Create a customer-managed key in AWS KMS
Perform the following steps to create a customer-managed key in AWS KMS.
The KMS key you create has no key material of its own: the KMES is the source of the key material and supplies it in a later section, so the key must be created with an external key material origin.
Log in to the AWS Management Console.
Navigate to the Key Management Service.
Select Customer managed keys in the left menu, then select the orange Create Key button in the upper-right corner of the page.
Configure the key with the following choices:
Key Type: Symmetric.
Key material origin: External.
Note: The KMS origin also produces a working key, but AWS generates that key's material itself, so the KMES never holds it and cannot be the source of the key material. The External origin creates a placeholder key with no key material (the console shows its status as Pending import); the KMES provides the key material in later steps.
Regionality: Single-Region key.
Select [ Next ] to continue.
Add the following labels:
Alias: Choose a nickname.
Description: Optional.
Tags: Optional.
Select [ Next ] to continue.
Define the following key administrative permissions:
Key administrators: Select your user account.
Key deletion: Select the Allow key administrators to delete this key checkbox.
Select [ Next ] to continue.
Define the following key usage permissions:
This account: Select your user account.
Other AWS accounts: Optional.
Select [ Next ] to continue.
Review your configuration. Ensure the top three fields (Key Configuration, Alias and description, and Tags) are correct.
Copy the contents of Key Policy into a file and save it with a .json extension. You must copy or move this file to the storage medium configured on your KMES Series 3 device.
Select [ Finish ].
When prompted to download a wrapping key and import token, select [ Cancel ] to skip that step.
On the main Key Management Service (KMS) page, make a copy of the generated key ID (formatted as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx). The key's status should read Pending import, confirming that it has no key material yet. The AWS Properties tab requires this ID (and the policy file) when creating an HSM Protected Key Group on the KMES in the next section.