The KMS key you create has no key material because the KMES is ultimately the source of the key material.
Select Customer managed keys in the left-side menu, then select the orange Create Keybutton in the upper-right corner of the page.
Configure the key by selecting the following choices:
| Option | Required configuration |
|---|---|
| Key Type | Symmetric. |
| Key material origin | External. |
The KMS option also works, but it generates a key so that the KMES does not have the key material for this initial key. The External option creates a placeholder key without key material, enabling the KMES to provide key material in later steps.
| Regionality | Single-Region key. |
|---|
Add the following labels:
| Option | Required configuration |
|---|---|
| Alias | Choose a nickname. |
| Description | Optional. |
| Tags | Optional. |
Define the following key administrative permissions:
| Option | Required configuration |
|---|---|
| Key administrators | Select your user account. |
| Key deletion | Select the Allow key administrators to delete this key checkbox. |
Define the following key usage permissions:
| Option | Required configuration |
|---|---|
| This account | Select your user account. |
| Other AWS accounts | Optional. |
Review your configuration. Ensure the top three fields (Key Configuration, Alias and description, and Tags) are correct.
Copy and paste the contents of Key Policy into a file and save it with the JSONextension. You must copy this file or move it to the storage medium configured on your KMES Series 3 device.
When prompted to download a wrapping key and import token, select** [ Cancel ]**to skip that step.