
How to configure KMS from the AWS Portal?

The following section elaborates the process to configure KMS from AWS Portal.

  1. The first step is to create a key (customer managed key) at https://console.aws.amazon.com/kms/ under the Key Management Service (KMS).

    1. Go to https://console.aws.amazon.com/ and search for the KMS service.

    2. Under the Key Management Service (KMS), create a customer managed key (CMK) using the Create key option at the top right.

    3. Create a symmetric key by selecting the symmetric key type and selecting KMS in the advanced options, as shown in the image below.

    4. Enter an alias for the key, which is required; the remaining fields are optional.

    5. Select the key administrators: choose the IAM users and roles who can administer this key through the KMS API.

    6. Select the IAM users and roles that can use the CMK in cryptographic operations.

    7. Review the key configuration and click the Finish button to create the key.


    8. Once the key is successfully created, it will show in the list of keys.

    9. Click the key to open its details page and look for the key ARN. This key ARN is required for further configuration.

Configure AWS KMS for HDFSAgent and LocalFilesAgent

  1. The second step is to set up AWS credentials for KMS and Secrets Manager. There are 3 options available to you. Choose any one of the options below:

    1. If you have an EC2 instance, you can set up the AWS CLI.

    2. If you have an EC2 instance, you can assign a role to the EC2 instance.

    3. On the machine that has the agent, create a property file called AWS credentials.properties. Inside the file, update the following properties:
      aws_access_key_id =
      aws_secret_access_key =

  2. The third step is to restart the agent using the stop.sh and start.sh scripts in the agent installation directory.
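
A pre-restart check for the property file from option 3 and for the key ARN copied in step 1, given here as an added example that is not part of the original page or of the product. The file path, function names and sample values are assumptions, and the key = value parsing is a simplification rather than the agent's own parser.

```python
import os
import re
import stat
import tempfile

# Key ARN shape: arn:<partition>:kms:<region>:<12-digit account>:key/<key id>
KEY_ARN_RE = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:\d{12}:"
    r"key/([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}|mrk-[0-9a-f]{32})$"
)
REQUIRED = ("aws_access_key_id", "aws_secret_access_key")
SAMPLE_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"


def is_key_arn(value):
    """True only for a KMS key ARN; alias ARNs and bare key IDs are rejected."""
    return KEY_ARN_RE.match(value.strip()) is not None


def check_credentials_file(path):
    """Return a list of problems found in a key = value credentials file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:o} lets group/other access the secret key; use 600")
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, _, val = line.partition("=")
                props[key.strip()] = val.strip()
    for name in REQUIRED:
        if not props.get(name):
            problems.append(f"{name} is missing or empty")
    return problems


def demo():
    """Run the file check on constructed sample data (not real credentials)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.properties")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("aws_access_key_id = CONSTRUCTED-EXAMPLE-ID\naws_secret_access_key =\n")
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        return check_credentials_file(path)


if __name__ == "__main__":
    print(demo(), is_key_arn(SAMPLE_ARN))
```

An empty list from check_credentials_file means the file has both properties set and is readable only by its owner.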

Configure KMS from Admin and PK Protect

  1. The fourth step is to configure KMS from the Admin and PK Protect portals. On the Admin portal, go to the Manage Keystores option in the left menu and add a new key store with the required details.

    You will get the KEY-ARN from the AWS KMS console, for the key that you created in step 1 -> i above.


    Once the key store is successfully created, it will show in the list of key stores.

  2. While adding a domain on PK Protect, you will get the AWS-KMS store (which you created in step 2) in the list of key store options. Enter the required information and save your domain.

