Starting today, you can use your own AWS Key Management Service (AWS KMS) keys to encrypt identity data, such as user and group attributes, stored in your AWS IAM Identity Center instances.
Many organizations operating in regulated industries need complete control over encryption key management. While Identity Center already encrypts data at rest using AWS owned keys, some customers require the ability to manage their own encryption keys for audit and compliance purposes.
With this launch, you can now use KMS customer managed keys (CMKs) to encrypt Identity Center data. A CMK gives you full control over the key lifecycle, including creation, rotation, and deletion. You can configure granular access controls through KMS key policies and AWS Identity and Access Management (IAM) policies to ensure that only authorized principals can access your encrypted data. At launch, the CMK must reside in the same AWS account and AWS Region as your IAM Identity Center instance. The integration between Identity Center and AWS KMS produces detailed AWS CloudTrail logs for auditing key usage, which helps you meet compliance requirements.
Identity Center supports both single-Region and multi-Region keys. While Identity Center instances can currently be deployed in only one Region, we recommend using KMS multi-Region keys unless your company's policies restrict you to a single Region. Multi-Region keys provide the same key material across Regions while maintaining independent key infrastructure in each Region. This gives you more flexibility in your encryption strategy and helps future-proof your configuration.
Let's get started
Imagine I want to use a CMK to encrypt the identity data in my organization's Identity Center instance. My organization uses Identity Center to give employees access to AWS applications such as Amazon Q Business or Amazon Athena.
As of today, some AWS applications cannot be used with an Identity Center instance configured with a KMS customer managed key. Check the list of AWS managed applications that you can use with Identity Center to stay informed about the evolving list of compatible applications.
At a high level, the process first requires creating a symmetric customer managed key (CMK) in AWS KMS. The key must be configured for encryption and decryption operations. I also configure the key policy to grant access to Identity Center, AWS applications, administrators, and other principals that need to use the IAM Identity Center and Identity Store APIs. Depending on how you use Identity Center, you will need to define different key policy statements and IAM policies. The service documentation has more details to help you cover the most common use cases.
This demo has three parts. First, I create the customer managed key in AWS KMS and configure it with permissions that authorize Identity Center and AWS managed applications to use it. Second, I update the IAM policies for principals that will use the key from another AWS account, such as AWS application administrators. Finally, I configure Identity Center to use the key.
Part 1: Create a key and define permissions
First, I create a new CMK in AWS KMS.
The key must be in the same AWS account and AWS Region as the Identity Center instance. You must create the Identity Center instance and the key in your organization's management account.
I navigate to the AWS Key Management Service (AWS KMS) console in the same Region as my Identity Center instance, then I choose Create a key. That starts the key creation wizard.
Under Step 1 – Configure key, I select the Key type: Symmetric (a single key used for both encryption and decryption) or Asymmetric (a public and private key pair used for encryption/decryption or signing/verification). Identity Center requires a symmetric key for encryption at rest, so I select Symmetric.
For Key usage, I select Encrypt and decrypt. This allows the key to be used only for encrypting and decrypting data.
Under Advanced options, I select KMS – Recommended for Key material origin, so AWS KMS creates and manages the key material.
For Regionality, I choose between a single-Region key and a multi-Region key. I select Multi-Region key, which allows key administrators to replicate the key to other Regions. As explained earlier, Identity Center does not require this today, but it helps future-proof your configuration. Remember that after creation, you cannot convert a single-Region key into a multi-Region key (but you can change the key used by Identity Center).
Then I choose Next to continue with the other configuration steps: adding labels, defining administrative permissions, setting key usage permissions, and reviewing the final configuration before creating the key.
Under Step 2 – Add labels, I enter an Alias name for my key and choose Next.
In this demo, I edit the key policy by adding policy statements based on the templates listed in the documentation. I skip Step 3 and Step 4 and navigate to Step 5 – Edit key policy.
Identity Center requires, at a minimum, permissions that allow the Identity Center service and its administrators to use the key. Therefore, I add the following policy statements: the first two allow the service administrators to use and describe the key, and the others authorize the Identity Center and Identity Store services. Replace the placeholder values with your own.
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Allow_IAMIdentityCenter_Admin_to_use_the_KMS_key_via_IdentityCenter_and_IdentityStore",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ARN_OF_YOUR_IDENTITY_CENTER_ADMIN_IAM_ROLE"
      },
      "Action": [
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "kms:ViaService": [
            "sso.*.amazonaws.com",
            "identitystore.*.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "Allow_IdentityCenter_admin_to_describe_the_KMS_key",
      "Effect": "Allow",
      "Principal": {
        "AWS": "ARN_OF_YOUR_IDENTITY_CENTER_ADMIN_IAM_ROLE"
      },
      "Action": "kms:DescribeKey",
      "Resource": "*"
    },
    {
      "Sid": "Allow_IdentityCenter_and_IdentityStore_to_use_the_KMS_key",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "sso.amazonaws.com",
          "identitystore.amazonaws.com"
        ]
      },
      "Action": [
        "kms:Decrypt",
        "kms:ReEncryptTo",
        "kms:ReEncryptFrom",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "YOUR_AWS_ACCOUNT_ID"
        }
      }
    },
    {
      "Sid": "Allow_IdentityCenter_and_IdentityStore_to_describe_the_KMS_key",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "sso.amazonaws.com",
          "identitystore.amazonaws.com"
        ]
      },
      "Action": [
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
I also need to add policy statements for my use case: AWS applications. I add the following two statements to the policy to allow AWS applications and their administrators to use the KMS key. The documentation covers other use cases and their corresponding policies.
{
  "Sid": "Allow_AWS_app_admins_in_the_same_AWS_organization_to_use_the_KMS_key",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalOrgID": "MY_ORG_ID (format: o-xxxxxxxx)"
    },
    "StringLike": {
      "kms:ViaService": [
        "sso.*.amazonaws.com",
        "identitystore.*.amazonaws.com"
      ]
    }
  }
},
{
  "Sid": "Allow_managed_apps_to_use_the_KMS_Key",
  "Effect": "Allow",
  "Principal": "*",
  "Action": [
    "kms:Decrypt"
  ],
  "Resource": "*",
  "Condition": {
    "Bool": { "aws:PrincipalIsAWSService": "true" },
    "StringLike": {
      "kms:ViaService": [
        "sso.*.amazonaws.com",
        "identitystore.*.amazonaws.com"
      ]
    },
    "StringEquals": { "aws:SourceOrgID": "MY_ORG_ID (format: o-xxxxxxxx)" }
  }
}
You can further restrict key use to a specific Identity Center instance, a specific application instance, or specific application administrators. The documentation contains examples of advanced key policies for these use cases.
If you want to help protect against IAM role name changes when restoring permissions, use the approach described in the documentation's trust policy example.
Part 2: Update the IAM policies that allow use of the KMS key from another AWS account
Any IAM principal that uses the Identity Center APIs from another AWS account, such as delegated Identity Center administrators and AWS application administrators, needs an IAM policy statement that allows use of the KMS key through those APIs.
I grant access to the key by creating a new policy and attaching it to the IAM role relevant to my use case. You can also add these statements to existing IAM identity policies.
To do so, after creating the key I look up its ARN and replace KEY_ARN in the template below. Then I attach the policy to the managed application's administrator IAM role. The documentation also includes IAM policies that grant Identity Center administrators access to the key.
Here is an example for a managed application administrator:
{
  "Sid": "Allow_app_admins_to_use_the_KMS_key_via_IdentityCenter_and_IdentityStore",
  "Effect": "Allow",
  "Action": "kms:Decrypt",
  "Resource": "KEY_ARN",
  "Condition": {
    "StringLike": {
      "kms:ViaService": [
        "sso.*.amazonaws.com",
        "identitystore.*.amazonaws.com"
      ]
    }
  }
}
The documentation provides IAM policy templates for the most common use cases.
Part 3: Configure IAM Identity Center to use the key
I can configure a CMK either when enabling an Identity Center instance or on an existing instance, and I can change the encryption configuration at any time by switching between CMKs or returning to AWS owned keys.
Please note that incorrect KMS key permissions can disrupt Identity Center operations and access to AWS managed applications and AWS accounts through Identity Center. Proceed carefully with this last step and make sure you have read and understood the documentation.
After I have created and configured my CMK, I can choose it under Advanced configuration when enabling Identity Center.
To configure a CMK on an existing Identity Center instance using the AWS Management Console, I start by navigating to the Identity Center section of the console. From there I select Settings, then the Management tab in the navigation pane, and I select Encryption in the Key for IAM Identity Center data encryption section.
At any time, I can select another CMK from the same AWS account or switch back to an AWS owned key.
After I confirm the change, the key switch takes several seconds. During the transition, all services continue to operate. If for any reason Identity Center cannot access the new key, an error message is returned and Identity Center continues to use the current key, while the identity data remains encrypted with the mechanism already in use.
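The CloudTrail logs mentioned in the introduction are the place to confirm that the switch worked and that every principal that needs the key can use it. The following Python script is an added example, not code from this post or an AWS tool: it scans CloudTrail records for KMS calls on the CMK that were made by or via Identity Center and Identity Store, counts successful calls per caller, and lists the denied ones. The records are constructed sample data that mimic the CloudTrail record layout for AWS KMS calls (eventSource, eventName, userIdentity.invokedBy, requestParameters.encryptionContext, resources); the key ARN, role ARNs and instance ARNs are placeholders, and the encryption-context keys are the ones named later in this post.

```python
"""Audit use of the Identity Center CMK from CloudTrail records.

Added example, not from the post. SAMPLE_RECORDS are constructed and mimic
the CloudTrail layout for AWS KMS calls; all ARNs are sample values.
"""
from collections import Counter

IDC_SERVICES = {"sso.amazonaws.com", "identitystore.amazonaws.com"}
IDC_CONTEXT_KEYS = {"aws:sso:instance-arn",
                    "aws:identitystore:identitystore-arn"}
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/example-key-id"  # constructed


def _record(name, key=KEY_ARN, invoked_by=None, caller=None, ctx=None, error=None):
    """Minimal CloudTrail-style record (constructed sample data)."""
    identity = {"type": "AWSService" if caller is None else "AssumedRole"}
    if caller:
        identity["arn"] = caller
    if invoked_by:
        identity["invokedBy"] = invoked_by
    rec = {"eventSource": "kms.amazonaws.com", "eventName": name,
           "userIdentity": identity,
           "requestParameters": {"encryptionContext": ctx or {}},
           "resources": [{"type": "AWS::KMS::Key", "ARN": key}]}
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS = [
    # Identity Center itself decrypting identity data for one instance.
    _record("Decrypt", invoked_by="sso.amazonaws.com",
            ctx={"aws:sso:instance-arn": "arn:aws:sso:::instance/ssoins-example"}),
    # Identity Store generating a data key for the directory.
    _record("GenerateDataKeyWithoutPlaintext",
            invoked_by="identitystore.amazonaws.com",
            ctx={"aws:identitystore:identitystore-arn":
                 "arn:aws:identitystore::111122223333:identitystore/d-example"}),
    # An Identity Center administrator acting through the service (Part 1).
    _record("Decrypt", invoked_by="sso.amazonaws.com",
            caller="arn:aws:sts::111122223333:assumed-role/IdentityCenterAdmin/seb"),
    # An application administrator in another account that is missing the
    # Part 2 identity policy: KMS refuses the call.
    _record("Decrypt", invoked_by="sso.amazonaws.com",
            caller="arn:aws:sts::444455556666:assumed-role/AppAdmin/alice",
            error="AccessDenied"),
    # Unrelated records: a different key, and a non-KMS event.
    _record("Decrypt", key="arn:aws:kms:us-east-1:111122223333:key/other-key"),
    {"eventSource": "sso.amazonaws.com", "eventName": "ListInstances",
     "userIdentity": {"type": "IAMUser"}},
]


def is_identity_center_key_call(rec, key_arn):
    """True for a KMS call on key_arn made by or via Identity Center/Store."""
    if rec.get("eventSource") != "kms.amazonaws.com":
        return False
    if not any(r.get("ARN") == key_arn for r in rec.get("resources", [])):
        return False
    ctx = rec.get("requestParameters", {}).get("encryptionContext", {})
    return (rec.get("userIdentity", {}).get("invokedBy") in IDC_SERVICES
            or bool(IDC_CONTEXT_KEYS & set(ctx)))


def audit(records, key_arn=KEY_ARN):
    """Return (usage, denials): usage counts successful calls per
    (caller, action); denials lists failed calls, which right after a key
    switch point at a missing key-policy or identity-policy statement."""
    usage, denials = Counter(), []
    for rec in records:
        if not is_identity_center_key_call(rec, key_arn):
            continue
        ident = rec["userIdentity"]
        caller = ident.get("arn") or ident.get("invokedBy")
        if rec.get("errorCode"):
            denials.append((caller, rec["eventName"], rec["errorCode"]))
        else:
            usage[(caller, rec["eventName"])] += 1
    return usage, denials


if __name__ == "__main__":
    usage, denials = audit(SAMPLE_RECORDS)
    for (caller, action), n in sorted(usage.items()):
        print("%-72s %-32s %d" % (caller, action, n))
    for caller, action, err in denials:
        print("DENIED %s %s: %s" % (caller, action, err))
```

To run it against real data, replace SAMPLE_RECORDS with the `Records` array of a CloudTrail log file (or the output of a CloudTrail Lake query) and set KEY_ARN to your CMK. A denial for a service principal right after the switch usually means the key policy lacks the Part 1 statements; a denial for a role in another account points at the Part 2 identity policy.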
Things to keep in mind
The encryption key you create becomes a critical part of your Identity Center setup. If you decide to use your own customer managed key to encrypt your identity attributes at rest, verify the following points.
- Have you configured the required permissions for using the KMS key? Without the right permissions, enabling the CMK can fail or disrupt IAM Identity Center and AWS managed applications.
- Have you verified that your AWS managed applications are compatible with CMKs? You can find the list of compatible applications in AWS managed applications that you can use with IAM Identity Center. Enabling a CMK for an Identity Center instance used by AWS applications that are not compatible with CMKs will disrupt those applications. If you have incompatible applications, do not proceed.
- Does your organization use AWS managed applications that require additional IAM role configuration to use the Identity Center and Identity Store APIs? For each such application that is already deployed, check its user guide for the updated KMS key requirements for use with IAM Identity Center, and update the roles as instructed to prevent the application from being disrupted.
- For brevity, the KMS key policies in this post omit the encryption context condition that lets you restrict use of the KMS key to Identity Center, including to a specific instance. For production scenarios, you can add a condition like this for Identity Center:
"Condition": { "StringLike": { "kms:EncryptionContext:aws:sso:instance-arn": "${identity_center_arn}", "kms:ViaService": "sso.*.amazonaws.com" } }
or this one for Identity Store:
"Condition": { "StringLike": { "kms:EncryptionContext:aws:identitystore:identitystore-arn": "${identity_store_arn}", "kms:ViaService": "identitystore.*.amazonaws.com" } }
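To put the key policy of Part 1, the identity policy of Part 2 and the encryption context conditions above together, here is an added Python example that is not part of the original post and is not an AWS tool or API. It assembles both policies from the templates, optionally pins the service statements to one Identity Center instance and its identity store using the conditions above, and lints the result offline for the mistakes that typically break key access or leave it too open: unfilled placeholders or empty condition values (which never match), a wildcard principal without any condition, and a service principal that can use the key without an aws:SourceAccount or aws:SourceOrgID condition. The account ID, organization ID and ARNs used in the tests and in the `__main__` block are constructed sample values; the Sids of the pinned statements are my own naming.

```python
"""Build and lint the KMS key policy and IAM identity policy from this post.

Added example, not AWS's own tooling. Account, organization and ARN values
passed in below are constructed; the statements follow the post's templates.
"""
import json
import re

VIA_SERVICE = ["sso.*.amazonaws.com", "identitystore.*.amazonaws.com"]
USE_ACTIONS = ["kms:Decrypt", "kms:ReEncryptTo", "kms:ReEncryptFrom",
               "kms:GenerateDataKeyWithoutPlaintext"]
# Unfilled template placeholders (and empty strings) never match anything,
# so the linter flags any that survive into a policy.
PLACEHOLDER_RE = re.compile(r"^(ARN_OF_|MY_ORG_ID|KEY_ARN|\s*$)")


def key_policy(account_id, org_id, admin_role_arn,
               instance_arn=None, identity_store_arn=None):
    """Part 1 key policy plus the two managed-application statements.
    When both ARNs are given, the service statement is split per service
    and pinned with the encryption-context conditions, so the key only
    works for that instance and its identity store."""
    via = {"kms:ViaService": VIA_SERVICE}
    services = ["sso.amazonaws.com", "identitystore.amazonaws.com"]
    statements = [
        {"Sid": "Allow_IAMIdentityCenter_Admin_to_use_the_KMS_key",
         "Effect": "Allow", "Principal": {"AWS": admin_role_arn},
         "Action": ["kms:Decrypt", "kms:Encrypt",
                    "kms:GenerateDataKeyWithoutPlaintext"],
         "Resource": "*", "Condition": {"StringLike": via}},
        {"Sid": "Allow_IdentityCenter_admin_to_describe_the_KMS_key",
         "Effect": "Allow", "Principal": {"AWS": admin_role_arn},
         "Action": "kms:DescribeKey", "Resource": "*"},
        {"Sid": "Allow_IdentityCenter_and_IdentityStore_to_describe_the_KMS_key",
         "Effect": "Allow", "Principal": {"Service": services},
         "Action": ["kms:DescribeKey"], "Resource": "*"},
        {"Sid": "Allow_AWS_app_admins_in_the_same_AWS_organization_to_use_the_KMS_key",
         "Effect": "Allow", "Principal": "*", "Action": ["kms:Decrypt"],
         "Resource": "*", "Condition": {
             "StringEquals": {"aws:PrincipalOrgID": org_id}, "StringLike": via}},
        {"Sid": "Allow_managed_apps_to_use_the_KMS_Key",
         "Effect": "Allow", "Principal": "*", "Action": ["kms:Decrypt"],
         "Resource": "*", "Condition": {
             "Bool": {"aws:PrincipalIsAWSService": "true"}, "StringLike": via,
             "StringEquals": {"aws:SourceOrgID": org_id}}},
    ]
    # (service principal, encryption-context key, pinned ARN, ViaService pattern)
    pins = [("sso.amazonaws.com", "kms:EncryptionContext:aws:sso:instance-arn",
             instance_arn, "sso.*.amazonaws.com"),
            ("identitystore.amazonaws.com",
             "kms:EncryptionContext:aws:identitystore:identitystore-arn",
             identity_store_arn, "identitystore.*.amazonaws.com")]
    if instance_arn and identity_store_arn:
        for service, ctx_key, arn, pattern in pins:
            statements.append({
                "Sid": "Allow_%s_to_use_the_KMS_key_for_one_instance"
                       % service.split(".")[0],
                "Effect": "Allow", "Principal": {"Service": service},
                "Action": USE_ACTIONS, "Resource": "*", "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "StringLike": {ctx_key: arn, "kms:ViaService": pattern}}})
    else:
        statements.append({
            "Sid": "Allow_IdentityCenter_and_IdentityStore_to_use_the_KMS_key",
            "Effect": "Allow", "Principal": {"Service": services},
            "Action": USE_ACTIONS, "Resource": "*",
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}}})
    return {"Version": "2012-10-17", "Id": "identity-center-cmk-policy",
            "Statement": statements}


def identity_policy(key_arn):
    """Part 2: identity-based statement for principals that call the
    Identity Center / Identity Store APIs from another account."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Allow_app_admins_to_use_the_KMS_key_via_IdentityCenter_and_IdentityStore",
        "Effect": "Allow", "Action": "kms:Decrypt", "Resource": key_arn,
        "Condition": {"StringLike": {"kms:ViaService": VIA_SERVICE}}}]}


def _strings(node):
    """Every string leaf below a nested dict/list/str policy element."""
    if isinstance(node, str):
        return [node]
    if isinstance(node, dict):
        node = node.values()
    return [s for child in node for s in _strings(child)]


def lint(policy):
    """Return findings that would break key access or leave it too open;
    an empty list means the policy passed every check."""
    findings, sids = [], set()
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        if sid in sids:
            findings.append("%s: duplicate Sid" % sid)
        sids.add(sid)
        for value in _strings([st.get("Principal", {}), st.get("Resource", "*"),
                               st.get("Condition", {})]):
            if PLACEHOLDER_RE.match(value):
                findings.append("%s: unfilled value %r" % (sid, value))
        condition_keys = {k for block in st.get("Condition", {}).values()
                          for k in block}
        if st.get("Principal") == "*" and not condition_keys:
            findings.append("%s: wildcard principal without a Condition" % sid)
        data_ops = set(_strings(st["Action"])) - {"kms:DescribeKey"}
        if ("Service" in (st.get("Principal") or {}) and data_ops
                and not condition_keys & {"aws:SourceAccount", "aws:SourceOrgID"}):
            # Without a source condition, another account could make the
            # service use this key on its behalf (confused deputy).
            findings.append("%s: service principal lacks aws:SourceAccount" % sid)
    return findings


if __name__ == "__main__":
    policy = key_policy("111122223333", "o-exampleorg1",
                        "arn:aws:iam::111122223333:role/IdentityCenterAdmin")
    print(json.dumps(policy, indent=2))
    print("findings:", lint(policy) or "none")
```

Run `lint()` on the policy document before pasting it into Step 5 of the wizard (or before `aws kms put-key-policy`), and again on the Part 2 identity policy with the real key ARN filled in; an empty list is the expected result, and each finding names the Sid to fix.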
Pricing and availability
Standard AWS KMS charges apply for key storage and API usage. Identity Center remains available at no additional cost.
This capability is available today in all AWS Regions, AWS GovCloud (US) Regions, and AWS China Regions. To learn more, visit the IAM Identity Center documentation.
We look forward to learning how you use this new capability to meet your security and compliance requirements.
– seb