AWS Cloud Key Management integration and key operations

This section explains how to create a new HSM protected key group on the {{ch}} and how the different key operations work for pushing keys to AWS KMS.

If you have a firewall in your environment, ensure that it allows the amazonaws.com:443 endpoint to pass from the {{ch}} to the internet. If you need a more specific endpoint, refer to the following documentation: https://docs.aws.amazon.com/general/latest/gr/kms.html

## Create a new HSM protected key group

Key groups act as both a container for keys and a template for creating keys within the key group, enabling you to define various HSM protected key attributes, such as the type of key, the key rotation schedule, and the service to use, such as Amazon Web Services.

Perform the following steps to create an HSM protected key group:

1. Log in to the {{ch}} application interface by using dual administrator users.
2. Go to Administrative Services > Key Management > Key Database.
3. Right-click the key group background, select Add > Key Group, and select the following options:

   | Option | Required configuration |
   |---|---|
   | Key type | Symmetric |
   | Storage location | HSM protected |

   The AWS KMS integration does not support asymmetric keys.

4. Select [OK] to continue.
5. In the next window, set up the parameters for the key group. On the Group tab, make the following changes:

   | Option | Required configuration |
   |---|---|
   | Name | Choose a descriptive name. |
   | Service | Amazon Web Services |
   | Credential | Select [Select] and choose the credential you created from the CSV. |
   | Key type | AES |
   | Key length | AES-256 |
   | Key usage | Encrypt + Decrypt |
   | Rotate key | Leave this checkbox checked if you want the key group to rotate keys on a schedule. |
   | Rotate every | Set the desired rotation interval. |
   | Keep key valid for | Set the length of time that keys created in the key group should remain valid. |

6. Do not change the Info tab default settings.
7. On the AWS Properties tab, make the following changes:

   | Option | Required configuration |
   |---|---|
   | Alias | Choose a nickname. |
   | Description | Optional |
   | Region | Select the AWS region where you created the KMS key. |
   | Active Key ID | Enter the key ID, formatted as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. |
   | Policy | Select [Import Policy] and then select the policy that you saved as a JSON file. The policy specifies the permissions for accessing the customer master key in AWS. |
   | Disable key after rotating | Optional |

8. Select [OK] to finish creating the HSM protected key group.

## Push keys to AWS KMS

You can perform the following operations on keys that are part of an AWS HSM protected key group:

| Operation | Description |
|---|---|
| Rotate an HSM protected key group | This forces you to generate a new key on the {{ch}} and then upload it to AWS with the alias configured on the AWS Properties tab assigned to the key. On the Customer managed keys page in AWS KMS, you can see that the old key ID loses the alias when rotated, and the most recently created key receives the alias. |
| Synchronize an HSM protected key | This updates the given key ID in AWS with the selected key. For example, you can delete the key material from AWS for a key. Then, you can right-click that same key in the {{ch}}, synchronize it, and re-add the key material. You can also delete key material from AWS by checking the appropriate check box when synchronizing in the {{ch}}. |

For this integration, you should add keys to an AWS HSM protected key group only by force rotating the key group or by waiting for a key rotation to occur based on the configured rotation schedule.

### Rotate the HSM protected key group

The following process demonstrates how to force rotate the HSM protected key group to generate and push the first key to AWS KMS:

1. Make sure to set the {{ch}} as the designated device for rotating key material (under Administrative Services > Administration > Configuration Tasks > HSM Protected Key Options).
2. Go to Administrative Services > Key Management > Key Database.
3. Right-click the HSM protected key group that you created in the previous section, and select Cloud > Force Rotate. A job runs to rotate and synchronize this key to the AWS KMS account specified for the key group.
4. To monitor job progress, go to Administrative Services > Logging and Reporting > Jobs and double-click the Rotate HSM Protected Keys job that just began. If the synchronization succeeds, a message similar to the following displays:

   ```
   2021-12-10 21:45:32 Rotating 1 HSM protected keys
   2021-12-10 21:45:33 Rotated HSM protected key group ig demo
   ```

5. After the job finishes, go to Administrative Services > Key Management > Key Database and select the key group of the key you just synchronized. The key now displays under the key group. You can also see the key in AWS KMS (under Customer managed keys) with the alias that you configured on the AWS Properties tab for the key group.
6. Right-click the AWS HSM protected key group again and select Cloud > Force Rotate. The newly generated key displays along with the first key generated in the key group. In AWS, the system assigns this new key to the alias configured for the HSM protected key group, and the previously active key ID loses the alias.

### Synchronize an HSM protected key

Synchronizing a key means synchronizing or deleting key material for any of the previously active key IDs. The following process demonstrates how to synchronize an HSM protected key:

1. Select the AWS HSM protected key group.
2. Right-click one of the previously active key IDs and select Cloud > Synchronize.
3. Select one of the following actions:
   - Delete key material
   - Update policy (selected by default)
   - Import key material (selected by default)

   You should import key material only if the key material was deleted for the associated key ID previously, either in AWS KMS or through the Delete key material option.

4. A new job executes and displays on the Administrative Services > Logging and Reporting > Jobs page, where you can track the progress of the operation.
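As an added example (not part of this page or of the {{ch}} product), the following Python verifies the AWS KMS side after a force rotate or synchronize: the alias resolves only to the new key, the active key is an enabled key with imported (EXTERNAL origin) material, and each previously active key ID has lost the alias and either still holds material or is PendingImport after a delete. The minimal client interface, the alias name alias/ig-demo and the key IDs are assumed or constructed; with boto3 you would pass boto3.client("kms") instead of the fake client.

```python
import re

# KMS key IDs are UUIDs; the page gives the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
KEY_ID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def audit_rotation(kms, alias_name, expected_key_id, previous_key_ids=()):
    """Verify AWS KMS after a force rotate. `kms` needs list_aliases() and
    describe_key(KeyId=...) with boto3's response shapes (pass boto3.client("kms")
    in production). An empty "problems" list means KMS matches the procedure."""
    problems = []
    if not KEY_ID_RE.match(expected_key_id):
        problems.append(f"{expected_key_id!r} is not a well-formed KMS key ID")
    # The alias must now resolve to the newly generated key, and only to it.
    targets = [a["TargetKeyId"] for a in kms.list_aliases()["Aliases"]
               if a["AliasName"] == alias_name]
    if targets != [expected_key_id]:
        problems.append(f"{alias_name} resolves to {targets}, expected [{expected_key_id!r}]")
    meta = kms.describe_key(KeyId=expected_key_id)["KeyMetadata"]
    # Material generated on the HSM and uploaded to KMS is imported: Origin is EXTERNAL.
    if meta.get("Origin") != "EXTERNAL":
        problems.append(f"active key origin is {meta.get('Origin')}, expected EXTERNAL")
    if meta.get("KeyState") != "Enabled":
        problems.append(f"active key state is {meta.get('KeyState')}, expected Enabled")
    previous = {}
    for key_id in previous_key_ids:
        old = kms.describe_key(KeyId=key_id)["KeyMetadata"]
        # A previously active key loses the alias but keeps its material unless "Delete
        # key material" was chosen when synchronizing; KMS then reports PendingImport.
        previous[key_id] = {"state": old.get("KeyState"), "has_alias": key_id in targets,
                            "material_present": old.get("KeyState") != "PendingImport"}
        if key_id in targets:
            problems.append(f"previous key {key_id} still carries {alias_name}")
    return {"active_key": expected_key_id, "previous": previous, "problems": problems}

class FakeKms:
    """Constructed stand-in for boto3's KMS client; sample data only, not real keys."""
    def __init__(self, aliases, keys):
        self._aliases, self._keys = aliases, keys
    def list_aliases(self):
        return {"Aliases": list(self._aliases)}
    def describe_key(self, KeyId):
        return {"KeyMetadata": dict(self._keys[KeyId])}

NEW_KEY = "11111111-2222-3333-4444-555555555555"  # constructed sample key IDs
OLD_KEY = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_KMS = FakeKms(
    aliases=[{"AliasName": "alias/ig-demo", "TargetKeyId": NEW_KEY}],
    keys={NEW_KEY: {"KeyState": "Enabled", "Origin": "EXTERNAL"},
          OLD_KEY: {"KeyState": "PendingImport", "Origin": "EXTERNAL"}})
```

Running `audit_rotation(SAMPLE_KMS, "alias/ig-demo", NEW_KEY, [OLD_KEY])` reports no problems and shows the old key ID without the alias and without material, which is the state the rotate-then-delete sequence above leaves behind.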