AWS Key Management Services

Task 1: Setting up the Encryption Key and IAM User in AWS

  1. Log into the AWS Console website.

  2. Under Services, search for IAM (Identity and Access Management). This is where you will configure both your encryption key and an IAM user that Secret Server uses to access the encryption key.

  3. Click the Users button on the left menu.

  4. Click the Add User button.

  5. Type a name (such as SecretServerCloud) in the User Name text box.

  6. Click to select the Programmatic Access checkbox in the Access Type section.

  7. Click the Next: Permissions button. The Permissions page appears. No special permissions need to be assigned on this page.

  8. Select the Next: Tags button. The Tags page appears.

  9. Click the Next: Review button. The Review page appears.

  10. Select the Create User button. A Success page appears confirming the user was created.

  11. Both the access key ID and the secret access key appear (click the Show link).

  12. Click the Download .csv button to save the credentials.

    Be sure to save both the access key ID and the secret access key! If you lose them, you can never view the secret access key again. Even after you enter them in SSC, you cannot retrieve the secret access key.

  13. Once the download completes, click the Close button.

  14. Under Services, search for Key Management Service.

  15. Select the Customer managed keys link in the left-hand menu.

  16. Click the Create Key button. The Configure Key page, the first page of the Create Key wizard, appears.

  17. Ensure the Key type selection button is set to Symmetric.

  18. Ensure the Key usage selection button is set to Encrypt and decrypt.

  19. Click the Next button. The Add Labels page appears.

  20. Type SecretServerCloud in the Alias text box.

  21. (Optional) Type a description in the Description text box.

  22. (Optional) Click the Add tag button to add KMS tags.

  23. (Optional) Click the Learn More link for any of the settings to access more information.

  24. Select the Next button. The Define Key Administrative Permissions page appears.

    Leave the page as is.

  25. Click the Next button. The Define Key Usage Permissions page appears.

  26. Select the checkbox next to the SecretServerCloud-Key name in the table to give that user access to the key.

    Do not give access to the user you created earlier for SSC. It is unnecessary for Secret Server to have administrative access to the key.

  27. Click the Next button. The Review page appears.

  28. Ensure the settings are as desired.

  29. Click the Finish button. The new key appears in your Encryption Keys list.

  30. Select the new key in the list. The Summary section on the key’s page appears.

  31. Copy and save the contents of the read-only ARN text box. You will need it later.
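The choices made on the Define Key Administrative Permissions and Define Key Usage Permissions pages become statements in the key's policy. The following Python is an added example, not part of Secret Server or of AWS's own tooling: it builds an equivalent policy using the action sets the console wizard applies to administrators and to key users, then audits that a given principal (here the SSC user) holds no administrative rights on the key. The account ID and user ARNs are constructed placeholders.

```python
import fnmatch
import json

# Constructed sample identifiers (not from the page); substitute your own.
ACCOUNT_ID = "111122223333"
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/KmsAdmin"
SSC_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/SecretServerCloud"

# Actions the wizard grants on the Define Key Administrative Permissions page.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]
# Actions the wizard grants on the Define Key Usage Permissions page.
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"]
# Actions that let a principal destroy, lock out or re-delegate the key;
# the SSC user should never be able to perform any of them.
SENSITIVE = ["kms:ScheduleKeyDeletion", "kms:PutKeyPolicy",
             "kms:DisableKey", "kms:CreateGrant"]


def build_key_policy(account_id, admin_arn, user_arn):
    """Key policy equivalent to the wizard: one administrator, one key user."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": admin_arn}, "Action": ADMIN_ACTIONS,
         "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": user_arn}, "Action": USAGE_ACTIONS,
         "Resource": "*"}]}


def allowed_actions(policy, principal_arn):
    """Collect every action the policy allows directly to principal_arn."""
    actions = set()
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        if stmt["Effect"] != "Allow" or not isinstance(principal, dict):
            continue
        arns = principal.get("AWS", [])
        arns = [arns] if isinstance(arns, str) else arns
        if principal_arn in arns:
            acts = stmt["Action"]
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def sensitive_actions_granted(policy, principal_arn):
    """Sensitive actions the principal can perform, wildcards expanded."""
    granted = allowed_actions(policy, principal_arn)
    return sorted(a for a in SENSITIVE
                  if any(fnmatch.fnmatchcase(a, g) for g in granted))


if __name__ == "__main__":
    policy = build_key_policy(ACCOUNT_ID, ADMIN_ARN, SSC_USER_ARN)
    print(json.dumps(policy, indent=2))
    print("SSC user sensitive actions:",
          sensitive_actions_granted(policy, SSC_USER_ARN))
```

The same audit function can be run on a policy fetched from an existing key to confirm the SSC user was never added to the administrators statement.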

AWS supports automatically rotating this key every year. You can enable that on this page in the Key Rotation section (select the Rotate this Key every year checkbox). After a rotation, the key management settings in Secret Server require no further changes, and your existing secrets remain accessible because they are still decrypted by the previous key version.

Only new secrets, however, will be created under the new version of the encryption key, and you must perform a secret key rotation inside SSC if you want to update all secrets to use the new version of the AWS key. Navigate to Settings > Configuration Search > Security > Secret Key Rotation and click the Rotate Secret Keys button to perform the operation.

As a security best practice, we recommend performing a secret key rotation inside of SSC on a regular basis to refresh the encryption keys on your secrets.

Task 2: Adding Encryption Key and User Details in Secret Server

  1. Log into SSC.

  2. Search for Key Management. The Key Management page appears on the Configuration tab.

  3. Click the Edit button. The page becomes editable.

  4. From the Key Management Type dropdown list, select Amazon KMS. New fields appear.

  5. Type the AWS key details that you saved earlier in the remaining three text boxes.

  6. Select the checkbox acknowledging that saving will enable Maintenance Mode and trigger a Secret Key Rotation.

  7. Click the Save button.

Task 3: Secret Key Rotation

Once you save your changes, your new settings are validated and a secret key rotation is triggered. You can now view the progress of the rotation:

  1. Navigate to Settings > Configuration Search > Security > Secret Key Rotation.

  2. Click the Rotate Secret Keys button to perform the operation.

Later, you can repeat the process to change the AWS encryption key, or you can select None for the Key Management Type in Task 2 to disable it completely.