Creating an instance
Note
Only the AWS Management Console administrator can create an instance. The AWS Management Console administrator who creates the AWS Supply Chain instance should have all permissions listed under Using the AWS Supply Chain console. This administrator should invite an IAM user as an AWS Supply Chain administrator to manage AWS Supply Chain.
To create an AWS Supply Chain instance, follow these steps.
Note
You can create up to 10 instances within an AWS account. The 10 instances include active and initializing instances. If you've already activated IAM Identity Center (successor to AWS Single Sign-On), you must create your AWS Supply Chain instance in the same AWS Region where you've activated IAM Identity Center. AWS Supply Chain doesn't support IAM Identity Center calls across Regions.
- Open the AWS Supply Chain console at https://console.aws.amazon.com/scn/home.
- If necessary, change the AWS Region. In the bar at the top of the console window, open the Select a Region list and choose a Region. For more information about Regions, see Regions and endpoints in the IAM User Guide. Also, see Regions and endpoints in the Amazon Web Services General Reference.
Note
AWS Supply Chain is only supported in the US East (N. Virginia), US West (Oregon), Europe (Frankfurt), Asia Pacific (Sydney), and Europe (Ireland) Regions.
- On the AWS Supply Chain dashboard, choose Create instance.
- On the Instance properties page, enter the following information:
  - AWS Region – Choose the Region where you have activated IAM Identity Center. To change the Region, choose Select a Region from the dropdown menu at the top right. You can't change the Region after you create the instance.
  - Name – Enter the instance name.
  - (Optional) Description – Enter a description for the instance.
  - (Optional) Under AWS KMS Key, you can either choose to use the default AWS KMS key or provide your own AWS KMS key. If you are using your own AWS KMS key, choose Customize encryption settings and, under Choose an AWS KMS Key, enter your AWS KMS key and update your AWS KMS key policy with the following.
Note
AWS owned key is the recommended default setting for AWS Supply Chain instances. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. AWS owned keys are completely free of charge (no monthly fees or usage fees), they do not count against the AWS KMS quotas for your account, and they're easy to use. You don't need to create or maintain the key or its key policy.
Note
As an application administrator, when you add users to the AWS Supply Chain instance, they have access to the AWS KMS key. You can manage the user permissions to add or remove users. For more information on user permissions, see User permission roles.
Note
Replace YourAccountNumber, Region, YourInstanceID, and YourKmsKeyArn with your AWS account number, AWS Region, AWS Supply Chain instance ID, and the AWS KMS key ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::YourAccountNumber:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access through SecretManager for all principals in the account that are authorized to use SecretManager",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:CreateGrant",
        "kms:DescribeKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "secretsmanager.Region.amazonaws.com",
          "kms:CallerAccount": "YourAccountNumber"
        }
      }
    }
  ]
}
```

If you don't have a KMS key, choose Create to go to the AWS KMS console, where you can create this key. Use the previous KMS key policy. For detailed information on how to create KMS keys, see Creating keys in the AWS Key Management Service Developer Guide.
If you plan to use an S/4 HANA data connection, make sure that the KMS key that you provided has the aws-supply-chain-access tag with an associated Value of true.
  - (Optional) Under Instance tags, choose Add new tag to assign a tag for your instance. You can use these tags to identify your instance. For information on tags, see Creating tags.
- Choose Create instance.
It takes approximately 2 to 3 minutes for the AWS Supply Chain instance to be created. Once the instance is created, the Status field on the AWS Supply Chain dashboard shows as Active.
- (Optional) Once your AWS Supply Chain instance is created, if you chose to use your own AWS KMS key under AWS KMS Key, update your KMS key policy to allow AWS Supply Chain to access your AWS KMS key.
Note
Replace YourInstanceID with your AWS Supply Chain instance ID. You can find your instance ID on the AWS Supply Chain console dashboard. Add the following statements to your KMS key policy.

```json
{
  "Sid": "Allow AWS Supply Chain to access the AWS KMS Key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::YourAccountNumber:role/service-role/scn-instance-role-YourInstanceID"
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "YourKmsKeyArn"
},
{
  "Sid": "Enable ASC to backfill KMS permissions",
  "Effect": "Allow",
  "Principal": {
    "Service": "scn.Region.amazonaws.com"
  },
  "Action": [
    "kms:Encrypt",
    "kms:GenerateDataKeyWithoutPlaintext",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:Decrypt",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
    "kms:CreateGrant",
    "kms:RetireGrant"
  ],
  "Resource": "YourKmsKeyArn"
}
```
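The following Python check is an added example, not AWS or AWS Supply Chain code: it lints a KMS key policy document offline before you apply it, confirming that the post-creation statement for `scn-instance-role-YourInstanceID` grants the three actions from the step above on the key ARN, and flagging any `"Principal": {"AWS": "*"}` statement (such as the Secrets Manager one in the first policy) that is not pinned to your account by `kms:CallerAccount` and to a service by `kms:ViaService`, since those two conditions are what keep that wildcard from being a grant to every AWS principal. The account number, Region, instance ID and key ARN are constructed placeholders.

```python
# Constructed placeholder values; substitute your own when running this for real.
ACCOUNT, REGION, INSTANCE_ID = "111122223333", "us-east-1", "example-instance-id"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/service-role/scn-instance-role-{INSTANCE_ID}"
REQUIRED_ROLE_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}

# Constructed policies for the page's two stages: before (Secrets Manager only) and after (instance role added).
SECRETS_STMT = {
    "Sid": "SecretsManager", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey*"], "Resource": "*",
    "Condition": {"StringEquals": {"kms:ViaService": f"secretsmanager.{REGION}.amazonaws.com",
                                   "kms:CallerAccount": ACCOUNT}},
}
ROLE_STMT = {
    "Sid": "AllowSupplyChain", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN,
}
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [SECRETS_STMT]}
POLICY_AFTER = {"Version": "2012-10-17", "Statement": [SECRETS_STMT, ROLE_STMT]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_key_policy(policy, account=ACCOUNT, role_arn=ROLE_ARN, key_arn=KEY_ARN):
    # Returns a list of findings; an empty list means the policy matches what this page requires.
    findings, role_found = [], False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal = stmt.get("Sid", "<no Sid>"), stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # A wildcard principal is acceptable only when pinned to this account and to a service.
        if "*" in aws and (cond.get("kms:CallerAccount") != account or "kms:ViaService" not in cond):
            findings.append(f"{sid}: Principal * not pinned by kms:CallerAccount/kms:ViaService")
        # The instance-role statement must grant the page's three actions on this specific key.
        if role_arn in aws:
            role_found = True
            missing = REQUIRED_ROLE_ACTIONS - set(_as_list(stmt.get("Action", [])))
            if missing:
                findings.append(f"{sid}: instance role missing {sorted(missing)}")
            if key_arn not in _as_list(stmt.get("Resource", [])):
                findings.append(f"{sid}: instance role Resource must be the key ARN")
    if not role_found:
        findings.append(f"no statement grants the instance role {role_arn}")
    return findings


if __name__ == "__main__":
    print("before:", lint_key_policy(POLICY_BEFORE))  # one finding: role not yet granted
    print("after:", lint_key_policy(POLICY_AFTER))  # []
```

The `scn.Region.amazonaws.com` service-principal statement from the second policy is not checked here; it has no `AWS` principal and is skipped.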