After you create an application access point (AAP) for a dedicated KMS instance, you can view Dedicated KMS in the Scope field of AAP policies. You can update an AAP, delete an AAP, or delete a client key based on your business requirements.

Create an AAP

If a dedicated KMS instance is in the Enabled state, you can create an AAP and a client key for the instance. This way, applications can access the dedicated KMS instance. The client key is used as an application identity credential.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region where your dedicated KMS instance resides.
  3. In the left-side navigation pane, click Dedicated KMS.
  4. On the Dedicated KMS page, find the dedicated KMS instance for which you want to create an AAP and click Details in the Actions column.
  5. In the Applications access Dedicated KMS section, click Create an application access point.
  6. In the Configure Application Access Credential and Permissions panel, configure the parameters.
    1. Enter a name in Name of Application Access Point.
    2. Configure parameters below Access Control Policies.
      • Accessible Resources: Retain the default value Key/*. This value specifies that applications can access all keys of the Dedicated KMS instance.
      • Allowed IP Addresses: Enter the network types and IP addresses that are allowed for access to the dedicated KMS instance. You can enter private IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,).
    3. Click Create.
  7. In the Application Access Credential dialog box, copy the password and client key from Password and Credential.
    • Password: Click Copy to obtain the password.
    • Credential: Click Download to save the client key.

      The client key consists of KeyId and PrivateKeyData. Example:

      {
        "KeyId": "KAAP.71be72c8-73b9-44e0-bb75-81ee51b4****",
        "PrivateKeyData": "MIIJwwIBAz****ICNXX/pOw=="
      }
      Note Dedicated KMS does not save PrivateKeyData of the client key. You can obtain the encrypted PKCS 12 file indicated by PrivateKeyData only when you create the client key. You must keep the file confidential.
  8. Click Close.
    After the AAP is created, you can click Applications in the left-side navigation pane to view the information about the AAP. The information includes the authentication method, permission policies, network access rule, and client key.
  9. In the Applications access Dedicated KMS section, click Download below Configure CA Certificate for Dedicated KMS Instance to download the certificate authority (CA) certificate file in the PEM format.
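As an added example (not from the KMS documentation or console), the following Python checks a downloaded client key file before it is put into a secret store: the KeyId pattern is an assumption generalised from the example above, and the DER checks confirm that PrivateKeyData decodes to a complete PKCS 12 structure of version 3 (the prefix MIIJwwIBAz in the example above decodes to exactly such a SEQUENCE header followed by INTEGER 3). The sample client key in the block is constructed and is not a real credential.

```python
import base64
import json
import re

# Assumed KeyId shape, generalised from the console example "KAAP.<uuid>".
KEY_ID_RE = re.compile(r"^KAAP\.[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_pfx_header(der):
    """Return (sequence_length, body_start, version) of a PKCS #12 PFX blob:
    PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, macData OPTIONAL }.
    Only the outer SEQUENCE and the version INTEGER are decoded."""
    if not der or der[0] != 0x30:
        raise ValueError("PKCS #12 blob must start with a DER SEQUENCE (0x30)")
    seq_len, body_start = _der_length(der, 1)
    if body_start >= len(der) or der[body_start] != 0x02:
        raise ValueError("expected INTEGER version after the SEQUENCE header")
    ver_len, pos = _der_length(der, body_start + 1)
    return seq_len, body_start, int.from_bytes(der[pos:pos + ver_len], "big")

def validate_client_key(text):
    """Validate a downloaded client key file; return its raw PKCS #12 bytes.
    Raises ValueError for a malformed KeyId, non-base64 PrivateKeyData, or a
    blob that is not a complete PKCS #12 version-3 structure."""
    obj = json.loads(text)
    key_id = obj.get("KeyId", "")
    if not KEY_ID_RE.match(key_id):
        raise ValueError(f"unexpected KeyId format: {key_id!r}")
    der = base64.b64decode(obj.get("PrivateKeyData", ""), validate=True)
    seq_len, body_start, version = parse_pfx_header(der)
    if version != 3:
        raise ValueError(f"PKCS #12 version must be 3, got {version}")
    if len(der) != body_start + seq_len:
        raise ValueError("PrivateKeyData is truncated or has trailing bytes")
    return der

# Constructed sample (not a real client key): minimal DER SEQUENCE { INTEGER 3, ... }.
SAMPLE_PFX = bytes.fromhex("30080201033003060100")
SAMPLE_CLIENT_KEY = json.dumps({"KeyId": "KAAP.00000000-0000-4000-8000-000000000000",
                                "PrivateKeyData": base64.b64encode(SAMPLE_PFX).decode()})
```

The check does not decrypt the PKCS 12 file; opening it with the password from the Application Access Credential dialog box is left to the application's KMS client.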

Update an AAP

To change the permissions on the dedicated KMS instance for an AAP, you can update the policies of the AAP. This way, different applications can access the required instances.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create an AAP.
  3. In the left-side navigation pane, click Applications.
  4. Click the name of an AAP. On the page that appears, click Update in the upper-right corner.
  5. In the Update Application Access Point dialog box, update the policies.
    1. Click the Plus icon to the right of Policies.
    2. In the RBAC Policy dialog box, configure the following parameters and click Create.
      • Policy Name: The name of the policy.
      • Scope: The scope of the policy. Select the service ID of the dedicated KMS instance.
      • RBAC Permissions: The permission management template, which specifies an operation that can be performed on specific resources. Select CryptoServiceKeyUser.
      • Accessible Resources: The resources on which the policy takes effect. You can use one of the following methods to configure resources:
        • Method 1: In the Key: Resources section, select existing resources and click the Left icon.
        • Method 2: In the Key: Selected Resources section, click the Plus icon. In the dialog box that appears, specify resources and click Add.
          Note You can use the wildcard character asterisk (*) as a suffix.
      • Network Access Rules: The network type and IP address that are allowed for access to the instance.

      In the Rules section, select existing rules or perform the following steps to create a rule:

      1. Click the Plus icon.
      2. In the Create Network Access Rule dialog box, configure the following parameters:
        • Name: Enter the name of the network access rule.
        • Network Type: Select the type of the network that is allowed for access to the instance.

          If your application accesses the instance over a virtual private cloud (VPC), select Private.

        • Description: Enter a description about the network access rule.
        • Allowed Private IP Address: Enter the IP addresses that are allowed to access the instance.

          You can enter private IP addresses or CIDR blocks. You must separate multiple IP addresses or CIDR blocks with commas (,).

      3. Click Create.
      4. Select the new rule and click the Left icon.
    3. Select the new policy and click the Left icon.
  6. Enter a description and click Update.

Delete an AAP

An AAP is the credential that is required to use a dedicated KMS instance. If you delete an AAP, you can no longer use the dedicated KMS instance. Proceed with caution. After an AAP is deleted, all the client keys that are bound to the AAP are deleted.

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create an AAP.
  3. In the left-side navigation pane, click Applications.
  4. Find the AAP that you want to delete and click Delete in the Actions column.
  5. In the Delete Application Access Point message, click OK.

Delete a client key

Client keys are used to authenticate applications. When you create a client key, you must save the PKCS 12 file of the client key. If the PKCS 12 file is lost, you must delete the client key and create a different client key.

To delete a client key, perform the following steps:

  1. Log on to the KMS console.
  2. In the top navigation bar, select the region in which you want to create an AAP.
  3. In the left-side navigation pane, click Applications.
  4. Click the name of the AAP.
  5. In the Client Key section, find the client key and click Delete in the Actions column.
  6. In the Delete Client Key message, click OK.