Tutorial

Securely manage AWS S3 encryption keys with IBM Cloud Hyper Protect Crypto Services with Unified Key Orchestrator

Strengthen your company’s security posture by enhancing controls and accesses and simplifying key management operations

IBM Cloud Hyper Protect Crypto Services with Unified Key Orchestrator is a multi-cloud key management solution that is easy to operate, compliant, and highly secure. It allows you to manage keys across various cloud environments, and it is pluggable with other key management solutions. This tutorial shows you how to manage your AWS S3 encryption keys and unify key management in the cloud.

Note: In this tutorial, "Unified Key Orchestrator" refers to Hyper Protect Crypto Services with the Unified Key Orchestrator service.

The following diagram illustrates the architecture:

[Figure: Architecture for IBM Cloud Hyper Protect Crypto Services with Unified Key Orchestrator]

Prerequisites

Before you complete this tutorial, you need to:

  • Provision and initialize an instance of Hyper Protect Crypto Services with Unified Key Orchestrator.
  • Create credentials in AWS to be used for the UKO connection.
  • Create a vault to assign keystores and keys.

Estimated time

Completing this tutorial should take about 30 minutes.

Steps

Step 1. Create your access credentials in your AWS account

  1. Log into your AWS console.
  2. Click IAM from the navigation.
  3. Click My security credentials to manage your access keys and other credentials.
  4. Click Create access key to confirm.
  5. Click Download .csv file.

Important: You need to make a note of the access key ID and the secret access key.

Step 2. Use the AWS credentials to create an AWS keystore in Unified Key Orchestrator

  1. Log into the Hyper Protect Crypto Services instance.
  2. In the navigation, click Target keystores to view all the available keystores.
  3. To connect to an external keystore, click Add keystore.
  4. Under Vault, select a vault for the keystore for access control and click Next.
  5. Under Keystore type, select AWS keystore, and click Next.
  6. Enter a name in Keystore name. For example, you can name the keystore "zCAT-AWS-Demo-KeyStore." Optionally, you can add an extended description to your Keystore description section.
  7. Under Connection Properties, select the Region on AWS and use the AWS credentials you created in the previous step. Then click Next.
  8. Check the Terms and Conditions and click Add keystore.

You have now successfully created an AWS keystore and can view the information for the keystore.

[Screenshots: Target keystores; Select vault]

Step 3. Create a key in your AWS keystore

  1. Click Managed keys from the navigation to view all the available keys.
  2. To create a managed key, click Create key.
  3. Under Vault, select a vault for the key for access control and click Next.
  4. Under General, select AWS Key Management Service. Then click Next.
  5. Under Key properties, specify the key name (for example, "zCAT-AWS-Demo-Key-002"), select Active for the state, and click Next.
  6. Select the keystore that you just created and choose Next.
  7. Under Summary, view the summary of your key and then click Create key to confirm.

[Screenshots: Connect to an external keystore; Properties]

Step 4. Verify that the key has been created in the AWS console

In your AWS console, you can search for Key Management Service (KMS) by using the search bar and clicking Customer managed keys. Then you can view the Unified Key Orchestrator encryption key that you just created.

[Screenshot: AWS console]

Step 5. Create an S3 Bucket on AWS

  1. On your AWS console, search for S3 by using the search bar and then click Buckets.
  2. Click Create bucket.
  3. Enter a name in Bucket name -- for example, "zcat-aws-uko-bucket-002." Note that upper-case characters are not allowed.
  4. Under Default encryption, select Enable for server-side encryption and SSE-KMS for encryption key type.
  5. Select Choose from your AWS KMS keys and then select the key you created in Hyper Protect Crypto Services.
  6. Click Create bucket.
  7. Click the bucket that you created and select Properties to view the bucket information.

Step 6. Upload an object (file) to your AWS S3 Bucket

  1. Select the bucket you just created and click Upload.
  2. Click Add files or drag-and-drop a file into the bucket.
  3. Click Upload.

You should now be able to download the uploaded object (file) by selecting it.

Step 7. Manage access to objects in your AWS S3 bucket from Unified Key Orchestrator

  1. Log into the Hyper Protect Crypto Services instance.
  2. Click Managed keys from the navigation to view all available keys.
  3. Select the key and click its menu button to change the state to Deactivate.
  4. Tick the checkboxes to confirm the deactivation and click Deactivate key.

You have now successfully deactivated the encryption key in IBM Cloud, and the object in your AWS S3 bucket can no longer be decrypted. In the AWS console, the key status under Customer managed keys should now be Pending import.
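The console steps above leave two things a practitioner usually wants to verify from the command line: that the bucket's default encryption really points at the UKO-managed key (Step 5), and that the key is no longer usable after deactivation (Step 7). The script below is an added example, not part of the tutorial or of the Unified Key Orchestrator product. It works offline on the JSON printed by `aws s3api get-bucket-encryption` and `aws kms describe-key`, and also builds the payload for `aws s3api put-bucket-encryption` that matches the Step 5 console choices. The key ARN, account ID and sample responses are constructed; the script assumes the UKO-managed key is a KMS key with externally imported material (Origin `EXTERNAL`), which is what the Pending import status in Step 7 implies.

```python
"""Offline checks for the S3 + KMS setup from Steps 5 and 7 (added example)."""
import json
import re
import sys

# Constructed sample key ARN (fictional account and key id, not from the tutorial).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/11111111-2222-3333-4444-555555555555"

# S3 bucket-name rule highlighted in Step 5: lower-case letters, digits, dots and
# hyphens only, 3-63 characters, starting and ending with a letter or digit.
BUCKET_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def is_valid_bucket_name(name: str) -> bool:
    """Return False for names S3 rejects, e.g. the upper-case letters Step 5 warns about."""
    return bool(BUCKET_NAME_RE.match(name)) and ".." not in name


def default_encryption_config(key_arn: str) -> dict:
    """Payload for `aws s3api put-bucket-encryption --server-side-encryption-configuration`.

    Equivalent to the Step 5 console choices: server-side encryption enabled,
    type SSE-KMS, key = the UKO-managed KMS key. BucketKeyEnabled is left off so
    every object is bound directly to the KMS key rather than a cached bucket key.
    """
    return {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": key_arn,
                },
                "BucketKeyEnabled": False,
            }
        ]
    }


def bucket_uses_key(get_bucket_encryption_response: dict, key_arn: str) -> bool:
    """True if the bucket's default encryption is SSE-KMS with exactly this key."""
    config = get_bucket_encryption_response.get("ServerSideEncryptionConfiguration", {})
    for rule in config.get("Rules", []):
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm") == "aws:kms" and sse.get("KMSMasterKeyID") == key_arn:
            return True
    return False


def key_material_is_external(describe_key_response: dict) -> bool:
    """True if the key's material was imported (Origin EXTERNAL), as a UKO-managed key's is
    assumed to be. Only such keys can reach the PendingImport state described in Step 7."""
    return describe_key_response["KeyMetadata"].get("Origin") == "EXTERNAL"


def key_can_decrypt(describe_key_response: dict) -> bool:
    """True only while the KMS key is Enabled.

    After Step 7 the key material is gone and KeyState is PendingImport (shown as
    "Pending import" in the console), so S3 can no longer decrypt objects in the bucket.
    """
    meta = describe_key_response["KeyMetadata"]
    return meta.get("KeyState") == "Enabled" and bool(meta.get("Enabled", False))


# Constructed sample responses shaped like the CLI output, for offline use.
SAMPLE_BUCKET_ENC = {
    "ServerSideEncryptionConfiguration": {
        "Rules": [
            {
                "ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms",
                    "KMSMasterKeyID": KEY_ARN,
                },
                "BucketKeyEnabled": False,
            }
        ]
    }
}
SAMPLE_KEY_BEFORE = {
    "KeyMetadata": {"Arn": KEY_ARN, "Enabled": True, "KeyState": "Enabled", "Origin": "EXTERNAL"}
}
SAMPLE_KEY_AFTER = {  # what describe-key reports once the key is deactivated in UKO
    "KeyMetadata": {"Arn": KEY_ARN, "Enabled": False, "KeyState": "PendingImport", "Origin": "EXTERNAL"}
}


def main(argv: list) -> int:
    """Usage: check.py config <key-arn> | bucket <key-arn> < enc.json | key < key.json"""
    if len(argv) >= 2 and argv[0] == "config":
        print(json.dumps(default_encryption_config(argv[1]), indent=2))
        return 0
    if len(argv) >= 2 and argv[0] == "bucket":
        ok = bucket_uses_key(json.load(sys.stdin), argv[1])
        print("bucket default encryption uses the UKO key" if ok else "bucket NOT bound to the UKO key")
        return 0 if ok else 1
    if len(argv) == 1 and argv[0] == "key":
        resp = json.load(sys.stdin)
        state = resp["KeyMetadata"].get("KeyState")
        print(f"KeyState={state} external={key_material_is_external(resp)} usable={key_can_decrypt(resp)}")
        return 0 if key_can_decrypt(resp) else 1
    print(main.__doc__)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

To use it against a real account, feed it CLI output, for example `aws kms describe-key --key-id <key-arn> | python3 check.py key` before and after Step 7; the exit code flips from 0 to 1 once the key reaches PendingImport, which is the signal that objects in the bucket are no longer readable.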

Summary

You can now manage access to objects in your AWS S3 Bucket and have exclusive control over your AWS S3 encryption keys.

By using the IBM Cloud Hyper Protect Crypto Services with Unified Key Orchestrator, you can orchestrate these keys across multiple cloud environments. This strengthens your company’s security posture by enhancing controls and accesses while simplifying key management operations.

Next steps

Learn more about Hyper Protect Crypto Services with Unified Key Orchestrator: