Use an Existing KMS | Teradata Vantage on AWS - Using an Existing AWS KMS

Use an Existing KMS | Teradata Vantage on AWS - Using an Existing AWS KMS - Teradata Vantage on AWS

Teradata Vantage™ on AWS Getting Started Guide

Product

Teradata Vantage on AWS

Release Number

2.3

Published

March 2022

Language

English (United States)

Last Update

2022-03-02

dita:mapPath

nol1623083013042.ditamap

dita:ditavalPath

kfh1623083985300.ditaval

dita:id

B700-4015

Product Category

Cloud

To use an existing AWS KMS key to create a customer managed key, you must modify the key policy of that key so the IAM role is able to use the key to perform encryption.

Set up the key policy to allow the Vantage account to use the key by setting the following permissions:

"kms:Encrypt",

"kms:Decrypt"

"kms:ReEncrypt*"

"kms:GenerateDataKey*"

"kms:DescribeKey"

"kms:CreateGrant",

"kms:ListGrants",

"kms:RevokeGrant"

Share the Alias ARN for the key with Teradata and your cloud operations contact.
This is not the same as the key ARN.

The Alias ARN must remain the same throughout the life cycle of the site. When a KMS key is rotated, the Alias ARN must be remapped to the newly created KMS key.