Amazon Key Management Service (KMS) is a managed service that enables you to easily create, control, and manage cryptographic keys used to encrypt data across AWS services. It integrates with AWS Identity and Access Management (IAM) to provide secure access and key management capabilities.
Integrating your application with Amazon Key Management Service (KMS) enhances security by using managed encryption keys for your data. Here are the steps you need to follow to ensure a smooth integration:
Authentication
Before you begin, make sure you have the following information:
Connection Name: Select a descriptive name for your connection, like "MyAppAmazonKMSIntegration". This helps in easily identifying the connection within your application or integration settings.Authentication Type: Select the type of authentication for connecting to your Amazon Kms account:IAM Role
Access Key
Access key-based Authentication
For Access Key-based authentication, you'll need to perform the following steps to generate access credentials:
Login to the AWS Management Console
Go to AWS Console.
Create a new user
Search for Users in the top search bar of the AWS Console homepage.
Click Create User at the top right corner.
Assign necessary permissions
Attach the AWSKeyManagementServicePowerUser policy directly to the user. This ensures the user can query Kms.
Create Access Key
Once the user is created, click the username, navigate to the Security credentials section, and click the Create access key.
Use "Command Line Interface" as the use case for the access key.
Provide a description tag for the key and click Create access key.
Store Access Credentials Securely
Store the Access Key and Secret Access Key securely, as they will allow access to your Kms account.
IAM Role-Based Authentication
For IAM Role-based authentication, follow these steps to set up an IAM role and grant the necessary permissions for Kms:
Login to AWS Management Console
Go to AWS Console.
Create an IAM Role
Navigate to the IAM dashboard by searching IAM in the search bar.
Select Roles from the left-hand menu, and click on Create role.
Trusted Entity
Under the Trusted entity type, choose AWS account.
Select Another AWS account and input the UnifyApps AWS account ID (contact UnifyApps support to obtain this).
Check the Require external ID box and enter the External ID provided by UnifyApps.
Assign Permissions to the Role
Attach the AWSKeyManagementServicePowerUser policy to the role.
Configure the Role
Provide a role name and description, and then click Create role.
Create an IAM permissions policy
Go to the AWS Console and open the IAM console- https://console.aws.amazon.com/iam
Navigate to Access Management and select Policies.
Choose Create Policy.
Locate and choose the AWS service that UnifyApps will access.
Select the required permissions under the Actions field.
Define the resources that the role will have access to.
Continue clicking Next until you reach the Review policy page.
Provide a Name for the policy.
Click Create policy once done.
Retrieve IAM Role ARN
To retrieve the IAM Role ARN for connecting Athena:
Go to the AWS Console
Open the IAM console: IAM Console.
Locate Role
Navigate to Roles and search for the IAM role you created for Athena.
Copy the ARN
Select the role and copy the Role ARN. This ARN will be used to configure the connection in UnifyApps.
Actions
Actions | Description |
| Creates an alias to identify key in Amazon KMS |
| Creates a key in Amazon KMS |
| Decrypts ciphertext back into plaintext using a specified key in Amazon KMS |
| Deletes a specific alias from Amazon KMS |
| Retrieves metadata about a specified key in Amazon KMS |
| Encrypts plaintext into ciphertext using a specified key in Amazon KMS |
| Lists all aliases in the caller's AWS account and region associated with Amazon KMS |
| Lists all customer master keys (CMKs) in the caller's AWS account and region in Amazon KMS |
| Schedules the deletion of a specified customer master key (CMK) in Amazon KMS |