After you create an application access point (AAP) for a dedicated KMS instance, you can view Dedicated KMS in the Scope field of AAP policies. You can update an AAP, delete an AAP, or delete a client key based on your business requirements.

Create an AAP

If a dedicated KMS instance is in the Enabled state, you can create an AAP and a client key for the instance. This way, applications can access the dedicated KMS instance. The client key is used as an application identity credential.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where your dedicated KMS instance resides.
  3. In the left-side navigation pane, click Dedicated KMS.
  4. On the Dedicated KMS page, find the dedicated KMS instance for which you want to create an AAP and click Details in the Actions column.
  5. In the Applications access Dedicated KMS section, click Create an application access point.
  6. In the Configure Application Access Credential and Permissions panel, configure the parameters.
    1. Enter a name in Name of Application Access Point.
    2. Configure parameters below Access Control Policies.
      • Accessible Resources: Retain the default value Key/*. This value specifies that applications can access all keys of the dedicated KMS instance.
      • Allowed IP Addresses: Enter the network types and IP addresses that are allowed for access to the dedicated KMS instance. You can enter private IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,).
    3. Click Create.
  7. In the Application Access Credential dialog box, copy the password and client key from Password and Credential.
    • Password: Click Copy to obtain the password.
    • Credential: Click Download to save the client key.

      The client key consists of KeyId and PrivateKeyData. Example:

      {
        "KeyId": "KAAP.71be72c8-73b9-44e0-bb75-81ee51b4****",
        "PrivateKeyData": "MIIJwwIBAz****ICNXX/pOw=="
      }
      Note Dedicated KMS does not save PrivateKeyData of the client key. You can obtain the encrypted PKCS 12 file indicated by PrivateKeyData only when you create the client key. You must keep the file confidential.
  8. Click Close.
    After the AAP is created, you can click Applications in the left-side navigation pane to view the information about the AAP. The information includes the authentication method, permission policies, network access rule, and client key.
  9. In the Applications access Dedicated KMS section, click Download below Configure CA Certificate for Dedicated KMS Instance to download the certificate authority (CA) certificate file in the PEM format.
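The client key file downloaded in step 7 is the only copy of PrivateKeyData, so it is worth confirming that the saved file is intact before it is rotated or an old client key is deleted. The following checker is an added example, not part of the console documentation or of KMS itself: it parses the JSON shown above, requires a KAAP.* KeyId, base64-decodes PrivateKeyData and verifies that the result has the outer DER shape of a PKCS #12 PFX (a SEQUENCE whose first element is the INTEGER version 3). The sample client key, the placeholder KeyId and the stub PFX bytes are constructed for the example; the rule that the file must contain no field other than KeyId and PrivateKeyData (so the separately copied password never ends up beside the key) is the example's own check.

```python
import base64
import json

# Constructed stand-in for PrivateKeyData: the smallest DER blob with the outer
# PFX shape, SEQUENCE { INTEGER 3, SEQUENCE {} }. A real client key carries the
# full authSafe and macData here; only the outer shape is inspected below.
_PLACEHOLDER_PFX = bytes.fromhex("30050201033000")

# Constructed sample in the layout the console shows; the KeyId is a placeholder.
SAMPLE_CLIENT_KEY = json.dumps({
    "KeyId": "KAAP.00000000-0000-0000-0000-000000000000",
    "PrivateKeyData": base64.b64encode(_PLACEHOLDER_PFX).decode("ascii"),
})


def _der_length(buf: bytes, pos: int):
    """Decode the DER length at buf[pos]; return (length, index of first content byte)."""
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def check_client_key(text: str) -> dict:
    """Sanity-check a saved client key file; 'ok' is False if any problem was found."""
    result = {"ok": False, "problems": [], "key_id": None,
              "pfx_version": None, "pfx_length": None}
    problems = result["problems"]
    try:
        doc = json.loads(text)
    except ValueError:
        problems.append("file is not valid JSON")
        return result
    if not isinstance(doc, dict):
        problems.append("top-level value is not a JSON object")
        return result
    extra = set(doc) - {"KeyId", "PrivateKeyData"}
    if extra:
        # Example's own rule: the password is copied separately and must not live in this file.
        problems.append(f"unexpected fields {sorted(extra)}; keep only KeyId and PrivateKeyData")
    key_id = doc.get("KeyId")
    if isinstance(key_id, str) and key_id.startswith("KAAP."):
        result["key_id"] = key_id
    else:
        problems.append("KeyId missing or not a KAAP.* identifier")
    data = doc.get("PrivateKeyData")
    if not isinstance(data, str):
        problems.append("PrivateKeyData missing")
        return result
    try:
        pfx = base64.b64decode(data, validate=True)
        if len(pfx) < 2 or pfx[0] != 0x30:
            raise ValueError("outer DER tag is not SEQUENCE")
        body_len, body = _der_length(pfx, 1)
        if body_len == 0 or body + body_len != len(pfx):
            raise ValueError("DER length does not match decoded size (truncated or padded)")
        # PFX ::= SEQUENCE { version INTEGER {v3(3)}, authSafe ContentInfo, macData OPTIONAL }
        if pfx[body] != 0x02:
            raise ValueError("first element is not the INTEGER version")
        ver_len, ver = _der_length(pfx, body + 1)
        version = int.from_bytes(pfx[ver:ver + ver_len], "big")
        if version != 3:
            raise ValueError(f"unexpected PFX version {version}")
        result["pfx_version"] = version
        result["pfx_length"] = len(pfx)
    except ValueError as exc:  # binascii.Error from b64decode is a ValueError subclass
        problems.append(f"PrivateKeyData is not a PKCS #12 DER blob: {exc}")
    result["ok"] = not problems
    return result


if __name__ == "__main__":
    report = check_client_key(SAMPLE_CLIENT_KEY)
    print("intact" if report["ok"] else "problems: " + "; ".join(report["problems"]))
```

Run it against the file saved from the Credential download; a non-empty problems list means the backup should not be trusted, and a new client key should be created before the old one is deleted. The check proves structure, not secrecy: a file that passes still has to be stored with the same care as the password.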

Update an AAP

To change the permissions on the dedicated KMS instance for an AAP, you can update the policies of the AAP. This way, different applications can access the required instances.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which the AAP resides.
  3. In the left-side navigation pane, click Applications.
  4. Click the name of an AAP. On the page that appears, click Update in the upper-right corner.
  5. In the Update Application Access Point dialog box, update the policies.
    1. Click the Plus icon to the right of Policies.
    2. In the RBAC Policy dialog box, configure the following parameters and click Create.
      • Policy Name: The name of the policy.
      • Scope: The scope of the policy. Select the service ID of the dedicated KMS instance.
      • RBAC Permissions: The permission management template. The template specifies an operation that can be performed on specific resources. Select CryptoServiceKeyUser.
      • Accessible Resources: The resources on which the policy takes effect. You can use one of the following methods to configure resources:
        • Method 1: In the Key: Resources section, select existing resources and click the Left icon.
        • Method 2: In the Key: Selected Resources section, click the Plus icon. In the dialog box that appears, specify resources and click Add.
          Note You can use the wildcard character asterisk (*) as a suffix.
      • Network Access Rules: The network type and IP address that are allowed for access to the instance.

      In the Rules section, select existing rules or perform the following steps to create a rule:

      1. Click the Plus icon.
      2. In the Create Network Access Rule dialog box, configure the following parameters:
        • Name: Enter the name of the network access rule.
        • Network Type: Select the type of the network that is allowed for access to the instance.

          If your application accesses the instance over a virtual private cloud (VPC), select Private.

        • Description: Enter a description of the network access rule.
        • Allowed Private IP Address: Enter the IP addresses that are allowed to access the instance.

          You can enter private IP addresses or CIDR blocks. You must separate multiple IP addresses or CIDR blocks with commas (,).

      3. Click Create.
      4. Select the new rule and click the Left icon.
    3. Select the new policy and click the Left icon.
  6. Enter a description and click Update.
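Both the Allowed IP Addresses field when creating an AAP and the Allowed Private IP Address field of a network access rule take a comma-separated list of private IP addresses or CIDR blocks. The validator below is an added example, not part of the console or of KMS: it normalises such a list and flags entries that would weaken the rule, namely tokens that do not parse, addresses outside the RFC 1918 ranges, CIDR blocks with host bits set, entries that overlap each other, and blocks wider than /16. The /16 threshold and the RFC 1918 restriction are the example's own policy choices, not limits enforced by the console, and the sample lists in the test are constructed.

```python
import ipaddress

# Private IPv4 ranges the allowlist is expected to stay within (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Widest block accepted without complaint: an assumed house policy, not a KMS limit.
MIN_PREFIX_LEN = 16


def validate_allowed_ips(field: str) -> dict:
    """Normalise a comma-separated allowlist and collect problems; 'ok' means none found."""
    entries = []
    problems = []
    for raw in field.split(","):
        token = raw.strip()
        if not token:
            problems.append("empty entry (stray comma)")
            continue
        try:
            # strict=False accepts blocks with host bits set so they can be reported below.
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            problems.append(f"{token!r}: not an IP address or CIDR block")
            continue
        if net.version != 4:
            problems.append(f"{token}: only IPv4 entries are handled by this checker")
            continue
        if "/" in token and ipaddress.ip_interface(token).ip != net.network_address:
            problems.append(f"{token}: host bits set; did you mean {net}?")
        if not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{token}: not inside an RFC 1918 private range")
        if net.prefixlen < MIN_PREFIX_LEN:
            problems.append(f"{token}: wider than /{MIN_PREFIX_LEN}; narrow it to the application's subnets")
        for seen in entries:
            if net.subnet_of(seen) or seen.subnet_of(net):
                problems.append(f"{token}: overlaps {seen}")
        entries.append(net)
    return {"ok": not problems, "entries": [str(n) for n in entries], "problems": problems}


if __name__ == "__main__":
    for sample in ("10.0.1.5, 10.0.2.0/24", "10.0.0.0/8, 8.8.8.8, 192.168.1.0/24, 192.168.1.7"):
        report = validate_allowed_ips(sample)
        print(sample, "->", "ok" if report["ok"] else report["problems"])
```

Paste the field value into validate_allowed_ips before saving the AAP or rule; the entries list is what the console will effectively allow, and each problem names the token that caused it so the list can be corrected in place.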

Delete an AAP

After an AAP is deleted, all the client keys that are bound to the AAP are deleted.

Warning Before you delete an AAP, make sure that the AAP is no longer in use. If you delete an AAP that is in use, your services may become unavailable.
  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which the AAP resides.
  3. In the left-side navigation pane, click Applications.
  4. Find the AAP that you want to delete and click Delete in the Actions column.
  5. In the Delete Application Access Point message, click OK.

Delete a client key

Client keys are used to authenticate applications. When you create a client key, you must save the PKCS 12 file of the client key. If the PKCS 12 file is lost, you must delete the client key and create a different client key.

Warning Before you delete a client key, make sure that the client key is no longer in use. If you delete a client key that is in use, your services may become unavailable.
  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which the AAP resides.
  3. In the left-side navigation pane, click Applications.
  4. Click the name of the AAP.
  5. In the Client Key section, find the client key and click Delete in the Actions column.
  6. In the Delete Client Key message, click OK.