If a dedicated Key Management Service (KMS) instance is in the Connected state, you can create an application access point (AAP) for the instance so that your applications can access it. You can also obtain a CA certificate for the dedicated KMS instance to authenticate the users who access the dedicated KMS instance.

Create an AAP

You can create an AAP and a client key for the dedicated KMS instance to grant applications access to the dedicated KMS instance.

  1. Log on to the KMS Console.
  2. In the upper-left corner of the page, select the region where you want to purchase a dedicated KMS instance.
    For more information about the regions that support dedicated KMS, see Supported regions.
  3. In the left-side navigation pane, click Dedicated KMS.
  4. Click the name of the dedicated KMS instance for which you want to create an AAP.
  5. In the Application access Dedicated KMS section, click Create an application access point.
  6. In the Configure Application Access Credential and Permissions panel, configure the parameters.
    1. Configure Name of Application Access Point.
    2. Configure Access Control Policies.
      • Accessible Resources: The default value is Key/*. This value specifies that the policy allows access to all the keys of the dedicated KMS instance.
      • Allowed IP Addresses: the network types and IP addresses that can be used to access the dedicated KMS instance. You can enter private IP addresses or CIDR blocks. You must separate multiple IP addresses or CIDR blocks with commas (,).
    3. Click Create.
  7. In the Application Access Credential dialog box, obtain the values of Password and Credential.
    • Password: Click Copy to obtain the password.
    • Credential: Click Download to obtain the information about the client key. Then, save the information.

      The information about the client key consists of KeyId and PrivateKeyData. Example:

      {
        "KeyId": "KAAP.71be72c8-73b9-44e0-bb75-81ee51b4****",
        "PrivateKeyData": "MIIJwwIBAz****ICNXX/pOw=="
      }
      Note: KMS does not save the PrivateKeyData of the client key. You can obtain the encrypted PKCS 12 file indicated by PrivateKeyData only when you create the client key. You must keep the file confidential.
  8. Click Close.
    After the AAP is created, you can click Applications in the left-side navigation pane to view the information about the AAP. The information includes authentication methods, permission policies, network access rules, and client keys. You can also update the AAP. For more information, see Manage AAPs.

Obtain a CA certificate of a dedicated KMS instance

A CA certificate of a dedicated KMS instance is a digital certificate that is used to ensure secure communications between the clients and server of the dedicated KMS instance. You can obtain a CA certificate of a dedicated KMS instance in the KMS console.

  1. In the left-side navigation pane, click Dedicated KMS.
  2. Click the name of the dedicated KMS instance for which you want to obtain the CA certificate.
  3. In the Applications access Dedicated KMS section, click Download below Configure CA Certificate for Dedicated KMS Instance to download the CA certificate file in the PEM format.

Use an AAP

You can use dedicated KMS SDKs and a client key to encrypt data, decrypt data, generate a digital signature, and verify a digital signature. For more information, see Dedicated KMS SDK for Java.
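The following shell script is an added example, not code from Alibaba Cloud or the dedicated KMS SDK. It ties together the two artifacts described above, the client key (a JSON file whose PrivateKeyData is a base64-encoded, password-protected PKCS 12 file) and the downloaded CA certificate in PEM format, and shows what a client has to do with them before it can talk to the instance: pull KeyId and PrivateKeyData out of the JSON, decode PrivateKeyData, unlock the PKCS 12 file with the password from the Application Access Credential dialog, and check that the CA file parses as a certificate. Because a real client key and CA certificate cannot be embedded here, the script first constructs stand-ins with a throwaway self-signed certificate; the KeyId value, the password, the file names, and the availability of openssl and base64 on the machine are all assumptions.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud's code). Constructs stand-ins for the
# ClientKey JSON and CA certificate that the console produces, then unpacks
# them the way a client would. Assumes openssl and GNU base64 are installed;
# every name, path and value below is made up for the demonstration.
set -e

WORK="${TMPDIR:-/tmp}/kms-aap-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the password shown in the Application Access Credential dialog.
AAP_PASSWORD='demo-password-not-real'

# A throwaway self-signed key pair stands in for the identity KMS packs into
# the PKCS#12 file (in reality KMS generates this; the user never does).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=aap-demo-client" \
  -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
  -passout "pass:$AAP_PASSWORD" -out "$WORK/client.p12"

# Constructed ClientKey JSON in the two-field layout the document shows.
printf '{\n  "KeyId": "KAAP.00000000-0000-0000-0000-000000000000",\n  "PrivateKeyData": "%s"\n}\n' \
  "$(base64 "$WORK/client.p12" | tr -d '\n')" > "$WORK/ClientKey.json"

# Constructed CA certificate file standing in for the console download.
cp "$WORK/client.crt" "$WORK/ca.pem"

# Print the value of one top-level string field of the ClientKey JSON.
# Plain sed is enough for this fixed two-field layout, so no jq is needed.
client_key_field() {  # $1 = ClientKey.json, $2 = field name
  sed -n "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" "$1"
}

# Decode PrivateKeyData into the encrypted PKCS#12 file, unlock it with the
# AAP password and write an unencrypted PEM a TLS client can load.
# Prints "ok" on success; returns non-zero (and prints nothing) on failure.
unpack_client_key() {  # $1 = ClientKey.json, $2 = password, $3 = output PEM
  key_id=$(client_key_field "$1" KeyId)
  case "$key_id" in
    KAAP.*) ;;
    *) echo "unexpected KeyId: $key_id" >&2; return 1 ;;
  esac
  client_key_field "$1" PrivateKeyData | base64 -d > "$3.p12"
  # -nodes leaves the private key unencrypted on disk, so create the file
  # owner-readable only and delete the intermediate .p12 afterwards.
  umask 077
  openssl pkcs12 -in "$3.p12" -passin "pass:$2" -nodes -out "$3" 2>/dev/null
  rm -f "$3.p12"
  grep -q 'BEGIN PRIVATE KEY' "$3" && grep -q 'BEGIN CERTIFICATE' "$3" && echo ok
}

# Confirm the downloaded CA file is a parseable PEM certificate; prints its subject.
ca_subject() {  # $1 = ca.pem
  openssl x509 -in "$1" -noout -subject
}

# Demonstration run.
unpack_client_key "$WORK/ClientKey.json" "$AAP_PASSWORD" "$WORK/client.pem"
ca_subject "$WORK/ca.pem"
# A wrong password must fail instead of yielding a usable key.
if unpack_client_key "$WORK/ClientKey.json" 'wrong' "$WORK/bad.pem" 2>/dev/null; then
  echo "wrong password was accepted" >&2
  exit 1
fi
```

The unpacked PEM and the CA file are what a TLS client needs: the PEM carries the client certificate and private key that identify the AAP, and the CA certificate lets the client verify the dedicated KMS instance's server certificate. Treat the unpacked PEM with the same care as the original PKCS 12 file, since it holds the private key in the clear.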