Help Center

Integrations

Cloud Services

AWS KMS - User Guide

In this article, you will understand step by step how to easily integrate with AWS KMS

AWS KMS integration monitors the cryptographic keys configured in the AWS KMS service to verify the company has an established key management process in place. The integration will check if the cryptographic keys are defined by strong algorithms and if a yearly rotation is enabled.

Permissions:

All the permissions required for the integration with AWS KMS are read-only and do not allow Scytale to perform any actions within your AWS account.

kms:ListAliases
kms:ListKeys
kms:DescribeKey
kms:GetKeyRotationStatus
ec2:DescribeRegions

How to connect AWS KMS integration?

💡The AWS KMS integration follows the same process as the other AWS services i.e. the screenshots follow the same process as the other AWS services. The only difference is the list of permissions.

Log in to the Scytale web app

Click on the "Integrations" menu screen to the left
Click on the "Connect" button under the AWS KMS icon

There are two methods to connect to AWS KMS:

💡The first method is recommended and as default, it will show up in the connection,
but if you prefer the second method, you can switch between them by clicking on the switch button.

Connect with IAM role - the main actions in AWS IAM:
Create a policy with permissions for the integration, and then create the assumed role.
Connect with Access keys - the main actions in AWS IAM:
Create a policy with permissions for the integration, and then create a user assigned to it. At the end of creating the user, you provide the access key and secret key.

💡In the connection screen, you can change the connection method by clicking on the switch button.

Connection Name (relevant for both methods) - is used to differentiate between your connections. For instance, if you manage multiple AWS accounts or would like to connect multiple times to the integration. It's automatically titled (Connection 1,2,3 etc), but you can change it to a custom name to make it easier to identify.
For example: scytale-production-env.

The First Method: Connect with IAM Role

Step 1: Create a policy in AWS IAM Console

Go to the AWS Console
In the top search, write IAM and select it in services

On the left sidebar, go to Access Management and select Policies

In the Create Policy screen follow the instructions:

- Service - select KMS
- Actions - search and enable the following permissions:
  - kms:ListAliases
  - kms:ListKeys
  - kms:DescribeKey
  - kms:GetKeyRotationStatus
- Resources - select the "All resources" option.
- Request conditions - Leave as is

Tags do not need to be added, click on the Next: Review button.

On the Review policy page please fill in the following fields:
- Name the policy: for example - scytale-aws-kms
- Description: you can write your description
- Click on "Create policy"

Step 2: Create an IAM role

On the left menu in the IAM service, select Roles.
In the top right corner, click on create role.
In the trusted entity type - select AWS account.
Then, enable "Another AWS account"
- The Account ID should be copied from the connection in Scytale.
Under options, enable "Require external ID (Best practice when a third party will assume this role)"
- The External ID should be copied from the connection in Scytale.
Please don't enable the require MFA.
Click on "Next"

In the Add permissions step, find the policy you created in the previous step.
Enable this policy.
Click on "Next"
Then, add the role name and review the policy and role details.
Click on "Create role" if all the details are correct.

Click "View role" in the success notification at the top of the screen.

Copy the ARN from Summary and paste it into Scytale's Role ARN field.

Click on Connect in Scytale after pasting the Role ARN.

The second Method: Connect with Access keys

Step 1: Create a policy in AWS IAM Console

Access the AWS Console.
In the search bar at the top, type in "IAM" and select it from the search results.

On the left sidebar, under the Access Management dropdown, select Policies

In the right corner, click on Create Policy

In the Create Policy screen follow the instructions:

Service - select KMS
Actions - search and enable the following permissions:
- kms:ListAliases
- kms:ListKeys
- kms:DescribeKey
- kms:GetKeyRotationStatus

Resources - select the "All resources" option.
Request conditions - Leave as is

Tags do not need to be added, click on the Next: Review button.

Name the policy: for example - scytale-aws-kms
Description: you can write your description
Click on "Create policy"

Step 2: Create a user and generate an Access key

On the left sidebar, go to Access Management and select Users
In the top right corner, click on Add users

In the user name field, please enter the following: scytale-kms
For the "Select AWS credential type" option - tick the "Access key - Programmatic access" box
Click on Next:Permissions button

In the Set permissions screen, select the option: Attach existing policies directly
Search and select the policy that you created - scytale-aws-kms
Click on Next:Tags

Tags do not need to be added, click on the Next: Review button.

Click on Create user button

Copy the Access key ID and the Secret access key (The values should be used to fill in the fields in AWS RDS integration in Scytale).

In Scytale, click Connect on to AWS KMS.
Click the button to switch to the Access keys method and then paste the keys.