Setting up the AWS KMS
If you want to use Amazon encryption with Cloud Volumes ONTAP, then you need to set up the AWS Key Management Service (KMS).
-
Ensure that an active Customer Master Key (CMK) exists.
The CMK can be an AWS-managed CMK or a customer-managed CMK. It can be in the same AWS account as BlueXP and Cloud Volumes ONTAP or in a different AWS account.
-
Modify the key policy for each CMK by adding the IAM role that provides permissions to BlueXP as a key user.
Adding the IAM role as a key user gives BlueXP permissions to use the CMK with Cloud Volumes ONTAP.
-
If the CMK is in a different AWS account, complete the following steps:
-
Go to the KMS console from the account where the CMK resides.
-
Select the key.
-
In the General configuration pane, copy the ARN of the key.
You'll need to provide the ARN to BlueXP when you create the Cloud Volumes ONTAP system.
-
In the Other AWS accounts pane, add the AWS account that provides BlueXP with permissions.
In most cases, this is the account where BlueXP resides. If BlueXP wasn't installed in AWS, it would be the account for which you provided AWS access keys to BlueXP.
-
Now switch to the AWS account that provides BlueXP with permissions and open the IAM console.
-
Create an IAM policy that includes the permissions listed below.
-
Attach the policy to the IAM role or IAM user that provides permissions to BlueXP.
The following policy provides the permissions that BlueXP needs to use the CMK from the external AWS account. Be sure to modify the region and account ID in the "Resource" sections.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowUseOfTheKey", "Effect": "Allow", "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey" ], "Resource": [ "arn:aws:kms:us-east-1:externalaccountid:key/externalkeyid" ] }, { "Sid": "AllowAttachmentOfPersistentResources", "Effect": "Allow", "Action": [ "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant" ], "Resource": [ "arn:aws:kms:us-east-1:externalaccountid:key/externalaccountid" ], "Condition": { "Bool": { "kms:GrantIsForAWSResource": true } } } ] }
For additional details about this process, refer to the AWS Documentation: Allowing users in other accounts to use a KMS key.
-
-
If you are using a customer-managed CMK, modify the key policy for the CMK by adding the Cloud Volumes ONTAP IAM role as a key user.
This step is required if you enabled data tiering on Cloud Volumes ONTAP and want to encrypt the data stored in the S3 bucket.
You'll need to perform this step after you deploy Cloud Volumes ONTAP because the IAM role is created when you create a working environment. (Of course, you do have the option to use an existing Cloud Volumes ONTAP IAM role, so it's possible to perform this step before.)