Starting today, you can use your own AWS Key Management Service (AWS KMS) keys to encrypt identity data, such as user and group attributes, stored in AWS IAM Identity Center organization instances.
Many organizations operating in regulated industries need full control over encryption key management. While Identity Center already encrypts data at rest using AWS owned keys, some customers require the ability to manage their own encryption keys for audit and compliance purposes.
With this launch, you can now use customer managed KMS keys (CMKs) to encrypt Identity Center identity data at rest. CMKs give you full control over the key lifecycle, including creation, rotation, and deletion. You can configure granular access controls on the key with AWS KMS key policies and IAM policies, helping to ensure that only authorized principals can access your encrypted data. At launch, the CMK must reside in the same AWS account and Region as your IAM Identity Center instance. The integration between Identity Center and KMS produces detailed AWS CloudTrail records for every use of the key, which you can audit and use to support regulatory compliance requirements.
Identity Center supports both single-Region and multi-Region keys to match your deployment needs. While Identity Center instances can currently only be deployed in a single Region, we recommend using multi-Region AWS KMS keys unless your company policies restrict you to single-Region keys. Multi-Region keys share the same key material across Regions while keeping independent key infrastructure in each Region. This gives you more flexibility in your encryption strategy and helps future-proof your deployment.
Let's get started
Let's imagine I want to use a CMK to encrypt the identity data of my Identity Center organization instance. My organization uses Identity Center to give employees access to AWS managed applications, such as Amazon Q Business or Amazon Athena.
As of today, some AWS managed applications can't be used with an Identity Center instance configured with a customer managed KMS key. See AWS managed applications that you can use with Identity Center to stay up to date with the evolving list of compatible applications.
The high-level process is to first create a symmetric customer managed key (CMK) in AWS KMS. The key must be configured for encrypt and decrypt operations. Next, I configure the key policy to grant access to Identity Center, AWS managed applications, administrators, and any other principals that need to call the Identity Center and Identity Store APIs. Depending on how you use Identity Center, you will have to define different key policy statements and different IAM policies for your IAM principals. The service documentation has more details to help you cover the most common use cases.
This demo is in three parts. First, I create a customer managed key in AWS KMS and configure it with permissions that authorize Identity Center and AWS managed applications to use it. Second, I update the IAM policies for the principals that will use the key from another AWS account, such as AWS application administrators. Finally, I configure Identity Center to use the key.
Part 1: Create the key and define permissions
First, let's create a new CMK in AWS KMS.
The key must be in the same AWS Region and AWS account as the Identity Center instance. You must create the Identity Center instance and the key in the management account of your organization in AWS Organizations.
I navigate to the AWS Key Management Service (AWS KMS) console in the same Region as my Identity Center instance, then I choose Create a key. This launches the key creation wizard.
Under Step 1 – Configure key, I select the key type: either Symmetric (a single key used for both encryption and decryption) or Asymmetric (a public-private key pair used for encryption/decryption or for signing/verification). Identity Center requires a symmetric key for encryption at rest. I select Symmetric.
For Key usage, I select Encrypt and decrypt, which allows the key to be used only for encrypting and decrypting data.
Under Advanced options, I select KMS – recommended for Key material origin, so AWS KMS creates and manages the key material.
For Regionality, I choose between Single-Region key and Multi-Region key. I select Multi-Region key to allow key administrators to replicate the key to other Regions. As explained already, Identity Center doesn't require this today, but it helps future-proof your configuration. Remember that you cannot convert a single-Region key to a multi-Region key after its creation (but you can change the key used by Identity Center at any time).
Then I choose Next to proceed with the remaining configuration steps: adding labels, defining administrative permissions, setting usage permissions, and reviewing the final configuration before creating the key.
Under Step 2 – Add labels, I enter an Alias name for my key and choose Next.
In this demo, I edit the key policy directly by adding the policy statements from the templates provided in the documentation. I skip Step 3 and Step 4 and navigate to Step 5 – Edit key policy.
Identity Center requires, at a minimum, permissions allowing Identity Center and its administrators to use the key. Therefore, I add the four policy statements below: the first two authorize the Identity Center administrator role, and the last two authorize the Identity Center and Identity Store service principals themselves. Keep the default statement the console generates, which grants the account root kms:* on the key; without it, IAM policies in the account cannot control access to the key and the key can become unmanageable. In the third statement, replace the empty aws:SourceAccount value with the ID of the account that owns the Identity Center instance: this condition is what stops another account's Identity Center from using your key through the service principal.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Allow_IAMIdentityCenter_Admin_to_use_the_KMS_key_via_IdentityCenter_and_IdentityStore",
      "Effect": "Allow",
      "Principal": { "AWS": "ARN_OF_YOUR_IDENTITY_CENTER_ADMIN_IAM_ROLE" },
      "Action": [ "kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext" ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [ "sso.*.amazonaws.com", "identitystore.*.amazonaws.com" ]
        }
      }
    },
    {
      "Sid": "Allow_IdentityCenter_admin_to_describe_the_KMS_key",
      "Effect": "Allow",
      "Principal": { "AWS": "ARN_OF_YOUR_IDENTITY_CENTER_ADMIN_IAM_ROLE" },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "Allow_IdentityCenter_and_IdentityStore_to_use_the_KMS_key",
      "Effect": "Allow",
      "Principal": { "Service": [ "sso.amazonaws.com", "identitystore.amazonaws.com" ] },
      "Action": [ "kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "aws:SourceAccount": "" }
      }
    },
    {
      "Sid": "Allow_IdentityCenter_and_IdentityStore_to_describe_the_KMS_key",
      "Effect": "Allow",
      "Principal": { "Service": [ "sso.amazonaws.com", "identitystore.amazonaws.com" ] },
      "Action": [ "kms:DescribeKey" ],
      "Resource": "*"
    }
  ]
}
I also have to add policy statements for my own use case: AWS managed applications. I add the following two statements to authorize AWS managed applications and their administrators to use the KMS key. Both use "Principal": "*", so the conditions are what keep them safe: the first admits only principals inside my organization (aws:PrincipalOrgID), the second only AWS service principals acting for resources in my organization (aws:PrincipalIsAWSService plus aws:SourceOrgID), and both restrict the call to the Identity Center and Identity Store APIs through kms:ViaService. The documentation lists additional use cases and their respective policies.
{
  "Sid": "Allow_AWS_app_admins_in_the_same_AWS_organization_to_use_the_KMS_key",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [ "kms:Decrypt" ],
  "Resource": "*",
  "Condition": {
    "StringEquals": { "aws:PrincipalOrgID": "MY_ORG_ID (format: o-xxxxxxxx)" },
    "StringLike": {
      "kms:ViaService": [ "sso.*.amazonaws.com", "identitystore.*.amazonaws.com" ]
    }
  }
},
{
  "Sid": "Allow_managed_apps_to_use_the_KMS_Key",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [ "kms:Decrypt" ],
  "Resource": "*",
  "Condition": {
    "Bool": { "aws:PrincipalIsAWSService": "true" },
    "StringLike": {
      "kms:ViaService": [ "sso.*.amazonaws.com", "identitystore.*.amazonaws.com" ]
    },
    "StringEquals": { "aws:SourceOrgID": "MY_ORG_ID (format: o-xxxxxxxx)" }
  }
}
You can further restrict key usage to a specific Identity Center instance, specific application instances, or specific application administrators. The documentation contains examples of advanced key policies for these use cases.
To help protect against IAM role name changes when permission sets are recreated, use the approach described in the Custom trust policy example.
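The whole of Part 1 as a script, an added example that is not code from this post: it assembles the key policy from the statements above (plus the standard account-root statement that the console's default policy carries and the listing above does not show) and creates the key with the same attributes chosen in the wizard. The account ID, administrator role ARN, organization ID and alias are placeholders you supply; boto3 is imported only inside the function that calls AWS, so the policy builder runs offline.

```python
"""Create the customer managed key for IAM Identity Center with its key policy.

Added example, not code from the AWS post: it assembles the Part 1 statements
from caller-supplied identifiers and creates the key with the attributes chosen
in the console wizard. boto3 is imported only in the function that calls AWS.
"""
import json

IDC_SERVICES = ["sso.amazonaws.com", "identitystore.amazonaws.com"]
IDC_VIA_SERVICE = ["sso.*.amazonaws.com", "identitystore.*.amazonaws.com"]


def _allow(sid, principal, actions, condition=None):
    """One Allow statement on Resource "*" (in a key policy "*" means this key)."""
    stmt = {"Sid": sid, "Effect": "Allow", "Principal": principal,
            "Action": actions, "Resource": "*"}
    if condition:
        stmt["Condition"] = condition
    return stmt


def build_key_policy(account_id, admin_role_arn, org_id=None, partition="aws"):
    """Key policy for the Identity Center CMK; org_id adds the AWS managed application statements."""
    via_identity_center = {"StringLike": {"kms:ViaService": IDC_VIA_SERVICE}}
    statements = [
        # Default KMS statement: lets IAM policies in this account manage the key. Without it the
        # key can become unmanageable, and CreateKey may refuse the policy (lockout safety check).
        _allow("Enable_IAM_policies_in_the_key_account",
               {"AWS": f"arn:{partition}:iam::{account_id}:root"}, "kms:*"),
        # Identity Center administrators, only when acting through the Identity Center / Identity Store APIs
        _allow("Allow_IAMIdentityCenter_Admin_to_use_the_KMS_key_via_IdentityCenter_and_IdentityStore",
               {"AWS": admin_role_arn},
               ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKeyWithoutPlaintext"],
               via_identity_center),
        _allow("Allow_IdentityCenter_admin_to_describe_the_KMS_key",
               {"AWS": admin_role_arn}, "kms:DescribeKey"),
        # The two service principals, pinned to the account that owns the instance so that
        # another account's Identity Center cannot reach this key through the service
        _allow("Allow_IdentityCenter_and_IdentityStore_to_use_the_KMS_key",
               {"Service": IDC_SERVICES},
               ["kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom",
                "kms:GenerateDataKeyWithoutPlaintext"],
               {"StringEquals": {"aws:SourceAccount": account_id}}),
        _allow("Allow_IdentityCenter_and_IdentityStore_to_describe_the_KMS_key",
               {"Service": IDC_SERVICES}, ["kms:DescribeKey"]),
    ]
    if org_id:
        statements += [
            # Application administrators anywhere in the organization, API-restricted
            _allow("Allow_AWS_app_admins_in_the_same_AWS_organization_to_use_the_KMS_key",
                   "*", ["kms:Decrypt"],
                   {"StringEquals": {"aws:PrincipalOrgID": org_id},
                    "StringLike": {"kms:ViaService": IDC_VIA_SERVICE}}),
            # AWS service principals acting for resources that belong to the organization
            _allow("Allow_managed_apps_to_use_the_KMS_Key", "*", ["kms:Decrypt"],
                   {"Bool": {"aws:PrincipalIsAWSService": "true"},
                    "StringLike": {"kms:ViaService": IDC_VIA_SERVICE},
                    "StringEquals": {"aws:SourceOrgID": org_id}}),
        ]
    return {"Version": "2012-10-17", "Id": "identity-center-cmk", "Statement": statements}


def create_identity_center_key(policy, region, alias):
    """Create the key as chosen in the wizard and return its ARN (needs AWS credentials)."""
    import boto3  # local import keeps build_key_policy usable offline
    kms = boto3.client("kms", region_name=region)
    metadata = kms.create_key(
        Policy=json.dumps(policy),
        Description="IAM Identity Center identity data at rest",
        KeyUsage="ENCRYPT_DECRYPT",    # Step 1: Encrypt and decrypt
        KeySpec="SYMMETRIC_DEFAULT",   # Step 1: Symmetric
        Origin="AWS_KMS",              # Advanced options: KMS creates the key material
        MultiRegion=True,              # Regionality: Multi-Region key
    )["KeyMetadata"]
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=metadata["KeyId"])
    return metadata["Arn"]


if __name__ == "__main__":
    # Placeholder identifiers; replace with your management account, admin role and org ID.
    policy = build_key_policy("111122223333",
                              "arn:aws:iam::111122223333:role/IdentityCenterAdmin",
                              org_id="o-a1b2c3d4e5")
    print(json.dumps(policy, indent=2))
```

The partition parameter matters for the GovCloud (US) and China Regions mentioned at the end of the post, where the root principal ARN starts with arn:aws-us-gov or arn:aws-cn rather than arn:aws.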
Part 2: Update IAM policies to allow use of the KMS key from another AWS account
Any IAM principal that uses the Identity Center service APIs from another AWS account, such as Identity Center delegated administrators and AWS application administrators, needs an IAM policy statement that allows use of the KMS key through these APIs. Cross-account use of a KMS key requires both sides to allow it: the organization-scoped statement in the key policy from Part 1 and an identity-based policy on the principal in its own account.
I grant permissions to access the key by creating a new policy and attaching it to the IAM role relevant for my use case. You can also add these statements to the existing identity-based policies of the IAM role.
To do so, after the key is created, I locate its ARN and replace key_ARN in the template below. Then I attach the policy to the managed application administrator IAM principal. The documentation also covers IAM policies that grant Identity Center delegated administrators permissions to access the key.
Here is an example for managed application administrators:
{
  "Sid": "Allow_app_admins_to_use_the_KMS_key_via_IdentityCenter_and_IdentityStore",
  "Effect": "Allow",
  "Action": "kms:Decrypt",
  "Resource": "key_ARN",
  "Condition": {
    "StringLike": {
      "kms:ViaService": [ "sso.*.amazonaws.com", "identitystore.*.amazonaws.com" ]
    }
  }
}
The documentation provides IAM policy templates for the most common use cases.
Part 3: Configure IAM Identity Center to use the key
I can configure a CMK either when enabling an Identity Center organization instance or on an existing instance, and I can change the encryption configuration at any time by switching between CMKs or reverting to AWS owned keys.
Note that an incorrect configuration of KMS key permissions can disrupt Identity Center operations and access to AWS managed applications and accounts through Identity Center. Proceed carefully with this final step and make sure you have read and understood the documentation.
Once I've created and configured my CMK, I can select it under Advanced configuration when enabling Identity Center.
To configure a CMK on an existing Identity Center instance using the AWS Management Console, I navigate to the Identity Center section of the console. From there, I choose Settings in the navigation pane, then the Management tab, and choose Manage encryption in the Key for encrypting IAM Identity Center data at rest section.
At any time, I can select another CMK from the same AWS account, or switch back to an AWS owned key.
After choosing Save, the key change takes a few seconds to complete. All service functionality continues uninterrupted during the transition. If, for whatever reason, Identity Center cannot access the new key, an error message is returned and Identity Center continues to use the current key, so your identity data stays encrypted with the mechanism it is already encrypted with.
Things to keep in mind
The encryption key you create becomes a critical component of your Identity Center. When you choose to use your own managed key to encrypt identity attributes at rest, you should verify the following points.
- Have you configured the required permissions to use the KMS key? Without proper permissions, enabling the CMK may fail or disrupt IAM Identity Center administration and AWS managed applications.
- Have you verified that your AWS managed applications are compatible with CMKs? For a list of compatible applications, see AWS managed applications that you can use with IAM Identity Center. Enabling a CMK for an Identity Center instance used by AWS managed applications that are incompatible with CMKs will result in operational disruption for those applications. If you have incompatible applications, don't proceed.
- Is your organization using AWS managed applications that require additional IAM role configuration to use the Identity Center and Identity Store APIs? For each such AWS managed application that is already deployed, check the application's User Guide for updated KMS key permissions for IAM Identity Center usage and update them as instructed to prevent application disruption.
- For brevity, the KMS key policy statements in this post omit the encryption context, which lets you restrict the use of the KMS key to one specific Identity Center instance rather than any instance the policy otherwise admits. In your production scenarios, you can add a condition like this for Identity Center:
"Condition": {
  "StringLike": {
    "kms:EncryptionContext:aws:sso:instance-arn": "${identity_center_arn}",
    "kms:ViaService": "sso.*.amazonaws.com"
  }
}
or this for Identity Store:
"Condition": {
  "StringLike": {
    "kms:EncryptionContext:aws:identitystore:identitystore-arn": "${identity_store_arn}",
    "kms:ViaService": "identitystore.*.amazonaws.com"
  }
}
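A pre-flight check to run before choosing Save in Part 3, as an added example that is not code from this post. It checks the DescribeKey metadata against the requirements from Part 1 (symmetric, encrypt/decrypt, enabled, same account and Region as the instance), verifies that the key policy grants both service principals the actions from Part 1 with aws:SourceAccount actually bound to the instance's account, and reports as an advisory a service statement that lacks the kms:EncryptionContext condition discussed in the last point above. The sample metadata and policy are constructed inline and are not real AWS output; the policy deliberately carries the blank aws:SourceAccount placeholder from the Part 1 template so the check has something to catch. fetch_inputs uses boto3 and is only called when you point the script at a real key.

```python
"""Pre-flight checks before switching IAM Identity Center to a customer managed key.

Added example, not code from the AWS post. preflight() takes a DescribeKey
KeyMetadata dict and a key policy dict, so it runs offline on the constructed
samples below; fetch_inputs() pulls the real ones with boto3.
"""
import json

SERVICE_PRINCIPALS = {"sso.amazonaws.com", "identitystore.amazonaws.com"}
SERVICE_ACTIONS = {"kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom",
                   "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey"}
ENCRYPTION_CONTEXT_KEYS = {"kms:encryptioncontext:aws:sso:instance-arn",
                           "kms:encryptioncontext:aws:identitystore:identitystore-arn"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_items(stmt):
    """Yield (lower-cased key, set of values) for every condition key across all operators."""
    for operator in stmt.get("Condition", {}).values():
        for key, value in operator.items():
            yield key.lower(), set(_as_list(value))


def preflight(key_metadata, key_policy, instance_account, instance_region):
    """Return 'ERROR: ...' / 'WARN: ...' findings; no ERROR means the switch should succeed."""
    findings = []
    # 1. Attributes Identity Center requires: symmetric, encrypt/decrypt, usable
    if key_metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        findings.append(f"ERROR: KeySpec {key_metadata.get('KeySpec')} is not SYMMETRIC_DEFAULT")
    if key_metadata.get("KeyUsage") != "ENCRYPT_DECRYPT":
        findings.append("ERROR: KeyUsage is not ENCRYPT_DECRYPT")
    if key_metadata.get("KeyState") != "Enabled":
        findings.append(f"ERROR: KeyState is {key_metadata.get('KeyState')}")
    # 2. Same account and Region as the instance (key ARN: arn:partition:kms:region:account:key/id)
    key_region, key_account = key_metadata["Arn"].split(":")[3:5]
    if key_account != instance_account:
        findings.append(f"ERROR: key is in account {key_account}, instance in {instance_account}")
    if key_region != instance_region:
        findings.append(f"ERROR: key is in {key_region}, instance in {instance_region}")
    # 3. What the policy grants sso.amazonaws.com and identitystore.amazonaws.com
    granted = {svc: set() for svc in SERVICE_PRINCIPALS}
    pinned = scoped = False
    for stmt in key_policy.get("Statement", []):
        principal = stmt.get("Principal")
        services = set(_as_list(principal.get("Service", []))) if isinstance(principal, dict) else set()
        services &= SERVICE_PRINCIPALS
        if stmt.get("Effect") != "Allow" or not services:
            continue
        for svc in services:
            granted[svc] |= set(_as_list(stmt.get("Action", [])))
        for key, values in _condition_items(stmt):
            if key == "aws:sourceaccount" and instance_account in values:
                pinned = True  # confused-deputy protection really bound to our account
            if key in ENCRYPTION_CONTEXT_KEYS:
                scoped = True
    for svc in sorted(granted):
        missing = SERVICE_ACTIONS - granted[svc]
        if missing and "kms:*" not in granted[svc]:
            findings.append(f"ERROR: {svc} is missing {sorted(missing)}")
    if not pinned:
        findings.append(f"ERROR: no service statement pins aws:SourceAccount to {instance_account} "
                        "(placeholder left blank, or condition absent)")
    if not scoped:
        findings.append("WARN: no kms:EncryptionContext condition; any Identity Center instance "
                        "the policy admits can use this key")
    return findings


def is_ready(findings):
    return not any(f.startswith("ERROR") for f in findings)


def fetch_inputs(key_id, region):
    """Real inputs for preflight(); needs credentials allowed kms:DescribeKey and kms:GetKeyPolicy."""
    import boto3  # local import keeps the checks usable offline
    kms = boto3.client("kms", region_name=region)
    metadata = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    policy = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
    return metadata, policy


# Constructed samples, not real AWS output: a correct key, and the Part 1 service
# statements pasted with the aws:SourceAccount placeholder still blank.
SAMPLE_METADATA = {
    "KeyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
    "Arn": "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
    "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled",
}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable_IAM_policies", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}},
    {"Sid": "Allow_IdentityCenter_and_IdentityStore_to_use_the_KMS_key", "Effect": "Allow",
     "Principal": {"Service": ["sso.amazonaws.com", "identitystore.amazonaws.com"]},
     "Action": ["kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom",
                "kms:GenerateDataKeyWithoutPlaintext"],
     "Resource": "*", "Condition": {"StringEquals": {"aws:SourceAccount": ""}}},
    {"Sid": "Allow_IdentityCenter_and_IdentityStore_to_describe_the_KMS_key", "Effect": "Allow",
     "Principal": {"Service": ["sso.amazonaws.com", "identitystore.amazonaws.com"]},
     "Action": ["kms:DescribeKey"], "Resource": "*"},
]}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_METADATA, SAMPLE_POLICY, "111122223333", "us-east-1"):
        print(finding)
```

Run it against a real key with `preflight(*fetch_inputs(key_id, region), account_id, region)` from an identity that has kms:DescribeKey and kms:GetKeyPolicy; an ERROR finding is the case the post warns about, where Identity Center would reject the key and stay on its current one.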
Pricing and availability
Standard AWS KMS charges apply for key storage and API usage. Identity Center remains available at no additional cost.
This capability is available today in all AWS commercial Regions, AWS GovCloud (US), and the AWS China Regions. To learn more, visit the IAM Identity Center User Guide.
We look forward to learning how you use this new capability to meet your security and compliance requirements.