AWS Cloud Key Management integration and key operations

This section explains how to create a new HSM Protected key group on the KMES and how the different key operations work for pushing keys to AWS KMS.

If a firewall sits between the KMES and the internet, allow outbound HTTPS (TCP 443) from the KMES to *.amazonaws.com. If you need to restrict this to a more specific endpoint, the regional KMS endpoints are listed at https://docs.aws.amazon.com/general/latest/gr/kms.html

Create a new HSM Protected key group

Key groups act as both a container for keys and a template for creating keys within the group. The group defines the HSM Protected key attributes, such as the type of key, the key rotation schedule, and the cloud service to use (such as Amazon Web Services).

Perform the following steps to create an HSM Protected key group:

1. Log in to the KMES Series 3 application interface by using the default admin identities.

2. Go to Key Management > Keys.

3. Right-click the Key Group background, select Add > Key Group, and select the following options:

   Option             Required configuration
   Key Type           Symmetric.
   Storage Location   HSM Protected.

   The AWS KMS integration does not support asymmetric keys.

4. Select [ OK ] to continue.

5. In the next window, set up the parameters for the key group. On the Group tab, make the following changes:

   Option               Required configuration
   Name                 Choose a descriptive name.
   Service              Amazon Web Services.
   Credential           Select [ Select ] and choose the credential you created from the CSV.
   Key Type             AES.
   Key Length           AES-256.
   Key Usage            Encrypt + Decrypt.
   Rotate Key           Leave the box checked if you want the key group to rotate keys on a schedule.
   Rotate Every         Set the desired rotation interval.
   Keep key valid for   Set the length of time that keys created in the key group should remain valid.

6. Do not change the Info tab default settings.

7. In the AWS Properties tab, make the following changes:

   Option                       Required configuration
   Alias                        Choose a nickname.
   Description                  Optional.
   Region                       Select the AWS region where you created the KMS key.
   Active Key ID                Enter the Key ID formatted as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
   Policy                       Select [ Import Policy ] and then select the policy that you saved as a JSON file. The policy specifies the permissions for accessing the KMS key (customer master key) in AWS.
   Disable key after rotating   Optional.

8. Select [ OK ] to finish creating the HSM Protected Key Group.
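Before importing the policy JSON in step 7, it is worth checking that the file actually grants the KMES identity what it needs and does not accidentally open the key to every AWS principal. The following Python lint is an added example written for this page, not part of the KMES or of any AWS tooling. The set of required actions and the IAM user ARN are assumptions made for the example, and the sample policy is constructed so that the lint has something to report.

```python
import fnmatch
import json

# Illustrative set of key-policy actions the KMES principal needs on the KMS
# key to push, re-import, delete and re-alias key material. This list is an
# assumption made for the example, not taken from the integration guide;
# check it against your own deployment before relying on it.
REQUIRED_ACTIONS = {
    "kms:DescribeKey",
    "kms:GetParametersForImport",
    "kms:ImportKeyMaterial",
    "kms:DeleteImportedKeyMaterial",
    "kms:PutKeyPolicy",
    "kms:UpdateAlias",
}

# Hypothetical IAM user that the KMES credential maps to.
KMES_PRINCIPAL = "arn:aws:iam::111122223333:user/kmes-byok"

# Constructed sample policy: grants the KMES user some, but not all, of the
# actions above.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AccountRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowKMES", "Effect": "Allow",
         "Principal": {"AWS": KMES_PRINCIPAL},
         "Action": ["kms:DescribeKey", "kms:GetParametersForImport",
                    "kms:ImportKeyMaterial", "kms:UpdateAlias"],
         "Resource": "*"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the set of principal strings a statement names ('*' for anyone)."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return {"*"}
    out = set()
    for entries in principal.values():      # e.g. {"AWS": [...]} or {"AWS": "..."}
        out.update(_as_list(entries))
    return out


def _matches(patterns, action):
    # IAM action patterns may use '*' (e.g. "kms:*", "kms:Import*").
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def lint_key_policy(policy_json, kmes_principal):
    """Report required actions the KMES principal lacks, explicit denies that
    override them, and Allow statements that apply to any principal."""
    policy = json.loads(policy_json)
    allowed, denied, findings = set(), set(), []
    for stmt in _as_list(policy.get("Statement", [])):
        principals = _principals(stmt)
        actions = _as_list(stmt.get("Action", []))
        applies = kmes_principal in principals or "*" in principals
        if stmt.get("Effect") == "Allow" and "*" in principals and "Condition" not in stmt:
            findings.append("Sid %r allows any principal without a Condition"
                            % stmt.get("Sid"))
        if not applies:
            continue
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(a for a in REQUIRED_ACTIONS if _matches(actions, a))
    # In IAM evaluation an explicit Deny always wins over an Allow.
    return {
        "missing": sorted(REQUIRED_ACTIONS - allowed),
        "denied": sorted(denied),
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(lint_key_policy(SAMPLE_POLICY, KMES_PRINCIPAL), indent=2))
```

The lint is deliberately conservative: it only counts statements that name the KMES principal directly (or `*`), so access delegated through the account-root statement plus an IAM policy on the user is not modelled, and `NotAction`/`NotPrincipal` statements are ignored. The finding for an unconditioned `"Principal": "*"` catches the most common mistake in hand-edited key policies.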

Push keys to AWS KMS

You can perform the following operations on keys that are part of an AWS HSM Protected key group:

Rotate an HSM Protected Key Group
Forces the KMES to generate a new key and upload it to AWS KMS with the alias configured on the AWS Properties tab. On the Customer managed keys page in AWS KMS, the previous key ID loses the alias on rotation and the newly created key receives it.

Synchronize an HSM Protected key
Updates the given Key ID in AWS with the selected key. For example, if the key material for a key has been deleted in AWS, you can right-click that same key in the KMES, synchronize it, and re-import the key material. You can also delete key material from AWS by selecting the corresponding check box when synchronizing from the KMES.

For this integration, the only ways to create keys inside an AWS HSM Protected Key Group are to force rotate the key group or to wait for a rotation to occur on the configured rotation schedule.

Rotate the HSM Protected key group

The following process demonstrates how to force rotate the HSM Protected key group to generate and push the first key to AWS KMS:

1. Make sure to set the KMES as the designated device for rotating key material (under Administration > Configuration > HSM Protected Key Options).

2. Go to Key Management > Keys.

3. Right-click the HSM Protected key group that you created in the previous section, and select Cloud > Force Rotate.

4. A job runs to rotate and synchronize this key to the AWS KMS account specified for the key group. To monitor job progress, go to Logging and Reporting > Jobs and double-click the Rotate HSM protected keys job that just began.

If the synchronization succeeds, a message similar to the following displays:


5. After the job finishes, go to Key Management > Keys and select the key group of the key you just synchronized. The key now displays under the key group.

   You can also see the key in AWS KMS under Customer managed keys, with the alias that you configured on the AWS Properties tab for the key group.

6. Right-click the AWS HSM Protected key group again and select Cloud > Force Rotate. The newly generated key displays alongside the first key generated in the key group.

   In AWS, this new key is assigned the alias configured for the HSM Protected key group, and the previously active Key ID loses the alias.

Synchronize an HSM Protected key

Synchronizing a key updates the policy, re-imports the key material, or deletes the key material for any of the previously active Key IDs. The following process demonstrates how to synchronize an HSM Protected key:

1. Select the AWS HSM Protected key group.

2. Right-click one of the previously active Key IDs and select Cloud > Synchronize.

3. Select the actions to perform:

     • Delete Key Material
     • Update Policy (selected by default)
     • Import Key Material (selected by default)

   Import key material only if the key material for the associated Key ID was previously deleted, either in AWS KMS or through the Delete Key Material option.

   A new job executes and displays on the Logging and Reporting > Jobs page, where you can track the progress of the operation.
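To confirm from the AWS side that a force rotation and any later synchronization left the group in the expected state (alias on the newest key, rotated-out keys disabled or at least accounted for, no key left without material, no material about to expire), the following Python audit is an added example written for this page, not code from Futurex or AWS. It works on the JSON shapes returned by `aws kms list-aliases` and `aws kms describe-key`; the alias, key IDs and dates are constructed sample data, and the 30-day expiry warning threshold is an arbitrary choice. KMS only accepts imported material into keys created with the External key material origin, so the audit checks `Origin` before anything else.

```python
from datetime import datetime

# Constructed sample data, not output from a real account. The dict shapes
# follow the KeyMetadata object returned by `aws kms describe-key` and the
# entries returned by `aws kms list-aliases`.
GROUP_ALIAS = "alias/kmes-payments"      # hypothetical alias from the AWS Properties tab
SAMPLE_ALIASES = [
    {"AliasName": GROUP_ALIAS,
     "TargetKeyId": "cccccccc-3333-4333-8333-cccccccccccc"},
]
SAMPLE_KEYS = [
    # First key the group produced; its material was removed via Synchronize > Delete Key Material.
    {"KeyId": "aaaaaaaa-1111-4111-8111-aaaaaaaaaaaa", "KeyState": "PendingImport",
     "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_DOES_NOT_EXPIRE"},
    # Second key; lost the alias on the last rotation but was never disabled.
    {"KeyId": "bbbbbbbb-2222-4222-8222-bbbbbbbbbbbb", "KeyState": "Enabled",
     "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": "2024-07-01T00:00:00+00:00"},
    # Current key: holds the alias.
    {"KeyId": "cccccccc-3333-4333-8333-cccccccccccc", "KeyState": "Enabled",
     "Origin": "EXTERNAL", "ExpirationModel": "KEY_MATERIAL_EXPIRES",
     "ValidTo": "2025-01-01T00:00:00+00:00"},
]


def _to_dt(value):
    # Accept either a datetime (boto3) or an ISO-8601 string (CLI JSON output).
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def audit_key_group(alias_name, aliases, keys, now, expiry_warn_days=30):
    """Check the AWS-side state of one HSM Protected key group.

    Returns the key ID that currently holds the group alias and a list of
    findings, each a dict with key_id, code and message.
    """
    now = _to_dt(now)
    findings = []

    def flag(key_id, code, message):
        findings.append({"key_id": key_id, "code": code, "message": message})

    # The alias marks the key the KMES considers active; rotation moves it.
    active = next((a["TargetKeyId"] for a in aliases if a["AliasName"] == alias_name), None)
    if active is None:
        flag(None, "ALIAS_MISSING",
             "alias %s not found; no key is active for this group" % alias_name)

    for key in keys:
        key_id, state = key["KeyId"], key["KeyState"]
        if key.get("Origin") != "EXTERNAL":
            flag(key_id, "NOT_BYOK",
                 "origin is %s; the KMES can only manage material for EXTERNAL-origin keys"
                 % key.get("Origin"))
            continue
        if state == "PendingImport":
            flag(key_id, "MATERIAL_MISSING",
                 "no key material in AWS; use Cloud > Synchronize with Import Key Material to restore it")
        elif state == "Enabled" and key_id != active:
            flag(key_id, "PREVIOUS_KEY_ENABLED",
                 "rotated-out key is still enabled; consider 'Disable key after rotating' on the key group")
        if key.get("ExpirationModel") == "KEY_MATERIAL_EXPIRES":
            days_left = (_to_dt(key["ValidTo"]) - now).days
            if days_left <= expiry_warn_days:
                flag(key_id, "MATERIAL_EXPIRING",
                     "imported material expires in %d days; rotate or synchronize before then" % days_left)
    return {"active_key": active, "findings": findings}


if __name__ == "__main__":
    result = audit_key_group(GROUP_ALIAS, SAMPLE_ALIASES, SAMPLE_KEYS,
                             now="2024-06-15T00:00:00+00:00")
    print("active key:", result["active_key"])
    for f in result["findings"]:
        print("%s %s: %s" % (f["code"], f["key_id"], f["message"]))
```

Feed it real data by passing the `Aliases` array from `aws kms list-aliases` and one `KeyMetadata` object per key from `aws kms describe-key --key-id <id>`. Two caveats when acting on the findings: disabling a rotated-out key blocks decryption of anything still encrypted under it until the key is re-enabled, and a key in `PendingImport` is likewise unusable until its material is re-imported through the KMES synchronize operation.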