AWS Permissions
This section provides the complete list of permissions required by a CipherTrust Manager user to perform operations on AWS resources using CCKM.
Create Operations (post)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Create Custom Key Store | ReadKMSCCKM AddAWSCKS ReadAWSCKS UpdateAWSCKS |
viewkeystore keystoreadd keystoreupdate |
| Create AWS Key in Custom Key Store | ReadKMSCCKM ReadAWSCKS CreatKeyCCKM ReadKeyCCKM |
viewkeystore cloudhsmkeycreate viewcloudhsmkey |
| Block Custom Key Store | ReadKMSCCKM ReadAWSCKS BlockAWSCKS |
viewkeystore keystoreblock |
| Unblock Custom Key Store | ReadKMSCCKM ReadAWSCKS UnBlockAWSCKS |
viewkeystore keystoreunblock |
| Connect Custom Key Store | ReadKMSCCKM ReadAWSCKS UpdateAWSCKS ConnectAWSCKS |
viewkeystore keystoreconnect |
| Disconnect Custom Key Store | ReadKMSCCKM ReadAWSCKS UpdateAWSCKS DisconnectAWSCKS |
viewkeystore keystoredisconnect |
| Link Custom Key Store | ReadKMSCCKM ReadAWSCKS UpdateAWSCKS LinkAWSCKS |
viewkeystore keystorelink |
| Create sync job for Custom Key Store | ReadKMSCCKM ReadAWSCKS ReadKeyCCKM SyncKeysCCKM SyncStatusKeysCCKM |
viewkeystore viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keysynchronize |
| Cancel Custom Key Stores sync job | SyncStatusKeysCCKM | keysynchronize |
| Rotate credential of a Custom Key Store | ReadKMSCCKM ReadAWSCKS UpdateAWSCKS |
viewkeystore keystoreupdate |
| Get unused cloud HSM clusters | ReadKMSCCKM | viewkeystore |
| Create HYOK Key | ReadKMSCCKM ReadAWSCKS CreatKeyCCKM ReadKeyCCKM • If "source_key_tier" == "hsm-luna", then ReadVirtualKey • If "source_key_tier" == "local", then the user should be or have any of the following - Part of Key Admins group - Part of Key Users group and existing key owner - ReadKey and UseKey permissions on the existing key • If "linked_state" == true, then DeleteKeyCCKM DeleteHyokUnlinkedKey DeleteCloudHSMKey ReadAuthConfigCCKM CreateAuthConfigCCKM |
viewkeystore hyokkeycreate viewnative / viewbyok / viewhyokkey / viewcloudhsmkey • If "linked_state" == true, then hyokkeydelete and cloudhsmkeydelete |
| Block a Key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey hyokkeyblockunblock |
| Unblock a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey hyokkeyblockunblock |
| Link a key | ReadKMSCCKM ReadAWSCKS ReadKeyCCKM UpdateKeyCCKM LinkHyokKey |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey viewkeystore hyokkeylink keyupdate |
| Get IAM Users | ReadKeyCCKM | viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| Get IAM Roles | ReadKeyCCKM | viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| Create a key | CreatKeyCCKM ReadKeyCCKM |
• To create BYOK Key: viewbyok and keyupload • To create Native Key: viewnative and keycreate |
| Create sync job | ReadKMSCCKM ReadAWSCKS ReadKeyCCKM SyncKeysCCKM SyncStatusKeysCCKM |
viewkeystore viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keysynchronize |
| Cancel a sync job | SyncStatusKeysCCKM | keysynchronize |
| Enable key rotation job | ReadKeyCCKM UpdateKeyCCKM ReadJob |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Disable key rotation job | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Import key material | ReadKeyCCKM ImportKeyMaterialCCKM If "source_key_tier" == "local", then the user have any of the following: - Part of Key Admins group - Part of Key Users group and existing key owner - ReadKey, UseKey, and UploadKey permissions on the existing key - Part of Key Users group, CreateKey, and CreateKeyVersion permissions |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keymaterialimport |
| Delete key material | ReadKeyCCKM DeleteKeyMaterialCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keymaterialdelete |
| Rotate a key | ReadKeyCCKM If "key_material_origin" == "HYOK-CCKM": • If "source_key_tier" == "local", then any one of the following: - Part of Key Admins group - Part of Key Users group and existing key owner - ReadKey and UseKey permissions on the existing key - Part of Key Users group, CreateKey, and CreateKeyVersion permissions • If "source_key_tier" == "hsm-luna", then ReadKeyCCKM on CCKM Luna partition, ReadVirtualKey, and UpdateVirtualKey • If "key_material_origin" == "CloudHSM", then ReadKMSCCKM, ReadAWSCKS, CreatKeyCCKM, and UpdateKeyCCKM, else CreatKeyCCKM UpdateKeyCCKM RotateKeyCCKM • If "source_key_tier" == "local", any one of the following: - Part of Key Admins group - Part of Key Users group and existing key owner - ReadKey, UseKey, and UploadKey permissions on the existing key - Part of Key Users group, CreateKey, and CreateKeyVersion permissions |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyrotate For native key rotation: viewnative and keycreate For BYOK key rotation: viewbyok, keyupload, and keymaterialimport For HYOK key rotation: viewkeystore and viewhyokkey For Cloud HSM key rotation: viewkeystore, viewcloudhsmkey, and cloudhsmkeycreate |
| Schedule deletion of a key | ReadKeyCCKM DeleteKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keydelete / hyokkeydelete / cloudhsmkeydelete |
| Create policy in a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Update decription of a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Enable a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Disable a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Add tags in a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Remove tags from a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Add alias in a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Delete alias from a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Cancel deletion of a key | ReadKeyCCKM DeleteKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keycanceldelete |
| Enable auto rotation of a key | ReadKeyCCKM KeyRotationCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Disable auto rotation of a key | ReadKeyCCKM KeyRotationCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Upload a key | ReadKeyCCKM CreatKeyCCKM UploadKeyCCKM • If "source_key_tier" == "dsm", ReadKeyCCKM on CCKM DSM domain • If "source_key_tier" == "hsm-luna", ReadKeyCCKM on CCKM Luna partition • If "source_key_tier" == "local", any of the following: - Part of Key Admins group - Part of Key Users group and existing key owner - ReadKey, UseKey, and UploadKey permissions on the existing key - Part of Key Users group, and CreateKey and CreateKeyVersion permissions |
viewbyok keyupload keymaterialimport • If "source_key_tier" == "dsm", view (on DSM domain container) • If "source_key_tier" == "hsm-luna", view (on Luna HSM partition). |
| Verify alias | ReadKeyCCKM | |
| Create policy template | CreatKeyCCKM | keycreate / keyupload / hyokkeycreate / cloudhsmkeycreate |
| Replicate a key | ReadKeyCCKM CreatKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keycreate |
| Update primary region of a key | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Add KMS account | AddKmsCCKM | |
| Update ACLs in a KMS account | ReadKMSCCKM ApplyAclsCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| Get AWS accounts | GetAwsAccountCCKM | |
| Create a report | ReadKMSCCKM CreateReportCCKM ReportStatusCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey getreports |
| Get Log Groups | GetAwsAccountCCKM | |
| Create a virtual key | ReadKeyCCKM AddVirtualKey |
view (on Luna HSM partitions) |
Read Operations (get)
| Operation | Required Permissions | ACLs |
|---|---|---|
| List Custom Key Stores | ReadKMSCCKM ReadAWSCKS |
viewkeystore |
| Read Custom Key Store | ReadKMSCCKM ReadAWSCKS |
viewkeystore |
| List Custom Key Stores sync jobs | SyncStatusKeysCCKM | |
| Read Custom Key Stores sync job | SyncStatusKeysCCKM | |
| List credentials of a Custom Key Store | ReadKMSCCKM ReadAWSCKS |
viewkeystore |
| Read credential of a Custom Key Store | ReadKMSCCKM ReadAWSCKS |
viewkeystore |
| List key versions | ReadKeyCCKM If "source_key_tier" == "hsm-luna": ReadAWSHyokKeyVersions If "source_key_tier" == "local": Any one of the following: - Part of Key Admins group - Part of Key Users group and existing key owner - ReadKey and UseKey permissions on the existing key |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| List keys | ReadKeyCCKM | viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| Read a key | ReadKeyCCKM | viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| Download public key | ReadKeyCCKM | viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| List sync job | SyncStatusKeysCCKM | |
| Read a sync job | SyncStatusKeysCCKM | |
| List policy templates | ReadKeyCCKM | viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| Read a policy template | ReadKeyCCKM | viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| List KMS accounts | ReadKMSCCKM | viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| Read a KMS account | ReadKMSCCKM | viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| List all reports | ReportStatusCCKM | |
| Read a report | ReportStatusCCKM | |
| View contents of a report | ReportStatusCCKM | |
| Download a report | ReportStatusCCKM | |
| List virtual keys | ReadVirtualKey | |
| Read a virtual key | ReadVirtualKey | |
| List versions of a virtual key | ReadVirtualKey |
Update Operations (patch)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Update Custom Key Store | ReadKMSCCKM ReadAWSCKS UpdateAWSCKS |
viewkeystore keystoreupdate |
| Update a policy template | ReadKeyCCKM UpdateKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keyupdate |
| Update KMS account | ReadKMSCCKM UpdateKmsCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey |
| Update a virtual key | ReadVirtualKey UpdateVirtualKey |
Delete Operations (delete)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Delete Custom Key Store | ReadKMSCCKM ReadAWSCKS ReadKeyCCKM DeleteAWSCKS |
viewkeystore keystoredelete viewhyokkey / viewcloudhsmkey |
| Delete credential of a Custom Key Store | ReadKMSCCKM ReadAWSCKS DeleteAWSCKS |
viewkeystore keystoredelete |
| Delete a key | ReadKeyCCKM DeleteKeyCCKM • If "key_material_origin" == "HYOK-CCKM": DeleteHyokUnlinkedKey • If "key_material_origin" == "CloudHSM": DeleteCloudHSMKey • else: ReadAuthConfigCCKM and CreateAuthConfigCCKM |
• For Native key: viewnative • For BYOK key: viewbyok • For HYOK CCKM key: viewhyokkey and hyokkeydelete • For HYOK Cloud HSM key: viewcloudhsmkey and cloudhsmkeydelete |
| Delete a policy template | ReadKeyCCKM DeleteKeyCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey keydelete / hyokkeydelete / cloudhsmkeydelete |
| Delete a KMS account | ReadKMSCCKM ReadAWSCKS DeleteKMSCCKM |
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey viewkeystore |
| Delete a report | ReportStatusCCKM DeleteReportsCCKM |
|
| Delete a virtual key | ReadVirtualKey DeleteVirtualKey |