AWS Requirements for BYOK

To use AWS with BYOK, you must create a new, dedicated IAM user in your AWS account to act as the service account.

  • Do not reuse an existing user or an existing access key. Create the service account with the permissions listed in AWS BYOK Service Account Requirements.

  • Create an access key for the service account by logging in to AWS as the service account.

  • Use the access key only once. Do not reuse it for any other purpose or integration.

  • Do not delete any access keys from the service account.

  • Do not attach the same AWS account to multiple Cryptographic Security Platform Vault clusters.

  • Do not share the AWS BYOK service account with any other user, application, or integration.

You must also meet the following endpoint requirements:

  • If your organization restricts outbound access to the public internet, the following endpoints must be allowed (whitelisted) in your egress filtering for AWS BYOK to function correctly:

    • https://iam.amazonaws.com

    • https://kms.<region>.amazonaws.com

    • https://ssm.<region>.amazonaws.com

    • https://ec2.<region>.amazonaws.com

      Note: The IAM endpoint is global. The KMS, SSM, and EC2 endpoints are regional and must be individually allowed for each region that you want to use.

  • If a proxy is in use in the network, you can test connectivity to these endpoints from the Cryptographic Security Platform Vault Appliance Management application on the Settings > Proxy Settings page.
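The following preflight script is an added example and is not part of the product documentation or the vendor's tooling. It covers both requirement lists above: it checks the output of `aws iam list-access-keys` against the service-account rules (exactly one key, Active, owned by the dedicated user) and probes every documented endpoint for the regions you name, optionally through a proxy. The service account name "byok-vault-svc", the sample key listing, and the command-line options are assumptions made for the example; the endpoint list is the one given on this page.

```python
"""Preflight checks for an AWS BYOK service account and the required endpoints.

Added example, not part of the product documentation. It assumes (not stated
on the page) that you have already captured
    aws iam list-access-keys --user-name <service-account> > keys.json
and that the service account is named "byok-vault-svc".
"""
import argparse
import json
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

# Endpoint list taken from the documentation: IAM is global, the rest are regional.
GLOBAL_ENDPOINTS = ["https://iam.amazonaws.com"]
REGIONAL_SERVICES = ["kms", "ssm", "ec2"]

# Constructed sample of `aws iam list-access-keys` output (not real data):
# one Active key owned by the dedicated service account.
SAMPLE_LIST_ACCESS_KEYS = json.dumps({
    "AccessKeyMetadata": [
        {"UserName": "byok-vault-svc",
         "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
         "Status": "Active",
         "CreateDate": "2024-01-01T00:00:00+00:00"}
    ]
})


def required_endpoints(regions: List[str]) -> List[str]:
    """Expand the documented endpoints for every region you intend to use."""
    urls = list(GLOBAL_ENDPOINTS)
    for region in regions:
        for service in REGIONAL_SERVICES:
            urls.append(f"https://{service}.{region}.amazonaws.com")
    return urls


def check_access_keys(list_access_keys_json: str, expected_user: str) -> Tuple[bool, List[str]]:
    """Apply the service-account rules to `aws iam list-access-keys` output:
    exactly one key, Active, and owned by the dedicated user."""
    keys = json.loads(list_access_keys_json).get("AccessKeyMetadata", [])
    problems: List[str] = []
    if not keys:
        problems.append("no access key exists; create exactly one for the service account")
    elif len(keys) > 1:
        problems.append(f"{len(keys)} access keys found; the service account must have exactly one")
    for key in keys:
        key_id = key.get("AccessKeyId", "<unknown>")
        if key.get("UserName") != expected_user:
            problems.append(f"{key_id} belongs to {key.get('UserName')}, not {expected_user}")
        if key.get("Status") != "Active":
            problems.append(f"{key_id} is {key.get('Status')}, not Active")
    return (not problems, problems)


def probe_endpoint(url: str, proxy: Optional[str] = None, timeout: float = 5.0) -> Tuple[bool, str]:
    """HTTPS reachability probe through an optional proxy. Any HTTP response,
    including 403/404 for an unauthenticated GET, proves the network path
    works; only connection-level failures count as unreachable."""
    handlers = [urllib.request.ProxyHandler({"https": proxy})] if proxy else []
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return (True, f"HTTP {resp.status}")
    except urllib.error.HTTPError as exc:
        return (True, f"HTTP {exc.code}")
    except (urllib.error.URLError, OSError) as exc:
        return (False, str(exc))


def main() -> int:
    parser = argparse.ArgumentParser(description="AWS BYOK preflight checks")
    parser.add_argument("--user", default="byok-vault-svc", help="dedicated service account name")
    parser.add_argument("--keys-json", help="file with `aws iam list-access-keys` output")
    parser.add_argument("--region", action="append", default=[], help="region in use (repeatable)")
    parser.add_argument("--proxy", help="outbound proxy URL, e.g. http://proxy.example.com:3128")
    args = parser.parse_args()

    keys_json = open(args.keys_json).read() if args.keys_json else SAMPLE_LIST_ACCESS_KEYS
    ok, problems = check_access_keys(keys_json, args.user)
    print("service account:", "OK" if ok else "FAIL")
    for problem in problems:
        print("  -", problem)

    all_reachable = True
    for url in required_endpoints(args.region):
        reachable, detail = probe_endpoint(url, args.proxy)
        all_reachable = all_reachable and reachable
        print(f"{'OK  ' if reachable else 'FAIL'} {url} ({detail})")
    return 0 if ok and all_reachable else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as `python preflight.py --keys-json keys.json --region us-east-1 --region eu-west-1 --proxy http://proxy.example.com:3128`. The probe deliberately treats any HTTP status as "reachable", because an unauthenticated GET to these endpoints normally returns 403 or 404; the point is whether the TLS connection can be established through the proxy or firewall at all. A proxy that blocks a domain by serving its own HTTP error page will therefore also show as an HTTP response, so compare a suspicious result against the proxy logs before concluding that the endpoint is allowed.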