Controlling access to your Amazon CloudHSM key store - Amazon Key Management Service
Authorizing Amazon CloudHSM key store managers and usersAuthorizing Amazon KMS to manage Amazon CloudHSM and Amazon EC2 resources
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Controlling access to your Amazon CloudHSM key store

You use IAM policies to control access to your Amazon CloudHSM key store and your Amazon CloudHSM cluster. You can use key policies, IAM policies, and grants to control access to the Amazon KMS keys in your Amazon CloudHSM key store. We recommend that you provide users, groups, and roles only the permissions that they require for the tasks that they are likely to perform.

Authorizing Amazon CloudHSM key store managers and users

When designing your Amazon CloudHSM key store, be sure that the principals who use and manage it have only the permissions that they require. The following list describes the minimum permissions required for Amazon CloudHSM key store managers and users.

  • Principals who create and manage your Amazon CloudHSM key store require the following permission to use the Amazon CloudHSM key store API operations.

    • cloudhsm:DescribeClusters

    • kms:CreateCustomKeyStore

    • kms:ConnectCustomKeyStore

    • kms:DeleteCustomKeyStore

    • kms:DescribeCustomKeyStores

    • kms:DisconnectCustomKeyStore

    • kms:UpdateCustomKeyStore

    • iam:CreateServiceLinkedRole

  • Principals who create and manage the Amazon CloudHSM cluster that is associated with your Amazon CloudHSM key store need permission to create and initialize an Amazon CloudHSM cluster. This includes permission to create or use an Amazon Virtual Private Cloud (VPC), create subnets, and create an Amazon EC2 instance. They might also need to create and delete HSMs, and manage backups. For lists of the required permissions, see Identity and access management for Amazon CloudHSM in the Amazon CloudHSM User Guide.

  • Principals who create and manage Amazon KMS keys in your Amazon CloudHSM key store require the same permissions as those who create and manage any KMS key in Amazon KMS. The default key policy for a KMS key in an Amazon CloudHSM key store is identical to the default key policy for KMS keys in Amazon KMS. Attribute-based access control (ABAC), which uses tags and aliases to control access to KMS keys, is also effective on KMS keys in Amazon CloudHSM key stores.

  • Principals who use the KMS keys in your Amazon CloudHSM key store for cryptographic operations need permission to perform the cryptographic operation with the KMS key, such as kms:Decrypt. You can provide these permissions in a key policy, IAM policy. But, they do not need any additional permissions to use a KMS key in an Amazon CloudHSM key store.

Authorizing Amazon KMS to manage Amazon CloudHSM and Amazon EC2 resources

To support your Amazon CloudHSM key stores, Amazon KMS needs permission to get information about your Amazon CloudHSM clusters. It also needs permission to create the network infrastructure that connects your Amazon CloudHSM key store to its Amazon CloudHSM cluster. To get these permissions, Amazon KMS creates the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role in your Amazon Web Services account. Users who create Amazon CloudHSM key stores must have the iam:CreateServiceLinkedRole permission that allows them to create service-linked roles.

About the Amazon KMS service-linked role

A service-linked role is an IAM role that gives one Amazon service permission to call other Amazon services on your behalf. It's designed to make it easier for you to use the features of multiple integrated Amazon services without having to create and maintain complex IAM policies. For more information, see Using service-linked roles for Amazon KMS.

For Amazon CloudHSM key stores, Amazon KMS creates the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role with the AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy policy. This policy grants the role the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudhsm:Describe*",
        "ec2:CreateNetworkInterface",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeSecurityGroups",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeVpcs",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    }
  ]
}

Because the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role trusts only cks.kms.amazonaws.com, only Amazon KMS can assume this service-linked role. This role is limited to the operations that Amazon KMS needs to view your Amazon CloudHSM clusters and to connect an Amazon CloudHSM key store to its associated Amazon CloudHSM cluster. It does not give Amazon KMS any additional permissions. For example, Amazon KMS does not have permission to create, manage, or delete your Amazon CloudHSM clusters, HSMs, or backups.

Regions

Like the Amazon CloudHSM key stores feature, the AWSServiceRoleForKeyManagementServiceCustomKeyStores role is supported in all Amazon Web Services Regions where Amazon KMS and Amazon CloudHSM are available. For a list of Amazon Web Services Regions that each service supports, see Amazon Key Management Service Endpoints and Quotas and Amazon CloudHSM endpoints and quotas in the Amazon Web Services General Reference.

For more information about how Amazon services use service-linked roles, see Using service-linked roles in the IAM User Guide.

Create the service-linked role

Amazon KMS automatically creates the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role in your Amazon Web Services account when you create an Amazon CloudHSM key store, if the role does not already exist. You cannot create or re-create this service-linked role directly.

Edit the service-linked role description

You cannot edit the role name or the policy statements in the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role, but you can edit role description. For instructions, see Editing a service-linked role in the IAM User Guide.

Delete the service-linked role

Amazon KMS does not delete the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role from your Amazon Web Services account even if you have deleted all of your Amazon CloudHSM key stores. Although there is currently no procedure for deleting the AWSServiceRoleForKeyManagementServiceCustomKeyStores service-linked role, Amazon KMS does not assume this role or use its permissions unless you have active Amazon CloudHSM key stores.