After you create an application access point (AAP) for a dedicated KMS instance, the instance appears in the Scope of the AAP policies. You can update the AAP, delete the AAP, or delete one of its client keys based on your business requirements.

Update an AAP

To change the permissions that an AAP grants on the dedicated KMS instance, update the policies of the AAP. This lets each application reach only the instances and resources that it requires.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region of the application access point that you want to update.
  3. In the left-side navigation pane, click Applications.
  4. Click the name of an AAP. On the page that appears, click Update in the upper-right corner.
  5. In the Update Application Access Point dialog box, update the policies.
    1. Click the Plus icon to the right of Policies.
    2. In the RBAC Policy dialog box, configure the following parameters and click Create.
      • Policy Name: The name of the policy.
      • Scope: The scope of the policy. Select the service ID of the dedicated KMS instance.
      • RBAC Permissions: The permission management template. A template specifies the operations that can be performed on specific resources. Select CryptoServiceKeyUser.
      • Accessible Resources: The resources on which the policy takes effect. You can configure the resources in one of the following ways:
        • Method 1: In the Resources section, select existing resources and click the Left icon.
        • Method 2: In the Selected Resources section, click the Plus icon, specify resources, and then click Add.
        Note: You can use the asterisk (*) wildcard only as a suffix. A wildcard pattern also covers resources that are created later and share the prefix, so grant only the resources that the application needs.
      • Network Access Rules: The network type and the IP addresses that are allowed to access KMS. In the Rules section, select existing rules, or create a rule:
        1. Click the Plus icon.
        2. In the Create Network Access Rule dialog box, configure the following parameters:
          • Name: Enter the name of the network access rule.
          • Network Type: Select the type of network over which the application accesses KMS. If your application accesses Dedicated KMS over a virtual private cloud (VPC), select Private.
          • Description: Enter a description of the network access rule.
          • Supported Public IP Addresses: Enter the IP addresses that are allowed to access KMS. You can enter private IP addresses or CIDR blocks, separated by commas (,). Use the smallest blocks that cover the hosts of your application; a very broad block leaves the client key as the only effective control.
        3. Click Create.
        4. Select the new rule and click the Left icon.
    3. Select the new policy and click the Left icon.
    4. Click Next.
  6. Enter a description and click Update.
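
The policy that the procedure above builds combines three checks: the Scope (instance), the Accessible Resources (exact names or suffix-wildcard patterns) and the Network Access Rules (comma-separated addresses or CIDR blocks). The following Python model is an added illustration of how those checks combine, not Alibaba Cloud code, and it does not call the KMS API. The resource name format ("key/<name>"), the instance ID "kst-example-instance", the rule and policy names and the threshold in overly_broad_rules are assumptions chosen for the example; the matching rules themselves follow the descriptions above.

```python
"""Model of the AAP policy semantics described above (added illustration, not Alibaba Cloud code).

Assumptions: resource names are strings such as "key/<name>" and the only wildcard is a
trailing asterisk (as the Accessible Resources note states); network rules are a comma-
separated list of IP addresses or CIDR blocks (as the Network Access Rules field accepts).
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class NetworkAccessRule:
    name: str
    network_type: str   # "Private" for VPC access, "Public" otherwise
    ip_list: str        # comma-separated addresses or CIDR blocks, as typed into the console

    def networks(self):
        # A bare address such as "10.0.2.15" becomes the host network 10.0.2.15/32.
        return [ipaddress.ip_network(s.strip(), strict=False)
                for s in self.ip_list.split(",") if s.strip()]

    def allows(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)
        # An IPv4 address is never "in" an IPv6 network, so mixed lists are safe.
        return any(addr in net for net in self.networks())


@dataclass
class RbacPolicy:
    name: str
    scope: str                  # service ID of the dedicated KMS instance
    permissions: str            # permission template, e.g. "CryptoServiceKeyUser"
    accessible_resources: list  # exact names or "prefix*" patterns
    network_rules: list         # NetworkAccessRule objects

    def resource_matches(self, resource: str) -> bool:
        for pattern in self.accessible_resources:
            if pattern.endswith("*"):
                if resource.startswith(pattern[:-1]):
                    return True
            elif resource == pattern:
                return True
        return False

    def network_matches(self, source_ip: str) -> bool:
        return any(rule.allows(source_ip) for rule in self.network_rules)


def request_allowed(policies, instance_id, resource, source_ip) -> bool:
    """A request passes only if one policy covers the instance, the resource
    and the caller's address at the same time; anything else is denied."""
    return any(
        p.scope == instance_id
        and p.resource_matches(resource)
        and p.network_matches(source_ip)
        for p in policies
    )


def overly_broad_rules(policies, max_addresses=2 ** 16):
    """Return "policy/rule: cidr" for every block larger than max_addresses
    (an illustrative threshold); a rule such as 0.0.0.0/0 defeats the purpose
    of a network access rule."""
    findings = []
    for p in policies:
        for rule in p.network_rules:
            for net in rule.networks():
                if net.num_addresses > max_addresses:
                    findings.append(f"{p.name}/{rule.name}: {net}")
    return findings


# Constructed sample policies; the instance ID, rule names and resource names are made up.
SAMPLE_POLICIES = [
    RbacPolicy(
        name="payments-app",
        scope="kst-example-instance",
        permissions="CryptoServiceKeyUser",
        accessible_resources=["key/payments-*", "key/shared-signing-key"],
        network_rules=[NetworkAccessRule("payments-vpc", "Private", "10.0.1.0/24, 10.0.2.15")],
    ),
    RbacPolicy(
        name="legacy-app",
        scope="kst-example-instance",
        permissions="CryptoServiceKeyUser",
        accessible_resources=["key/legacy-*"],
        network_rules=[NetworkAccessRule("anywhere", "Public", "0.0.0.0/0")],
    ),
]

if __name__ == "__main__":
    print(request_allowed(SAMPLE_POLICIES, "kst-example-instance", "key/payments-001", "10.0.1.33"))
    print(request_allowed(SAMPLE_POLICIES, "kst-example-instance", "key/hr-001", "10.0.1.33"))
    print(overly_broad_rules(SAMPLE_POLICIES))
```

Running the module shows the payments application reaching its own keys from its VPC range, being refused a key outside the wildcard prefix, and the legacy policy being reported because its 0.0.0.0/0 rule makes the network check meaningless. The same kind of review is worth doing on real AAP policies after every update: a wildcard prefix or a wide CIDR block widens access silently.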

Delete an AAP

An AAP, together with its client keys, is what an application uses to access a dedicated KMS instance. If you delete an AAP, applications that access the dedicated KMS instance through it stop working. Exercise caution when you delete an AAP. After an AAP is deleted, all the client keys that are bound to the AAP are deleted with it.

  1. In the left-side navigation pane, click Applications.
  2. Find the AAP that you want to delete and click Delete in the Actions column.
  3. In the Delete Application Access Point message, click OK.

Delete a client key

A client key is the credential that an application presents to authenticate. When you create the client key, you must save its PKCS 12 file. If the PKCS 12 file is lost, you must delete the client key and create a new one; do the same if the file may have been exposed. Deleting a client key immediately stops the applications that authenticate with it, so where possible create and deploy the replacement key before you delete the old one. For more information about how to create a client key, see Create an AAP.

To delete a client key, perform the following steps:

  1. In the left-side navigation pane, click Applications.
  2. Click the name of the AAP to which the client key belongs.
  3. In the Client Key section, find the client key and click Delete in the Actions column.
  4. In the Delete Client Key message, click OK.