AWS BYOK Service Account Requirements

KeyControl BYOK requires a service account in the form of an IAM user to integrate with AWS. This service account is used to connect to the CSP Account created in KeyControl.

To create an AWS service account:

  1. Create a customer-managed policy.
  2. Ensure the following permissions are added:

    • KMSFullAccess

    • IAM GetUser

    • IAM ListUsers

    • IAM ListAccessKeys

    • IAM CreateAccessKey

    • IAM DeleteAccessKey

    • IAM UpdateAccessKey

    • EC2 DescribeRegions

    • SSM GetParameter

    Note: If you log in with this service account and attempt to view keys through the AWS KMS console, you will see error messages because these permissions are not sufficient for viewing. You will need to add additional privileges such as tag:GetResources.

Sample Policy in JSON format

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "kms:*",
                "ec2:DescribeRegions",
                "iam:UpdateAccessKey",
                "iam:ListUsers",
                "iam:GetUser",
                "ssm:GetParameter",
                "iam:CreateAccessKey",
                "iam:ListAccessKeys"
            ],
            "Resource": "*"
        }
    ]
}
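The following script is an added example and is not part of the KeyControl documentation or the product: it checks that a customer-managed policy document actually grants every action the list above requires, taking IAM's wildcard and case-insensitive action matching into account, reports any required action that an explicit Deny would override, and lists wildcard actions granted on Resource "*" so a reviewer can see how broad the KMS grant is. The sample policy is the one shown above, embedded as a string so the check runs offline; the function and constant names are this example's own. Statements using NotAction are rejected rather than guessed at.

```python
"""Verify an IAM policy grants the actions a KeyControl BYOK service account needs.

Added example, not Entrust's code. REQUIRED_ACTIONS mirrors the permission list
on this page ("KMSFullAccess" is expressed as kms:*, as in the sample policy).
"""
import fnmatch
import json

# Permissions the page lists for the BYOK service account, as IAM action patterns.
REQUIRED_ACTIONS = [
    "kms:*",
    "iam:GetUser",
    "iam:ListUsers",
    "iam:ListAccessKeys",
    "iam:CreateAccessKey",
    "iam:DeleteAccessKey",
    "iam:UpdateAccessKey",
    "ec2:DescribeRegions",
    "ssm:GetParameter",
]

# The page's sample policy, embedded here so the check runs without AWS access.
SAMPLE_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteAccessKey",
                "kms:*",
                "ec2:DescribeRegions",
                "iam:UpdateAccessKey",
                "iam:ListUsers",
                "iam:GetUser",
                "ssm:GetParameter",
                "iam:CreateAccessKey",
                "iam:ListAccessKeys"
            ],
            "Resource": "*"
        }
    ]
}"""


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _covers(granted, required):
    """True if the granted action pattern covers the required action (pattern).

    IAM action matching is case-insensitive and treats '*' and '?' as wildcards,
    so a granted 'kms:*' covers both 'kms:CreateKey' and the pattern 'kms:*'.
    """
    return fnmatch.fnmatchcase(required.lower(), granted.lower())


def check_policy(policy, required=REQUIRED_ACTIONS):
    """Return required actions that are missing or explicitly denied, plus wildcard grants.

    `policy` may be a JSON string or an already-parsed dict. Deny handling is
    simplified: a Deny is treated as overriding regardless of its Resource or
    Condition, which is the conservative reading for a review.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allows, denies, wildcard_grants = [], [], []
    for stmt in _as_list(doc.get("Statement")):
        if "NotAction" in stmt:
            # NotAction grants everything except the listed actions; refuse rather than guess.
            raise ValueError(f"NotAction in statement {stmt.get('Sid')!r} is not supported")
        actions = _as_list(stmt.get("Action"))
        effect = stmt.get("Effect")
        if effect == "Allow":
            allows.extend(actions)
            # Wildcard actions on Resource "*" are worth a reviewer's attention.
            if "*" in _as_list(stmt.get("Resource")):
                wildcard_grants.extend(a for a in actions if "*" in a)
        elif effect == "Deny":
            denies.extend(actions)

    missing = [r for r in required if not any(_covers(a, r) for a in allows)]
    # An explicit Deny wins over any Allow in IAM policy evaluation.
    denied = [r for r in required if any(_covers(d, r) for d in denies)]
    return {"missing": missing, "denied": denied, "wildcard_grants": wildcard_grants}


if __name__ == "__main__":
    print(json.dumps(check_policy(SAMPLE_POLICY), indent=2))
```

Run against the sample policy, `missing` and `denied` come back empty and `wildcard_grants` contains only `kms:*`, which is the grant to weigh against the "KMSFullAccess" requirement when reviewing the service account's blast radius. Feeding the script a policy exported from an existing account shows at a glance which listed permission was left out.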