Setting up the AWS KMS

Contributors: netapp-bcammett

If you want to use Amazon encryption with Cloud Volumes ONTAP, then you need to set up the AWS Key Management Service (KMS).

  1. Ensure that an active Customer Master Key (CMK) exists.

    The CMK can be an AWS-managed CMK or a customer-managed CMK (AWS now refers to a CMK as a "KMS key"; the console and API behave the same). It can be in the same AWS account as Cloud Manager and Cloud Volumes ONTAP or in a different AWS account.

  2. Modify the key policy for each CMK by adding the IAM role that provides permissions to Cloud Manager as a key user.

    Adding the IAM role as a key user gives Cloud Manager permission to use the CMK with Cloud Volumes ONTAP. Note that KMS evaluates the key policy first: an IAM policy on the role is not sufficient on its own unless the key policy also allows it.

  3. If the CMK is in a different AWS account, complete the following steps:

    1. Go to the KMS console from the account where the CMK resides.

    2. Select the key.

    3. In the General configuration pane, copy the ARN of the key.

      You’ll need to provide the ARN to Cloud Manager when you create the Cloud Volumes ONTAP system.

    4. In the Other AWS accounts pane, add the AWS account that provides Cloud Manager with permissions.

      In most cases, this is the account where Cloud Manager resides. If Cloud Manager wasn't installed in AWS, it is the account for which you provided AWS access keys to Cloud Manager.

      [Screenshots: the "Add other AWS accounts" button and the "Other AWS accounts" dialog box in the AWS KMS console.]

    5. Now switch to the AWS account that provides Cloud Manager with permissions and open the IAM console.

    6. Create an IAM policy that includes the permissions listed below.

    7. Attach the policy to the IAM role or IAM user that provides permissions to Cloud Manager.

      The following policy provides the permissions that Cloud Manager needs to use the CMK from the external AWS account. The two statements are the standard key-use and grant permissions that the AWS cross-account CMK example uses; be sure to modify the region and account ID in the "Resource" sections (the placeholders below are us-east-1 and 111122223333). This IAM policy works together with the key policy change from the previous step: the key policy lets the external account use the key, and this policy delegates that access to the specific role or user.

          {
              "Version": "2012-10-17",
              "Statement": [
                  {
                      "Sid": "AllowUseOfTheKey",
                      "Effect": "Allow",
                      "Action": [
                          "kms:Encrypt",
                          "kms:Decrypt",
                          "kms:ReEncrypt*",
                          "kms:GenerateDataKey*",
                          "kms:DescribeKey"
                      ],
                      "Resource": [
                          "arn:aws:kms:us-east-1:111122223333:key/*"
                      ]
                  },
                  {
                      "Sid": "AllowAttachmentOfPersistentResources",
                      "Effect": "Allow",
                      "Action": [
                          "kms:CreateGrant",
                          "kms:ListGrants",
                          "kms:RevokeGrant"
                      ],
                      "Resource": [
                          "arn:aws:kms:us-east-1:111122223333:key/*"
                      ],
                      "Condition": {
                          "Bool": {
                              "kms:GrantIsForAWSResource": true
                          }
                      }
                  }
              ]
          }

      For additional details about this process, see AWS Documentation: Allowing External AWS Accounts to Access a CMK.

  4. If you are using a customer-managed CMK, modify the key policy for the CMK by adding the Cloud Volumes ONTAP IAM role as a key user.

    This step is required if you enabled data tiering on Cloud Volumes ONTAP and want to encrypt the data stored in the S3 bucket.

    You'll need to perform this step after you deploy Cloud Volumes ONTAP, because the IAM role is created when you create a working environment. (If you choose to use an existing Cloud Volumes ONTAP IAM role instead, you can perform this step beforehand.)
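The following script is an added example, not code from the NetApp page or from Cloud Manager. It builds and checks the policy documents that steps 2, 3 and 4 above have you edit by hand: add_key_user() adds a principal (an IAM role ARN for steps 2 and 4, or the other account's root ARN for step 3.4) to a CMK key policy as a key user, external_account_iam_policy() produces the cross-account IAM policy from step 3.6 for a given key ARN, and missing_key_user_actions() reports which key-user actions a key policy still does not grant a principal, which is the check to run before creating the working environment. The role name Cloud-Manager-Operator, the account IDs and the sample key policy are constructed for the example.

```python
"""Build and verify the KMS key policy and IAM policy documents for Cloud Manager."""
import copy
import fnmatch
import json

# The actions the KMS console grants a "key user"; the page's cross-account
# IAM policy lists the same two sets.
KEY_USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                   "kms:GenerateDataKey*", "kms:DescribeKey"]
GRANT_ACTIONS = ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"]
GRANT_CONDITION = {"Bool": {"kms:GrantIsForAWSResource": True}}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return list(value) if isinstance(value, list) else [value]


def add_key_user(key_policy, principal_arn):
    """Return a copy of key_policy that makes principal_arn a key user.

    principal_arn is an IAM role ARN (steps 2 and 4) or the root of another
    account, arn:aws:iam::<account-id>:root (step 3.4). If the two key-user
    statements already exist they are extended, not duplicated, and adding the
    same principal twice is a no-op.
    """
    policy = copy.deepcopy(key_policy)
    wanted = {
        "Allow use of the key": {"Action": KEY_USE_ACTIONS},
        "Allow attachment of persistent resources": {
            "Action": GRANT_ACTIONS, "Condition": GRANT_CONDITION},
    }
    statements = policy.setdefault("Statement", [])
    by_sid = {s.get("Sid"): s for s in statements}
    for sid, extra in wanted.items():
        stmt = by_sid.get(sid)
        if stmt is None:
            stmt = {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": []},
                    "Resource": "*", **copy.deepcopy(extra)}
            statements.append(stmt)
        principals = _as_list(stmt["Principal"].get("AWS", []))
        if principal_arn not in principals:
            principals.append(principal_arn)
        stmt["Principal"]["AWS"] = principals
    return policy


def missing_key_user_actions(key_policy, principal_arn):
    """Key-user actions that key_policy does not allow for principal_arn.

    Only Allow statements that name the principal (or "*") directly are
    considered. An empty list means the principal is a full key user.
    """
    allowed = []
    for stmt in key_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = (_as_list(principal.get("AWS", [])) if isinstance(principal, dict)
               else _as_list(principal))
        if principal_arn in aws or "*" in aws:
            allowed.extend(_as_list(stmt.get("Action", [])))
    # Allowed actions may themselves be patterns (kms:*, kms:ReEncrypt*).
    return [need for need in KEY_USE_ACTIONS + GRANT_ACTIONS
            if not any(fnmatch.fnmatchcase(need, pat) for pat in allowed)]


def external_account_iam_policy(key_arn):
    """The step 3.6 IAM policy, scoped to key_arn (a string or list of ARNs)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowUseOfTheKey", "Effect": "Allow",
             "Action": KEY_USE_ACTIONS, "Resource": _as_list(key_arn)},
            {"Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow",
             "Action": GRANT_ACTIONS, "Resource": _as_list(key_arn),
             "Condition": GRANT_CONDITION},
        ],
    }


# Constructed sample: the default key policy KMS creates for a new customer
# managed key (only the key's own account root is allowed anything).
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Enable IAM User Permissions", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "kms:*", "Resource": "*"}],
}
# Hypothetical Cloud Manager role and a second (external) account.
CLOUD_MANAGER_ROLE = "arn:aws:iam::111122223333:role/Cloud-Manager-Operator"
EXTERNAL_ACCOUNT_ROOT = "arn:aws:iam::444455556666:root"

if __name__ == "__main__":
    print("missing before:", missing_key_user_actions(SAMPLE_KEY_POLICY, CLOUD_MANAGER_ROLE))
    updated = add_key_user(SAMPLE_KEY_POLICY, CLOUD_MANAGER_ROLE)
    updated = add_key_user(updated, EXTERNAL_ACCOUNT_ROOT)
    print("missing after:", missing_key_user_actions(updated, CLOUD_MANAGER_ROLE))
    print(json.dumps(updated, indent=2))  # body for: aws kms put-key-policy --policy-name default
    print(json.dumps(external_account_iam_policy(
        "arn:aws:kms:us-east-1:111122223333:key/*"), indent=2))  # aws iam put-role-policy
```

The printed key policy is what you would pass to `aws kms put-key-policy --key-id <key-id> --policy-name default --policy file://policy.json` in the account that owns the key, and the IAM policy to `aws iam put-role-policy` in the account that provides Cloud Manager with permissions. Run missing_key_user_actions() against the output of `aws kms get-key-policy` after the change to confirm nothing was dropped, and remember that an explicit Deny statement elsewhere in the policy still overrides these grants.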