Amazon KMS
Least Privileged User
Navigate to the AWS console and create an IAM user with programmatic access. The user needs the permissions listed below. You can create a dedicated policy for these permissions and attach it to the user.
For more information, see: High Level AWS Source Configuration
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:ListKeyPolicies",
        "kms:GenerateRandom",
        "cloudwatch:GetMetricData",
        "kms:ListRetirableGrants",
        "kms:GetKeyPolicy",
        "kms:ListResourceTags",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "kms:ReEncryptFrom",
        "kms:ListGrants",
        "kms:GetParametersForImport",
        "kms:ListKeys",
        "cloudwatch:DescribeAlarmHistory",
        "kms:GetKeyRotationStatus",
        "cloudwatch:DescribeAlarmsForMetric",
        "kms:ListAliases",
        "cloudwatch:DescribeAlarms",
        "kms:ReEncryptTo",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
```
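A pre-attachment review of the policy above, as an added example (not part of the original page or the vendor's tooling): it flags allowed actions whose names fall outside List/Get/Describe, wildcard actions, and statements with `"Resource": "*"`. The verb-prefix rule is an assumption made for this example, a naming heuristic rather than AWS's own access-level classification.

```python
import json

# The policy shown on this page, embedded so the check runs offline.
POLICY_JSON = """
{"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
 "Action": ["kms:ListKeyPolicies", "kms:GenerateRandom", "cloudwatch:GetMetricData",
  "kms:ListRetirableGrants", "kms:GetKeyPolicy", "kms:ListResourceTags",
  "cloudwatch:GetMetricStatistics", "cloudwatch:ListMetrics", "kms:ReEncryptFrom",
  "kms:ListGrants", "kms:GetParametersForImport", "kms:ListKeys",
  "cloudwatch:DescribeAlarmHistory", "kms:GetKeyRotationStatus",
  "cloudwatch:DescribeAlarmsForMetric", "kms:ListAliases",
  "cloudwatch:DescribeAlarms", "kms:ReEncryptTo", "kms:DescribeKey"],
 "Resource": "*"}]}
"""

# Assumption for this example: these verb prefixes mark metadata-only actions.
READ_VERBS = ("list", "get", "describe")


def as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Flag non-read actions, wildcard actions and statements with Resource '*'."""
    statements = policy["Statement"]
    if isinstance(statements, dict):  # a lone statement may appear unwrapped
        statements = [statements]
    findings = {"non_read": [], "wildcard": [], "unscoped": []}
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for action in as_list(stmt.get("Action", [])):
            name = action.partition(":")[2].lower()  # action names are case-insensitive
            if "*" in action or "?" in action:
                findings["wildcard"].append(action)
            elif not name.startswith(READ_VERBS):
                findings["non_read"].append(action)
        if "*" in as_list(stmt.get("Resource", [])):
            findings["unscoped"].append(stmt.get("Sid", f"statement[{index}]"))
    return {key: sorted(values) for key, values in findings.items()}


if __name__ == "__main__":
    for finding, items in audit_policy(json.loads(POLICY_JSON)).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

Flagged entries are candidates for review before the policy is attached, not proof of excess privilege.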
Connection Parameters
Name | Required? | Description |
---|---|---|
Region | | |
Access Key ID | Required | |
Secret Access Key | Required | |
Additional Threads | | The number of additional threads allowed to be utilized during collection. |
Request Timeout (seconds) | | The number of seconds to allow for the API to return a response. |
Collect CloudWatch Metrics | | |
CloudWatch Historic Mode | | If enabled, retrieves a history of data points from CloudWatch. Otherwise, collects only the most recent data point for each metric. |
Metrics
Key
Name | Description |
---|---|
Account ID | The twelve-digit account ID of the AWS account that owns the CMK. |
Alias | The alias of the CMK. |
ARN | The Amazon Resource Name (ARN) of the CMK. |
Description | The description of the CMK. |
Enabled | Specifies whether the CMK is enabled. |
Expiration Time | The time at which the imported key material expires. |
ID | The globally unique identifier for the CMK. |
Key Material Expiration Date (Seconds) | This metric tracks the amount of time remaining until imported key material expires. |
Manager | The CMK's manager. |
Origin | The source of the CMK's key material. |
Policies | The names of the key policies that are attached to a customer master key (CMK). |
Region | The AWS Region this object belongs to. |
State | The state of the CMK. |
Usage | The cryptographic operations for which you can use the CMK. |