Perform the following steps to create a customer-managed key in AWS KMS:
The KMS key you create has no key material because the KMES is ultimately the source of the key material.
Log in to the AWS Management Console.
Go to the Key Management Service.
Select Customer managed keys in the left-side menu, then select the orange Create Key button in the upper-right corner of the page.
Configure the key by selecting the following choices:

| Option | Required configuration |
|---|---|
| Key Type | Symmetric. |
| Key material origin | External. |
| Regionality | Single-Region key. |

The KMS origin option also works, but KMS would then generate the key material itself, so the KMES would not hold the key material for this initial key. The External option creates a placeholder key without key material, enabling the KMES to provide the key material in later steps.
Select [ Next ] to continue.
Add the following labels:

| Option | Required configuration |
|---|---|
| Alias | Choose a nickname. |
| Description | Optional. |
| Tags | Optional. |
Select [ Next ] to continue.
Define the following key administrative permissions:

| Option | Required configuration |
|---|---|
| Key administrators | Select your user account. |
| Key deletion | Select the Allow key administrators to delete this key checkbox. |
Select [ Next ] to continue.
Define the following key usage permissions:

| Option | Required configuration |
|---|---|
| This account | Select your user account. |
| Other AWS accounts | Optional. |
Select [ Next ] to continue.
Review your configuration. Ensure the top three fields (Key Configuration, Alias and description, and Tags) are correct.
Copy and paste the contents of Key Policy into a file and save it with a .json extension. Copy or move this file to the storage medium configured on your KMES Series 3 device.
When prompted to download a wrapping key and import token, select [ Cancel ] to skip that step.
On the main Key Management Service (KMS) page, make a copy of the generated key ID (formatted as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx). The AWS Properties tab requires this ID (and the policy) when creating an HSM Protected Key Group on the KMES in the next section.
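The same procedure expressed as boto3 calls, as an added example that is not code from the Futurex KMES or AWS documentation. It creates the placeholder key with the three console settings above (symmetric, external origin, single-Region), attaches the alias, saves the key policy as JSON, and then checks what the KMES will need: a UUID-form key ID, `Origin` of `EXTERNAL`, `KeyState` of `PendingImport`, and a policy that actually grants the key administrators `kms:ScheduleKeyDeletion`. The function names, the alias `kmes-byok`, and `StubKmsClient` with its constructed responses (placeholder account ID) are this example's own; boto3 is imported only when the script is run against a real account.

```python
import json
import re

# KMS key IDs are UUIDs: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def create_external_key(kms, alias, description="Key material supplied by KMES"):
    """Create the placeholder key: symmetric, single-Region, no key material."""
    resp = kms.create_key(
        Description=description,
        KeyUsage="ENCRYPT_DECRYPT",
        KeySpec="SYMMETRIC_DEFAULT",  # console: Key Type = Symmetric
        Origin="EXTERNAL",            # console: Key material origin = External
        MultiRegion=False,            # console: Regionality = Single-Region key
    )
    key_id = resp["KeyMetadata"]["KeyId"]
    kms.create_alias(AliasName=f"alias/{alias}", TargetKeyId=key_id)
    return key_id


def fetch_key_policy(kms, key_id, path=None):
    """Return the key's default policy as a dict; optionally save it as JSON
    for transfer to the KMES storage medium."""
    policy = json.loads(kms.get_key_policy(KeyId=key_id, PolicyName="default")["Policy"])
    if path:
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(policy, fh, indent=2)
    return policy


def import_readiness_problems(metadata):
    """List what is wrong with a key's metadata for this procedure; empty means ready."""
    problems = []
    if not KEY_ID_RE.match(metadata.get("KeyId", "")):
        problems.append("KeyId is not in xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx form")
    if metadata.get("Origin") != "EXTERNAL":
        problems.append(f"Origin is {metadata.get('Origin')!r}, expected EXTERNAL")
    if metadata.get("KeySpec") != "SYMMETRIC_DEFAULT":
        problems.append(f"KeySpec is {metadata.get('KeySpec')!r}, expected SYMMETRIC_DEFAULT")
    if metadata.get("MultiRegion"):
        problems.append("key is multi-Region, expected single-Region")
    if metadata.get("KeyState") != "PendingImport":
        problems.append(f"KeyState is {metadata.get('KeyState')!r}, expected PendingImport")
    return problems


def admins_can_delete(policy):
    """True if some Allow statement explicitly lists kms:ScheduleKeyDeletion (the
    'Allow key administrators to delete this key' checkbox). Wildcards such as
    kms:* are deliberately ignored so the root statement cannot mask a missing grant."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") == "Allow" and "kms:ScheduleKeyDeletion" in actions:
            return True
    return False


class StubKmsClient:
    """Offline stand-in; responses are constructed in boto3's shape, not real AWS output."""
    KEY_ID = "01234567-89ab-cdef-0123-456789abcdef"  # constructed sample key ID

    def __init__(self):
        self.aliases = []

    def create_key(self, **kw):
        return {"KeyMetadata": {"KeyId": self.KEY_ID, "KeyState": "PendingImport",
                                "Origin": kw["Origin"], "KeySpec": kw["KeySpec"],
                                "MultiRegion": kw["MultiRegion"]}}

    def create_alias(self, **kw):
        self.aliases.append(kw["AliasName"])

    def describe_key(self, **kw):
        return self.create_key(Origin="EXTERNAL", KeySpec="SYMMETRIC_DEFAULT", MultiRegion=False)

    def get_key_policy(self, **kw):
        # Constructed policy in the shape the console generates; 111122223333 is a placeholder account.
        return {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:user/EXAMPLE-ADMIN"},
             "Action": ["kms:Create*", "kms:Describe*", "kms:ScheduleKeyDeletion",
                        "kms:CancelKeyDeletion"], "Resource": "*"}]})}


def run(kms, alias="kmes-byok", policy_path=None):
    """Whole procedure: returns (key_id, readiness problems, admins_can_delete)."""
    key_id = create_external_key(kms, alias)
    policy = fetch_key_policy(kms, key_id, policy_path)
    meta = kms.describe_key(KeyId=key_id)["KeyMetadata"]
    return key_id, import_readiness_problems(meta), admins_can_delete(policy)


if __name__ == "__main__":
    import boto3  # real run: needs credentials allowed to create keys and aliases
    print(run(boto3.client("kms"), policy_path="key-policy.json"))
```

Running it against a real account prints the key ID to paste into the KMES AWS Properties tab and writes `key-policy.json` for the storage medium; an empty problem list confirms the key is still the empty placeholder (`PendingImport`) rather than one KMS populated itself.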