
AWS Key Management Service

AQtive Guard can ingest AWS Key Management Service (KMS) data for enhanced key management and security monitoring.

AWS KMS requirements

You’ll need the following from AWS before setting up the integration:

  • AWS Credentials:
    • Access Key ID
    • Secret Access Key
  • The following read-only AWS KMS permissions (IAM actions) granted to those credentials:
    • ListKeys (kms:ListKeys)
    • DescribeKey (kms:DescribeKey)
    • GetPublicKey (kms:GetPublicKey)

There are two ways to obtain the requirements:

  1. Create an IAM user in your AWS account, generate credentials, then complete one of the following:
    • Attach a policy or individual permissions to the user.
    • Assign the user to a group and attach the policy to the group.
  2. Use a federated user (for example, managed by Microsoft or Google) and assume a role to obtain temporary credentials.

Tip

Temporary credentials expire and must be re-entered in AQtive Guard each time, so we recommend the IAM user method where your organization's security policy permits long-lived access keys. If you use an IAM user, grant it only the three read permissions listed above and rotate its access key on your normal schedule.

With either method you end up with an access key ID and secret access key to paste into AQtive Guard (plus a session token if the credentials are temporary).

The following sections provide step-by-step instructions for configuring the integration by creating an IAM user.

Configure the AWS KMS integration

Perform the following steps to configure the AWS KMS integration in AWS and AQtive Guard.

AWS configuration

Complete the following steps in AWS to create a policy, create an IAM user, and generate credentials.

Create a policy

To create a policy that will be attached to the IAM user:

  1. Log into the AWS console.
  2. From the AWS dashboard, search for IAM and select Identity and Access Management (IAM).
  3. Under the Access management menu on the left, select Policies.
  4. Select Create policy.

    Depending on your organization's policies, you may instead use the AWS managed policy for KMS power users, which grants read and write KMS permissions, far more than the three read permissions the integration needs.

    To do this, enter AWSKeyManagementServicePower in the search bar, select the policy, then skip to Create a user.

  5. In the Service dropdown, search for and select KMS.

  6. Select the three permissions required for the integration (ListKeys is listed under the List access level, DescribeKey and GetPublicKey under Read):
    • ListKeys
    • DescribeKey
    • GetPublicKey
  7. Select Next.
  8. Enter a Policy name, an optional Policy description and then select Create policy.

    You’ll see a notification confirming the policy was created. Open it and check that only the three read permissions are listed.
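The policy document that the console steps above produce, together with a pre-commit check that it grants exactly the three read actions and nothing wider, as an added example (not AQtive Guard's or AWS's own code). The account ID and region parameters, the statement IDs and the "wide" policy at the end are constructed for illustration; the wide policy is not the content of the AWS managed policy, which this page does not quote.

```python
import fnmatch
import json

# The three read-only KMS actions the integration needs (from the page).
REQUIRED_ACTIONS = ("kms:ListKeys", "kms:DescribeKey", "kms:GetPublicKey")


def build_policy(account_id: str = "*", region: str = "*") -> dict:
    """Return the IAM policy document the console steps produce.

    kms:ListKeys does not support resource-level permissions, so it must be
    granted on "*". kms:DescribeKey and kms:GetPublicKey can be scoped to the
    keys of one account and region; the "*" defaults reproduce the unscoped
    console policy. account_id and region are assumptions for illustration.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListKeysIsAccountWide",
                "Effect": "Allow",
                "Action": "kms:ListKeys",
                "Resource": "*",
            },
            {
                "Sid": "ReadKeyMetadataAndPublicKeys",
                "Effect": "Allow",
                "Action": ["kms:DescribeKey", "kms:GetPublicKey"],
                "Resource": f"arn:aws:kms:{region}:{account_id}:key/*",
            },
        ],
    }


def check_least_privilege(policy: dict) -> list:
    """Return a list of problems; empty means the policy grants exactly
    REQUIRED_ACTIONS. Deny statements are ignored and NotAction is flagged:
    this is a sanity check before Create policy, not an IAM simulator."""
    problems = []
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            problems.append(f"NotAction in statement {stmt.get('Sid')!r} grants an open-ended set")
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for action in actions:
            if "*" in action or "?" in action:
                problems.append(f"wildcard action {action!r}")
            elif action not in REQUIRED_ACTIONS:
                problems.append(f"unneeded action {action!r}")
            granted.add(action)
    # A required action is missing unless some granted pattern covers it.
    for action in REQUIRED_ACTIONS:
        if not any(fnmatch.fnmatchcase(action, g) for g in granted):
            problems.append(f"missing action {action!r}")
    return problems


if __name__ == "__main__":
    # 123456789012 is the placeholder account ID used in AWS documentation.
    policy = build_policy(account_id="123456789012", region="us-east-1")
    print(json.dumps(policy, indent=2))   # paste into the JSON tab of Create policy
    print(check_least_privilege(policy))  # []
    # Constructed wider policy: wildcards and a write action are flagged.
    wide = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": ["kms:Describe*", "kms:List*", "kms:Get*", "kms:CreateKey"],
            "Resource": "*"}]}
    print(check_least_privilege(wide))
```

Scoping the second statement to one account and region is the useful tightening over the console default: the credentials then cannot read key metadata in any other account that happens to grant them access.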

Create a user

To create an IAM user:

  1. Log into the AWS console and open Identity and Access Management (IAM).
  2. Under the Access management menu on the left, select Users.
  3. Select Create user.
  4. Enter a User name and select Next.
  5. Select the Attach policies directly tile.
  6. Search for the policy you created earlier and select Next.
  7. Select Create user.

    You’ll see a notification confirming the user was created successfully.

  8. Select the user to open the user details page and select Create access key.

  9. Select Third-party service as the use case, then Next.
  10. Enter a description, then select Create access key.

Tip

Make sure to copy the credentials and save them in a secure place. Once you close the Retrieve access keys screen, the secret access key can’t be shown again. If you lose it, deactivate the old access key on the user’s Security credentials tab and create a new one.

AQtive Guard configuration

Complete the following steps to configure the AWS KMS integration in AQtive Guard.

  1. Log in to AQtive Guard and select Data sources from the main menu.
  2. Select Configure in the AWS KMS panel.
  3. Paste the required credentials you copied from AWS into the designated fields:
    • Your Access key.
    • Your Secret access key.
  4. Select your Region from the dropdown.
  5. If you’re using temporary credentials (the federated method), enter your session token.
  6. (Optional) Select Test Connection to check the connection to the AWS KMS API.
  7. Select Submit to update the settings.

    You’ll see a notification confirming that the configuration has succeeded.
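A stand-alone pre-flight check for the credentials before you paste them into AQtive Guard, added here as an example; it is not AQtive Guard's Test Connection implementation, whose behaviour this page does not describe. It exercises the three actions through any object with the boto3 KMS client methods (list_keys, describe_key, get_public_key). The FakeKms class, its key IDs and the _FakeClientError type are constructed so the example runs offline; boto3 is only needed for the commented real-account call.

```python
from typing import Any, Optional, Protocol


class KmsClient(Protocol):
    """Subset of the boto3 KMS client surface used here; boto3.client("kms")
    satisfies it, and so does the offline FakeKms below."""
    def list_keys(self, **kwargs: Any) -> dict: ...
    def describe_key(self, **kwargs: Any) -> dict: ...
    def get_public_key(self, **kwargs: Any) -> dict: ...


def _classify(exc: Exception) -> str:
    """boto3 raises botocore ClientError carrying exc.response["Error"]["Code"];
    AccessDeniedException is a permissions problem, anything else is reported as-is."""
    code = getattr(exc, "response", {}).get("Error", {}).get("Code")
    return "denied" if code == "AccessDeniedException" else f"error:{code or type(exc).__name__}"


def preflight(kms: KmsClient, limit: int = 100) -> dict:
    """Exercise ListKeys, DescribeKey and GetPublicKey and return one verdict
    per action: "ok", "denied", "error:<code>", "skipped:<why>" or "not-run".

    GetPublicKey is only tried on an asymmetric key: on a symmetric key it
    fails with UnsupportedOperationException even when permission is granted,
    which would be misread as a broken integration."""
    verdict = {a: "not-run" for a in ("ListKeys", "DescribeKey", "GetPublicKey")}
    try:
        keys = kms.list_keys(Limit=limit)["Keys"]  # first page only; enough for a probe
    except Exception as exc:
        verdict["ListKeys"] = _classify(exc)
        return verdict
    verdict["ListKeys"] = "ok"
    if not keys:
        verdict["DescribeKey"] = verdict["GetPublicKey"] = "skipped:no-keys"
        return verdict

    asymmetric_key_id = None
    for key in keys:
        try:
            meta = kms.describe_key(KeyId=key["KeyId"])["KeyMetadata"]
        except Exception as exc:
            verdict["DescribeKey"] = _classify(exc)
            return verdict
        verdict["DescribeKey"] = "ok"
        if meta.get("KeySpec", "SYMMETRIC_DEFAULT") != "SYMMETRIC_DEFAULT":
            asymmetric_key_id = key["KeyId"]
            break  # one asymmetric key is enough for the GetPublicKey probe
    if asymmetric_key_id is None:
        verdict["GetPublicKey"] = "skipped:no-asymmetric-keys"
        return verdict
    try:
        kms.get_public_key(KeyId=asymmetric_key_id)
        verdict["GetPublicKey"] = "ok"
    except Exception as exc:
        verdict["GetPublicKey"] = _classify(exc)
    return verdict


class _FakeClientError(Exception):
    """Mimics the .response attribute of botocore.exceptions.ClientError."""
    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeKms:
    """Constructed offline stand-in for boto3's KMS client. `allowed` is the set
    of kms:* actions the simulated IAM policy grants; the default key IDs and
    key specs are made up for this example."""
    DEFAULT_KEYS = {
        "11111111-1111-1111-1111-111111111111": "SYMMETRIC_DEFAULT",
        "22222222-2222-2222-2222-222222222222": "RSA_2048",
    }

    def __init__(self, allowed: set, keys: Optional[dict] = None) -> None:
        self.allowed = set(allowed)
        self.keys = dict(self.DEFAULT_KEYS if keys is None else keys)

    def _require(self, action: str) -> None:
        if action not in self.allowed:
            raise _FakeClientError("AccessDeniedException")

    def list_keys(self, **kwargs: Any) -> dict:
        self._require("kms:ListKeys")
        return {"Keys": [{"KeyId": k} for k in self.keys]}

    def describe_key(self, **kwargs: Any) -> dict:
        self._require("kms:DescribeKey")
        key_id = kwargs["KeyId"]
        return {"KeyMetadata": {"KeyId": key_id, "KeySpec": self.keys[key_id]}}

    def get_public_key(self, **kwargs: Any) -> dict:
        self._require("kms:GetPublicKey")
        if self.keys[kwargs["KeyId"]] == "SYMMETRIC_DEFAULT":
            raise _FakeClientError("UnsupportedOperationException")
        return {"KeyId": kwargs["KeyId"], "PublicKey": b"<constructed DER bytes>"}


if __name__ == "__main__":
    full = {"kms:ListKeys", "kms:DescribeKey", "kms:GetPublicKey"}
    print(preflight(FakeKms(full)))              # all three "ok"
    print(preflight(FakeKms({"kms:ListKeys"})))  # DescribeKey "denied"
    # Real account (needs boto3 and the access key created in the AWS steps above):
    #   import boto3; print(preflight(boto3.client("kms", region_name="us-east-1")))
```

A "denied" on any of the three actions means the policy attached to the user is wrong or not yet propagated; "skipped:no-asymmetric-keys" is normal for accounts that only hold symmetric keys and does not indicate a permissions problem.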

Use

Once the integration is configured, you can trigger an AWS KMS data ingestion.

Note

If the AWS KMS settings aren’t configured, the ingestion option will be disabled.

To ingest key data from AWS KMS:

  1. Select Data sources from the main menu, then select Details in the AWS KMS panel.
  2. Select Start keys ingestion to trigger ingestion of data into AQtive Guard.

    You’ll see a notification confirming that the data ingestion has started.

Unlink the AWS KMS integration only if your organization needs to reconfigure it or stop sharing data with AWS.

To unlink the AWS KMS configuration:

  1. Select Data sources from the main menu, then select Details in the AWS KMS panel.
  2. Select Unlink.
  3. Select Confirm and unlink AWS KMS.