Use an Existing CMK | Teradata Vantage on AWS - 2.2 - Using an Existing CMK - Teradata Vantage on AWS

Teradata Vantageā„¢ on AWS Getting Started Guide

Product
Teradata Vantage on AWS
Release Number
2.2
Published
May 2021
Language
English (United States)
Last Update
2021-05-07
dita:mapPath
fej1604950716310.ditamap
dita:ditavalPath
knr1605632684962.ditaval

To use an existing key as a custom master key using AWS KMS, you must modify the key policy of that key so the IAM role is able to use the key to perform encryption.

  1. Set up the key policy to allow the Vantage account to use the key by setting the following permissions:
    "kms:Encrypt",
    
    "kms:Decrypt"
    
    "kms:ReEncrypt*"
    
    "kms:GenerateDataKey*"
    
    "kms:DescribeKey"
    
    "kms:CreateGrant",
    
    "kms:ListGrants",
    
    "kms:RevokeGrant"
  2. Share the Alias ARN for the key with the account team and cloud operation contact.
    This is not the same as the key ARN.
    The Alias ARN must remain the same throughout the life cycle of the site. When a KMS key is rotated, the Alias ARN must be remapped to the newly created KMS key.