AWS Permissions
This section provides the complete list of permissions required by a CipherTrust Manager user to perform operations on AWS resources using CCKM.
Create Operations (post)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Create Custom Key Store | PermissionCCKMReadKMS PermissionCCKMAddAWSCKS PermissionCCKMReadAWSCKS PermissionCCKMUpdateAWSCKS PermissionCCKMDeleteAWSCKS PermissionCCKMReadKey | VIEWKEYSTORE ADDKEYSTORE DELETEKEYSTORE VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Create AWS Key in Custom Key Store | PermissionCCKMCreateKey PermissionCCKMReadAWSCKS PermissionCCKMReadKMS PermissionCCKMReadKey | VIEWKEYSTORE CREATECLOUDHSMKEY VIEWCLOUDHSMKEY |
| Block Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMBlockAWSCKS PermissionCCKMReadKMS | VIEWKEYSTORE BLOCKKEYSTORE |
| Unblock Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMUnBlockAWSCKS PermissionCCKMReadKMS | VIEWKEYSTORE UNBLOCKKEYSTORE |
| Connect Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMConnectAWSCKS PermissionCCKMReadKMS PermissionCCKMUpdateAWSCKS | VIEWKEYSTORE CONNECTKEYSTORE EDITKEYSTORE |
| Disconnect Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMDisconnectAWSCKS PermissionCCKMReadKMS PermissionCCKMUpdateAWSCKS | VIEWKEYSTORE DISCONNECTKEYSTORE |
| Link Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMLinkAWSCKS PermissionCCKMReadKMS PermissionCCKMUpdateAWSCKS | VIEWKEYSTORE LINKKEYSTORE |
| Create sync job for Custom Key Store | PermissionCCKMSyncStatus PermissionCCKMSync PermissionCCKMReadKey PermissionCCKMReadKMS PermissionCCKMReadAWSCKS | KEYSYNC VIEWKEYSTORE VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Cancel Custom Key Stores sync job | PermissionCCKMSyncStatus | KEYSYNC |
| Rotate credential of a Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMReadKMS PermissionCCKMUpdateAWSCKS PermissionCCKMDeleteAWSCKS | VIEWKEYSTORE EDITKEYSTORE DELETEKEYSTORE |
| Get unused cloud HSM clusters | PermissionCCKMReadKMS | VIEWKEYSTORE |
| Create HYOK Key | PermissionCCKMCreateKey PermissionCCKMReadAWSCKS PermissionCCKMReadKMS PermissionCCKMReadVirtualKeys PermissionCCKMReadKey PermissionCCKMDeleteKey PermissionCCKMAuthConfigRead PermissionCCKMAuthConfigCreate PermissionCCKMDeleteUnlinkedHYOKKey PermissionCCKMDeleteCloudHSMHYOKKey | VIEWKEYSTORE CREATEHYOKKEY VIEWHYOKKEY / VIEWCLOUDHSMKEY HYOKKEYDELETE / DELETECLOUDHSMKEY |
| Block a Key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY BLOCKUNBLOCKHYOKKEY |
| Unblock a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY BLOCKUNBLOCKHYOKKEY |
| Link a key | PermissionCCKMReadKey PermissionCCKMLinkHYOKKey PermissionCCKMReadAWSCKS PermissionCCKMReadKMS PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY LINKHYOKKEY VIEWKEYSTORE KEYUPDATE |
| Get IAM Users | PermissionCCKMReadKey | VIEWNATIVE / VIEWBYOK / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Get IAM Roles | PermissionCCKMReadKey | VIEWNATIVE / VIEWBYOK / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Create a key | PermissionCCKMCreateKey PermissionCCKMReadKey | • To create BYOK Key: VIEWBYOK and KEYUPLOAD • To create Native Key: VIEWNATIVE and KEYCREATE |
| Create sync job | PermissionCCKMSyncStatus PermissionCCKMSync PermissionCCKMReadKey PermissionCCKMReadKMS PermissionCCKMReadAWSCKS | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYSYNC |
| Cancel a sync job | PermissionCCKMSyncStatus | KEYSYNC |
| Enable key rotation job | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Disable key rotation job | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Import key material | PermissionCCKMReadKey PermissionCCKMImportKeyMaterial. If importing CipherTrust Manager key material, the user must also be a member of the Key Users or Key Admins group. | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYIMPORTMATERIAL |
| Delete key material | PermissionCCKMReadKey PermissionCCKMDeleteKeyMaterial | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYDELETEMATERIAL |
| Rotate a key | PermissionCCKMReadKey PermissionCCKMReadVirtualKeys PermissionCCKMUpdateVirtualKey PermissionCCKMUpdateKey PermissionCCKMCreateKey PermissionCCKMReadAWSCKS PermissionCCKMReadKMS PermissionCCKMRotateKey. If rotating with a CipherTrust Manager key, the user must also be a member of the Key Users or Key Admins group. | KEYROTATE • For native key rotation: VIEWNATIVE and KEYCREATE • For BYOK key rotation: VIEWBYOK, KEYUPLOAD, and KEYIMPORTMATERIAL • For HYOK key rotation: VIEWHYOKKEY • For Cloud HSM key rotation: VIEWCLOUDHSMKEY and CREATECLOUDHSMKEY |
| Schedule deletion of a key | PermissionCCKMReadKey PermissionCCKMDeleteKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYDELETE / HYOKKEYDELETE / DELETECLOUDHSMKEY |
| Create policy in a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Update description of a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Enable a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Disable a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Add tags in a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Remove tags from a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Add alias in a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Delete alias from a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Cancel deletion of a key | PermissionCCKMReadKey PermissionCCKMDeleteKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYCANCELDELETE |
| Enable auto rotation of a key | PermissionCCKMReadKey PermissionCCKMKeyRotation | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Disable auto rotation of a key | PermissionCCKMReadKey PermissionCCKMKeyRotation | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Upload a key | PermissionCCKMUploadKey PermissionCCKMReadKey PermissionCCKMCreateKey. If uploading a CipherTrust Manager key, the user must also be a member of the Key Users or Key Admins group. | VIEWBYOK KEYUPLOAD KEYIMPORTMATERIAL |
| Verify alias | PermissionCCKMReadKey | |
| Create policy template | PermissionCCKMCreateKey | KEYCREATE / KEYUPLOAD / CREATEHYOKKEY / CREATECLOUDHSMKEY |
| Replicate a key | PermissionCCKMReadKey PermissionCCKMCreateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYCREATE |
| Update primary region of a key | PermissionCCKMReadKey PermissionCCKMUpdateKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE |
| Add KMS account | PermissionCCKMAddKMS | |
| Update ACLs in a KMS account | PermissionCCKMReadKMS PermissionCCKMApplyACLs | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Get AWS accounts | PermissionCCKMGetAwsAccount | |
| Create a report | PermissionCCKMReadKMS PermissionCCKMReport PermissionCCKMReportStatus | GETREPORTS |
| Get Log Groups | PermissionCCKMGetAwsAccount | |
| Create a virtual key | PermissionCCKMReadKey PermissionCCKMAddVirtualKey | |
Read Operations (get)
| Operation | Required Permissions | ACLs |
|---|---|---|
| List Custom Key Stores | PermissionCCKMReadAWSCKS | VIEWKEYSTORE |
| Read Custom Key Store | PermissionCCKMReadKMS PermissionCCKMReadAWSCKS | VIEWKEYSTORE |
| List Custom Key Stores sync jobs | PermissionCCKMSyncStatus | |
| Read Custom Key Stores sync job | PermissionCCKMSyncStatus | |
| List credentials of a Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMReadKMS | VIEWKEYSTORE |
| Read credential of a Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMReadKMS | VIEWKEYSTORE |
| List key versions | PermissionCCKMReadKey PermissionCCKMReadAWSHyokKeyVersions. For a CipherTrust Manager key, the user must also be a member of the Key Users or Key Admins group. | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| List keys | PermissionCCKMReadKey | Any one, or any combination, of VIEWNATIVE, VIEWBYOK, VIEWHYOKKEY, VIEWCLOUDHSMKEY |
| Read a key | PermissionCCKMReadKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Download public key | PermissionCCKMReadKey | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| List sync job | PermissionCCKMSyncStatus | |
| Read a sync job | PermissionCCKMSyncStatus | |
| List policy templates | PermissionCCKMReadKey | VIEWNATIVE / VIEWBYOK / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Read a policy template | PermissionCCKMReadKey | VIEWNATIVE / VIEWBYOK / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| List KMS accounts | PermissionCCKMReadKMS | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Read a KMS account | PermissionCCKMReadKMS | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| List all reports | PermissionCCKMReportStatus | |
| Read a report | PermissionCCKMReportStatus | |
| View contents of a report | PermissionCCKMReportStatus | |
| Download a report | PermissionCCKMReportStatus | |
| List virtual keys | PermissionCCKMReadVirtualKeys | |
| Read a virtual key | PermissionCCKMReadVirtualKeys | |
| List versions of a virtual key | | |
Update Operations (patch)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Update Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMUpdateAWSCKS PermissionCCKMReadKMS | VIEWKEYSTORE EDITKEYSTORE |
| Update a policy template | PermissionCCKMUpdateKey PermissionCCKMSyncStatus PermissionCCKMSync PermissionCCKMReadKey PermissionCCKMReadKMS PermissionCCKMReadAWSCKS | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYUPDATE KEYSYNC VIEWKEYSTORE |
| Update KMS account | PermissionCCKMReadKMS PermissionCCKMUpdateKMS | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Update a virtual key | PermissionCCKMReadVirtualKeys PermissionCCKMUpdateVirtualKey | |
Delete Operations (delete)
| Operation | Required Permissions | ACLs |
|---|---|---|
| Delete Custom Key Store | PermissionCCKMReadAWSCKS PermissionCCKMReadKMS PermissionCCKMDeleteAWSCKS PermissionCCKMReadKey | VIEWKEYSTORE DELETEKEYSTORE VIEWHYOKKEY / VIEWCLOUDHSMKEY |
| Delete credential of a Custom Key Store | PermissionCCKMDeleteAWSCKS PermissionCCKMReadAWSCKS PermissionCCKMReadKMS | VIEWKEYSTORE DELETEKEYSTORE |
| Delete a key | PermissionCCKMDeleteKey PermissionCCKMReadKey PermissionCCKMDeleteUnlinkedHYOKKey PermissionCCKMDeleteCloudHSMHYOKKey PermissionCCKMAuthConfigRead PermissionCCKMAuthConfigCreate | • For Native key: VIEWNATIVE • For BYOK key: VIEWBYOK • For HYOK CCKM key: VIEWHYOKKEY / HYOKKEYDELETE • For HYOK Cloud HSM key: VIEWCLOUDHSMKEY / DELETECLOUDHSMKEY |
| Delete a policy template | PermissionCCKMReadKey PermissionCCKMDeleteKey | VIEWNATIVE / VIEWBYOK / VIEWHYOKKEY / VIEWCLOUDHSMKEY KEYDELETE HYOKKEYDELETE DELETECLOUDHSMKEY |
| Delete a KMS account | PermissionCCKMReadKMS PermissionCCKMReadAWSCKS PermissionCCKMDeleteKMS | VIEWBYOK / VIEWNATIVE / VIEWHYOKKEY / VIEWCLOUDHSMKEY VIEWKEYSTORE |
| Delete a report | PermissionCCKMReportStatus PermissionCCKMDeleteReports | |
| Delete a virtual key | PermissionCCKMReadVirtualKeys PermissionCCKMDeleteVirtualKey | |