReadVirtualKey

Read a virtual key
    Required permissions: ReadVirtualKey

List versions of a virtual key
    Required permissions: ReadVirtualKey

Update Operations (patch)

Update Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, UpdateAWSCKS
    ACLs: viewkeystore, keystoreupdate

Update a policy template
    Required permissions: ReadKeyCCKM, UpdateKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keyupdate

Update KMS account
    Required permissions: ReadKMSCCKM, UpdateKmsCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey

Update a virtual key
    Required permissions: ReadVirtualKey, UpdateVirtualKey

Delete Operations (delete)

Delete Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, ReadKeyCCKM, DeleteAWSCKS
    ACLs: viewkeystore, keystoredelete, viewhyokkey / viewcloudhsmkey

Delete credential of a Custom Key Store
    Required permissions: ReadKMSCCKM, ReadAWSCKS, DeleteAWSCKS
    ACLs: viewkeystore, keystoredelete

Delete a key
    Required permissions: ReadKeyCCKM, DeleteKeyCCKM
        If "key_material_origin" == "HYOK-CCKM": DeleteHyokUnlinkedKey
        If "key_material_origin" == "CloudHSM": DeleteCloudHSMKey
        Otherwise: ReadAuthConfigCCKM and CreateAuthConfigCCKM
    ACLs:
        For a Native key: viewnative
        For a BYOK key: viewbyok
        For a HYOK CCKM key: viewhyokkey and hyokkeydelete
        For a HYOK Cloud HSM key: viewcloudhsmkey and cloudhsmkeydelete

Delete a policy template
    Required permissions: ReadKeyCCKM, DeleteKeyCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, keydelete / hyokkeydelete / cloudhsmkeydelete

Delete a KMS account
    Required permissions: ReadKMSCCKM, ReadAWSCKS, DeleteKMSCCKM
    ACLs: viewnative / viewbyok / viewhyokkey / viewcloudhsmkey, viewkeystore

Delete a report
    Required permissions: ReportStatusCCKM, DeleteReportsCCKM

Delete a virtual key
    Required permissions: ReadVirtualKey, DeleteVirtualKey