To use an existing AWS KMS key as the customer managed key, you must modify the key policy of that key so that the IAM role in the Vantage account can use the key to perform encryption.
- Set up the key policy to allow the Vantage account to use the key by granting the following permissions: "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant".
- Share the Alias ARN for the key with Teradata and your cloud operations contact. The Alias ARN is not the same as the key ARN.
- The Alias ARN must remain the same throughout the life cycle of the site. When a KMS key is rotated, the Alias ARN must be remapped to the newly created KMS key.
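As an added example (not part of the Teradata documentation), the following Python builds the key policy statement described above, appends it to an existing key policy document, and reports which of the required actions a given principal still lacks. The account IDs and the role name used in the comments and tests are placeholders.

```python
import json
from fnmatch import fnmatchcase

# Permissions the page lists for the Vantage account on the customer managed key.
REQUIRED_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*",
    "kms:DescribeKey", "kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant",
]


def vantage_statement(principal_arn: str) -> dict:
    """Key policy statement granting the Vantage principal only the listed actions.
    principal_arn is the IAM role ARN in the Vantage account (placeholder value)."""
    return {
        "Sid": "AllowVantageUseOfTheKey",
        "Effect": "Allow",
        "Principal": {"AWS": principal_arn},
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "*",  # in a key policy, "*" means this key only
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def add_vantage_statement(key_policy_json: str, principal_arn: str) -> str:
    """Append the Vantage statement to an existing key policy document (e.g. the
    output of `aws kms get-key-policy`), keeping the account's own statements."""
    policy = json.loads(key_policy_json)
    policy["Statement"] = _as_list(policy.get("Statement", [])) + [vantage_statement(principal_arn)]
    return json.dumps(policy, indent=2)


def missing_actions(key_policy_json: str, principal_arn: str) -> list:
    """Required actions that no Allow statement grants to principal_arn.
    Wildcards in granted actions (e.g. "kms:*") are honoured via glob matching;
    Deny statements and Condition blocks are not evaluated here."""
    granted = []
    for stmt in _as_list(json.loads(key_policy_json).get("Statement", [])):
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") == "Allow" and principal_arn in principals:
            granted.extend(_as_list(stmt.get("Action", [])))
    return [a for a in REQUIRED_ACTIONS if not any(fnmatchcase(a, g) for g in granted)]
```

Run `missing_actions` against the current policy before and after the change to confirm that the Vantage role, and only that role, gained exactly the listed permissions.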