Control access to your AWS CloudHSM key store
You use IAM policies to control access to your AWS CloudHSM key store and your AWS CloudHSM cluster. You can use key policies, IAM policies, and grants to control access to the AWS KMS keys in your AWS CloudHSM key store. We recommend that you provide users, groups, and roles only the permissions that they require for the tasks that they are likely to perform.
Authorizing AWS CloudHSM key store managers and users
When designing your AWS CloudHSM key store, be sure that the principals who use and manage it have only the permissions that they require. The following list describes the minimum permissions required for AWS CloudHSM key store managers and users.
- Principals who create and manage your AWS CloudHSM key store require the following permissions to use the AWS CloudHSM key store API operations:
  - cloudhsm:DescribeClusters
  - kms:CreateCustomKeyStore
  - kms:ConnectCustomKeyStore
  - kms:DeleteCustomKeyStore
  - kms:DescribeCustomKeyStores
  - kms:DisconnectCustomKeyStore
  - kms:UpdateCustomKeyStore
  - iam:CreateServiceLinkedRole
- Principals who create and manage the AWS CloudHSM cluster that is associated with your AWS CloudHSM key store need permission to create and initialize an AWS CloudHSM cluster. This includes permission to create or use an Amazon Virtual Private Cloud (VPC), create subnets, and create an Amazon EC2 instance. They might also need to create and delete HSMs, and manage backups. For lists of the required permissions, see Identity and access management for AWS CloudHSM in the AWS CloudHSM User Guide.
- Principals who create and manage AWS KMS keys in your AWS CloudHSM key store require the same permissions as those who create and manage any KMS key in AWS KMS. The default key policy for a KMS key in an AWS CloudHSM key store is identical to the default key policy for KMS keys in AWS KMS. Attribute-based access control (ABAC), which uses tags and aliases to control access to KMS keys, is also effective on KMS keys in AWS CloudHSM key stores.
- Principals who use the KMS keys in your AWS CloudHSM key store for cryptographic operations need permission to perform the cryptographic operation with the KMS key, such as kms:Decrypt. You can provide these permissions in a key policy or an IAM policy. They do not need any additional permissions to use a KMS key in an AWS CloudHSM key store.
Authorizing AWS KMS to manage AWS CloudHSM and Amazon EC2 resources
To support your AWS CloudHSM key stores, AWS KMS needs permission to get information about your AWS CloudHSM clusters. It also needs permission to create the network infrastructure that connects your AWS CloudHSM key store to its AWS CloudHSM cluster. To get these permissions, AWS KMS creates the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role in your AWS account. Users who create AWS CloudHSM key stores must have the iam:CreateServiceLinkedRole permission that allows them to create service-linked roles.
About the AWS KMS service-linked role
A service-linked role is an IAM role that gives one AWS service permission to call other AWS services on your behalf. It's designed to make it easier for you to use the features of multiple integrated AWS services without having to create and maintain complex IAM policies. For more information, see Using service-linked roles for AWS KMS.
For AWS CloudHSM key stores, AWS KMS creates the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role with the AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy policy. This policy grants the role the following permissions:
- cloudhsm:Describe* – detects changes in the AWS CloudHSM cluster that is attached to your custom key store.
- ec2:CreateSecurityGroup – used when you connect an AWS CloudHSM key store to create the security group that enables network traffic flow between AWS KMS and your AWS CloudHSM cluster.
- ec2:AuthorizeSecurityGroupIngress – used when you connect an AWS CloudHSM key store to allow network access from AWS KMS into the VPC that contains your AWS CloudHSM cluster.
- ec2:CreateNetworkInterface – used when you connect an AWS CloudHSM key store to create the network interface used for communication between AWS KMS and the AWS CloudHSM cluster.
- ec2:RevokeSecurityGroupEgress – used when you connect an AWS CloudHSM key store to remove all outbound rules from the security group that AWS KMS created.
- ec2:DeleteSecurityGroup – used when you disconnect an AWS CloudHSM key store to delete security groups that were created when you connected the AWS CloudHSM key store.
- ec2:DescribeSecurityGroups – used to monitor changes in the security group that AWS KMS created in the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in case of failures.
- ec2:DescribeVpcs – used to monitor changes in the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in case of failures.
- ec2:DescribeNetworkAcls – used to monitor changes in the network ACLs for the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in case of failures.
- ec2:DescribeNetworkInterfaces – used to monitor changes in the network interfaces that AWS KMS created in the VPC that contains your AWS CloudHSM cluster so that AWS KMS can provide clear error messages in case of failures.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudhsm:Describe*",
        "ec2:CreateNetworkInterface",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeVpcs",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    }
  ]
}
```
Because the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role trusts only cks.kms.amazonaws.com, only AWS KMS can assume this service-linked role. This role is limited to the operations that AWS KMS needs to view your AWS CloudHSM clusters and to connect an AWS CloudHSM key store to its associated AWS CloudHSM cluster. It does not give AWS KMS any additional permissions. For example, AWS KMS does not have permission to create, manage, or delete your AWS CloudHSM clusters, HSMs, or backups.
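The two permission lists above (the minimum for key store managers, and the service-linked role's policy and trust relationship) can be turned into an offline drift check. The following is an added example, not AWS code: it assumes policy documents have already been retrieved from IAM and parsed into Python dicts, and the drifted manager policy at the end is a constructed sample, not a real account's policy.

```python
import fnmatch

# Documented minimum for principals who create and manage the key store.
MANAGER_ACTIONS = {
    "cloudhsm:DescribeClusters", "kms:CreateCustomKeyStore",
    "kms:ConnectCustomKeyStore", "kms:DeleteCustomKeyStore",
    "kms:DescribeCustomKeyStores", "kms:DisconnectCustomKeyStore",
    "kms:UpdateCustomKeyStore", "iam:CreateServiceLinkedRole",
}
# Documented permissions of AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy.
SLR_ACTIONS = {
    "cloudhsm:Describe*", "ec2:CreateNetworkInterface",
    "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup",
    "ec2:DescribeSecurityGroups", "ec2:RevokeSecurityGroupEgress",
    "ec2:DeleteSecurityGroup", "ec2:DescribeVpcs",
    "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces",
}
SLR_TRUSTED_SERVICE = "cks.kms.amazonaws.com"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allow_statements(policy):
    return [s for s in policy["Statement"] if s.get("Effect") == "Allow"]

def excess_actions(policy, documented):
    """Allowed actions broader than `documented`: a grant passes only if it equals
    a documented entry, or has no wildcard and falls under a documented pattern."""
    excess = set()
    for granted in (a for s in _allow_statements(policy) for a in _as_list(s.get("Action", []))):
        if granted in documented:
            continue
        if "*" not in granted and any(fnmatch.fnmatchcase(granted, d) for d in documented):
            continue
        excess.add(granted)  # e.g. kms:* or ec2:Describe* covers more than documented
    return sorted(excess)

def untrusted_principals(trust_policy):
    """Principals other than cks.kms.amazonaws.com that the trust policy lets assume the role."""
    bad = set()
    for stmt in _allow_statements(trust_policy):
        principal = stmt.get("Principal", {})
        # Flatten every principal kind (Service, AWS, Federated) or a bare "*".
        values = [v for vs in principal.values() for v in _as_list(vs)] if isinstance(principal, dict) else [principal]
        bad.update(v for v in values if v != SLR_TRUSTED_SERVICE)
    return sorted(bad)

# Constructed sample: a manager policy that drifted to kms:*. excess_actions(...) -> ['kms:*']
DRIFTED_MANAGER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["cloudhsm:DescribeClusters", "kms:*",
                                   "iam:CreateServiceLinkedRole"], "Resource": "*"}]}
```

Running `excess_actions(role_policy, SLR_ACTIONS)` and `untrusted_principals(trust_policy)` against the real service-linked role should both return empty lists; anything else is worth a closer look.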
Regions
Like the AWS CloudHSM key stores feature, the AWSServiceRoleForKeyManagementServiceCustomKeyStores role is supported in all AWS Regions where AWS KMS and AWS CloudHSM are available. For a list of AWS Regions that each service supports, see AWS Key Management Service Endpoints and Quotas and AWS CloudHSM endpoints and quotas in the Amazon Web Services General Reference.
For more information about how AWS services use service-linked roles, see Using service-linked roles in the IAM User Guide.
Create the service-linked role
AWS KMS automatically creates the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role in your AWS account when you create an AWS CloudHSM key store, if the role does not already exist. You cannot create or re-create this service-linked role directly.
Edit the service-linked role description
You cannot edit the role name or the policy statements in the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role, but you can edit the role description. For instructions, see Editing a service-linked role in the IAM User Guide.
Delete the service-linked role
AWS KMS does not delete the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role from your AWS account even if you have deleted all of your AWS CloudHSM key stores. Although there is currently no procedure for deleting the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role, AWS KMS does not assume this role or use its permissions unless you have active AWS CloudHSM key stores.