AWS Key Management Service requirements

If you want to use Amazon EBS encryption with ONTAP Cloud, then you must set up the AWS Key Management Service (KMS).

Two requirements must be met to encrypt ONTAP Cloud data using the AWS KMS:
  • An active customer master key (CMK) must exist in your account. The CMK can be an AWS-managed CMK or a customer-managed CMK.
  • You must add IAM users or the IAM role associated with Cloud Manager to the list of key users for a CMK. This gives Cloud Manager permissions to use the CMK with ONTAP Cloud.

    AWS Documentation: Editing Keys
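
The two requirements above can be verified offline from the output of `aws kms describe-key` (the `KeyMetadata` object) and `aws kms get-key-policy` (the parsed policy document). The following is an added example, not code from NetApp or AWS. It assumes "key users" means the actions the AWS console's default key policy grants to key users; the role ARN, account ID and sample policy are constructed placeholders.

```python
import json

# Actions the AWS console's default key policy gives to "key users".
# Only the key policy is evaluated here; IAM policies are not.
USE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"}
GRANT_ACTIONS = {"kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"}
AWS_GRANT_ONLY = {"Bool": {"kms:GrantIsForAWSResource": "true"}}

def as_list(value):
    return value if isinstance(value, list) else [value]

def allowed_actions(policy, principal_arn):
    """Allowed actions for the principal: (unconditional, AWS-resource grants only)."""
    plain, grant_only = set(), set()
    for stmt in as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if principal_arn not in as_list(principal.get("AWS", [])):
            continue
        actions = set(as_list(stmt.get("Action", [])))
        if not stmt.get("Condition"):
            plain |= actions
        elif stmt["Condition"] == AWS_GRANT_ONLY:
            grant_only |= actions
    return plain, grant_only

def check_cmk(key_metadata, policy, principal_arn):
    """Return a list of problems; an empty list means both requirements are met."""
    problems = []
    if key_metadata.get("KeyState") != "Enabled":
        problems.append("CMK is not active: KeyState=%s" % key_metadata.get("KeyState"))
    plain, grant_only = allowed_actions(policy, principal_arn)
    if "kms:*" not in plain:
        missing = (USE_ACTIONS - plain) | (GRANT_ACTIONS - plain - grant_only)
        if missing:
            problems.append("missing key-user actions: " + ", ".join(sorted(missing)))
    return problems

# Constructed sample: role name and account ID are placeholders.
ROLE = "arn:aws:iam::111122223333:role/ExampleCloudManagerRole"
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": "%s"},
   "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
              "kms:GenerateDataKey*", "kms:DescribeKey"], "Resource": "*"},
  {"Sid": "Allow attachment of persistent resources", "Effect": "Allow",
   "Principal": {"AWS": "%s"},
   "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"],
   "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}]}""" % (ROLE, ROLE))
print(check_cmk({"KeyState": "Enabled"}, SAMPLE_POLICY, ROLE))
```
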