Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo
back

AWS APIs

Required User Permissions

search

Please Note:

Required User Permissions

This section provides the complete list of permissions required by a CipherTrust Manager user to perform operations on AWS resources using CCKM.

Create Operations (post)

Operation Required Permissions ACLs
Create Custom Key Store ReadKMSCCKM
AddAWSCKS
ReadAWSCKS
UpdateAWSCKS		 viewkeystore
keystoreadd
keystoreupdate
Create AWS key in Custom Key Store ReadKMSCCKM
ReadAWSCKS
CreatKeyCCKM
ReadKeyCCKM		 viewkeystore
cloudhsmkeycreate
viewcloudhsmkey
Block Custom Key Store ReadKMSCCKM
ReadAWSCKS
BlockAWSCKS		 viewkeystore
keystoreblock
Unblock Custom Key Store ReadKMSCCKM
ReadAWSCKS
UnBlockAWSCKS		 viewkeystore
keystoreunblock
Connect Custom Key Store ReadKMSCCKM
ReadAWSCKS
UpdateAWSCKS
ConnectAWSCKS		 viewkeystore
keystoreconnect
Disconnect Custom Key Store ReadKMSCCKM
ReadAWSCKS
UpdateAWSCKS
DisconnectAWSCKS		 viewkeystore
keystoredisconnect
Link Custom Key Store ReadKMSCCKM
ReadAWSCKS
UpdateAWSCKS
LinkAWSCKS		 viewkeystore
keystorelink
Create sync job for Custom Key Store ReadKMSCCKM
ReadAWSCKS
ReadKeyCCKM
SyncKeysCCKM
SyncStatusKeysCCKM		 viewkeystore
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keysynchronize
Cancel Custom Key Stores sync job SyncStatusKeysCCKM keysynchronize
Rotate credentials of a Custom Key Store ReadKMSCCKM
ReadAWSCKS
UpdateAWSCKS		 viewkeystore
keystoreupdate
Get unused cloud HSM clusters ReadKMSCCKM viewkeystore
Create HYOK key ReadKMSCCKM
ReadAWSCKS
CreatKeyCCKM
ReadKeyCCKM
If "source_key_tier" == "hsm-luna":
    ReadVirtualKey
If "source_key_tier" == "local":
    The user should be or have any of the following
        - Part of Key Admins group
        - Part of Key Users group and existing key owner
        - ReadKey and UseKey permissions on the existing key
If "linked_state" == true:
    DeleteKeyCCKM
    DeleteHyokUnlinkedKey
    DeleteCloudHSMKey
    ReadAuthConfigCCKM
    CreateAuthConfigCCKM
 viewkeystore
hyokkeycreate
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
If "linked_state" == true:
    hyokkeydelete
    cloudhsmkeydelete
Block a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
hyokkeyblockunblock
Unblock a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
hyokkeyblockunblock
Link a key ReadKMSCCKM
ReadAWSCKS
ReadKeyCCKM
UpdateKeyCCKM
LinkHyokKey		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
viewkeystore
hyokkeylink
keyupdate
Get IAM users ReadKeyCCKM viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
Get IAM roles ReadKeyCCKM viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
Create a key CreatKeyCCKM
ReadKeyCCKM		 • To create BYOK Key: viewbyok and keyupload
• To create Native Key: viewnative and keycreate
Create sync job ReadKMSCCKM
ReadAWSCKS
ReadKeyCCKM
SyncKeysCCKM
SyncStatusKeysCCKM		 viewkeystore
viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keysynchronize
Cancel a sync job SyncStatusKeysCCKM keysynchronize
Enable key rotation job ReadKeyCCKM
UpdateKeyCCKM
ReadJob		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Disable key rotation job ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Import key material ReadKeyCCKM
ImportKeyMaterialCCKM
If "source_key_tier" == "local":
    The user should have any of the following:
    - Part of Key Admins group
    - Part of Key Users group and existing key owner
    - ReadKey, UseKey, and UploadKey permissions on the existing key
    - Part of Key Users group, CreateKey, and CreateKeyVersion permissions
 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keymaterialimport
Delete key material ReadKeyCCKM
DeleteKeyMaterialCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keymaterialdelete
Rotate a key ReadKeyCCKM
If "key_material_origin" == "HYOK-CCKM":
    If "source_key_tier" == "local", then any one of the following:
        - Part of Key Admins group
        - Part of Key Users group and existing key owner
        - ReadKey and UseKey permissions on the existing key
        - Part of Key Users group, CreateKey, and CreateKeyVersion permissions
    If "source_key_tier" == "hsm-luna":
        ReadKeyCCKM on CCKM Luna partition
        ReadVirtualKey
        UpdateVirtualKey
If "key_material_origin" == "CloudHSM":
    ReadKMSCCKM
    ReadAWSCKS
    CreatKeyCCKM
    UpdateKeyCCKM
else
    CreatKeyCCKM
    UpdateKeyCCKM
    RotateKeyCCKM
    If "source_key_tier" == "local":
    Any one of the following:
        - Part of Key Admins group
        - Part of Key Users group and existing key owner
        - ReadKey, UseKey, and UploadKey permissions on the existing key
        - Part of Key Users group, CreateKey, and CreateKeyVersion permissions
 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyrotate

For native key rotation:
viewnative
keycreate

For BYOK key rotation:
viewbyok
keyupload
keymaterialimport

For HYOK key rotation:
viewkeystore
viewhyokkey

For Cloud HSM key rotation:
viewkeystore
viewcloudhsmkey
cloudhsmkeycreate
If "source_key_tier" == "hsm-luna"
view (on Luna HSM Partition)
Schedule deletion of a key ReadKeyCCKM
DeleteKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keydelete / hyokkeydelete / cloudhsmkeydelete
Create policy in a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Update decription of a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Enable a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Disable a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Add tags in a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Remove tags from a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Add alias in a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Delete alias from a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Cancel deletion of a key ReadKeyCCKM
DeleteKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keycanceldelete
Enable auto rotation of a key ReadKeyCCKM
KeyRotationCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Disable auto rotation of a key ReadKeyCCKM
KeyRotationCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Upload a key ReadKeyCCKM
CreatKeyCCKM
UploadKeyCCKM
If "source_key_tier" == "dsm":
    ReadKeyCCKM on CCKM DSM domain

If "source_key_tier" == "hsm-luna":
    ReadKeyCCKM on CCKM Luna partition

If "source_key_tier" == "local":
    Any of the following:
        - Part of Key Admins group
        - Part of Key Users group and existing key owner
        - ReadKey, UseKey, and UploadKey permissions on the existing key
        - Part of Key Users group, and CreateKey and CreateKeyVersion permissions
 viewbyok
keyupload
keymaterialimport

If "source_key_tier" == "dsm":
view (on DSM domain container)

If "source_key_tier" == "hsm-luna":
view (on Luna HSM partition)
Verify alias ReadKeyCCKM
Create policy template CreatKeyCCKM keycreate / keyupload / hyokkeycreate / cloudhsmkeycreate
Replicate a key ReadKeyCCKM
CreatKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keycreate
Update primary region of a key ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Add KMS account AddKmsCCKM
Update ACLs in a KMS account ReadKMSCCKM
ApplyAclsCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
Get AWS accounts GetAwsAccountCCKM
Create a report ReadKMSCCKM
CreateReportCCKM
ReportStatusCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
getreports
Get log groups GetAwsAccountCCKM
Create a virtual key ReadKeyCCKM
AddVirtualKey		 view (on Luna HSM partitions)

Read Operations (get)

Operation Required Permissions ACLs
List Custom Key Stores ReadKMSCCKM
ReadAWSCKS		 viewkeystore
Read Custom Key Store ReadKMSCCKM
ReadAWSCKS		 viewkeystore
List Custom Key Stores sync jobs SyncStatusKeysCCKM
Read Custom Key Stores sync job SyncStatusKeysCCKM
List credentials of a Custom Key Store ReadKMSCCKM
ReadAWSCKS		 viewkeystore
Read credential of a Custom Key Store ReadKMSCCKM
ReadAWSCKS		 viewkeystore
List key versions ReadKeyCCKM
If "source_key_tier" == "hsm-luna":
    ReadAWSHyokKeyVersions

If "source_key_tier" == "local":
    Any one of the following:
        - Part of Key Admins group
        - Part of Key Users group and existing key owner
        - ReadKey and UseKey permissions on the existing key
 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
List keys ReadKeyCCKM viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
Read a key ReadKeyCCKM viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
Download public key ReadKeyCCKM viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
List sync job SyncStatusKeysCCKM
Read a sync job SyncStatusKeysCCKM
List policy templates ReadKeyCCKM viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
Read a policy template ReadKeyCCKM viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
List KMS accounts ReadKMSCCKM viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
Read a KMS account ReadKMSCCKM viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
List all reports ReportStatusCCKM
Read a report ReportStatusCCKM
View contents of a report ReportStatusCCKM
Download a report ReportStatusCCKM
List virtual keys ReadVirtualKey
Read a virtual key ReadVirtualKey
List versions of a virtual key ReadVirtualKey

Update Operations (patch)

Operation Required Permissions ACLs
Update Custom Key Store ReadKMSCCKM
ReadAWSCKS
UpdateAWSCKS		 viewkeystore
keystoreupdate
Update a policy template ReadKeyCCKM
UpdateKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keyupdate
Update KMS account ReadKMSCCKM
UpdateKmsCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
Update a virtual key ReadVirtualKey
UpdateVirtualKey

Delete Operations (delete)

Operation Required Permissions ACLs
Delete Custom Key Store ReadKMSCCKM
ReadAWSCKS
ReadKeyCCKM
DeleteAWSCKS		 viewkeystore
keystoredelete
viewhyokkey / viewcloudhsmkey
Delete credentials of a Custom Key Store ReadKMSCCKM
ReadAWSCKS
DeleteAWSCKS		 viewkeystore
keystoredelete
Delete a key ReadKeyCCKM
DeleteKeyCCKM
If "key_material_origin" == "HYOK-CCKM":
    DeleteHyokUnlinkedKey

If "key_material_origin" == "CloudHSM":
    DeleteCloudHSMKey
else:    ReadAuthConfigCCKM and CreateAuthConfigCCKM
 For Native key: viewnative

For BYOK key: viewbyok

For HYOK CCKM key: viewhyokkey and hyokkeydelete

For HYOK Cloud HSM key: viewcloudhsmkey and cloudhsmkeydelete
Delete a policy template ReadKeyCCKM
DeleteKeyCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
keydelete / hyokkeydelete / cloudhsmkeydelete
Delete a KMS account ReadKMSCCKM
ReadAWSCKS
DeleteKMSCCKM		 viewnative / viewbyok / viewhyokkey / viewcloudhsmkey
viewkeystore
Delete a report ReportStatusCCKM
DeleteReportsCCKM
Delete a virtual key ReadVirtualKey
DeleteVirtualKey