Amazon KMS

Least Privileged User

Navigate to the AWS console and create an IAM user with programmatic access. The user needs the permissions listed below. Create a policy containing only these permissions and attach it to the user.

For more information, see: High Level AWS Source Configuration

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:ListKeyPolicies",
        "kms:GenerateRandom",
        "cloudwatch:GetMetricData",
        "kms:ListRetirableGrants",
        "kms:GetKeyPolicy",
        "kms:ListResourceTags",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "kms:ReEncryptFrom",
        "kms:ListGrants",
        "kms:GetParametersForImport",
        "kms:ListKeys",
        "cloudwatch:DescribeAlarmHistory",
        "kms:GetKeyRotationStatus",
        "cloudwatch:DescribeAlarmsForMetric",
        "kms:ListAliases",
        "cloudwatch:DescribeAlarms",
        "kms:ReEncryptTo",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}
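To verify that a policy document really matches this least-privilege set before attaching it, the following added example (not part of this page or its vendor's tooling) audits a policy against the action list above: it flags wildcards, actions outside the list, and actions the list requires but the policy lacks, and by a simple Get/List/Describe prefix heuristic (an assumption, not an AWS classification) it reports which granted actions are not pure reads so they can be reviewed.

```python
import fnmatch
import json

# Actions this page lists as required for the KMS collector (copied from the page).
EXPECTED_ACTIONS = {
    "kms:ListKeyPolicies", "kms:GenerateRandom", "kms:ListRetirableGrants",
    "kms:GetKeyPolicy", "kms:ListResourceTags", "kms:ReEncryptFrom",
    "kms:ListGrants", "kms:GetParametersForImport", "kms:ListKeys",
    "kms:GetKeyRotationStatus", "kms:ListAliases", "kms:ReEncryptTo",
    "kms:DescribeKey", "cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics", "cloudwatch:DescribeAlarmHistory",
    "cloudwatch:DescribeAlarmsForMetric", "cloudwatch:DescribeAlarms",
}
# Heuristic (assumption): API verbs with these prefixes only read state;
# anything else is reported for review.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def page_policy():
    """Build the policy document shown on this page as a JSON string (constructed sample)."""
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow",
         "Action": sorted(EXPECTED_ACTIONS), "Resource": "*"}]})


def audit_policy(policy_json, expected=EXPECTED_ACTIONS):
    """Compare an IAM policy document with the expected action set and return findings."""
    policy = json.loads(policy_json)
    findings = {"wildcards": [], "unexpected": [], "missing": set(expected),
                "non_read_only": [], "non_allow_statements": 0}
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            findings["non_allow_statements"] += 1
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        for action in actions:
            if "*" in action or "?" in action:
                findings["wildcards"].append(action)
                # Expand the pattern against the expected set to see what it covers there.
                granted.update(a for a in expected if fnmatch.fnmatch(a, action))
            else:
                granted.add(action)
    for action in sorted(granted):
        findings["missing"].discard(action)
        if action not in expected:
            findings["unexpected"].append(action)
        if not action.split(":")[-1].startswith(READ_ONLY_PREFIXES):
            findings["non_read_only"].append(action)
    findings["missing"] = sorted(findings["missing"])
    return findings
```

Running it on the page's own policy reports no wildcards, nothing missing and nothing unexpected, but lists kms:GenerateRandom, kms:ReEncryptFrom and kms:ReEncryptTo as the actions that are not plain Get/List/Describe reads.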

Connection Parameters

Name | Required? | Description
Region | |
Access Key ID | Required |
Secret Access Key | Required |
Additional Threads | | The number of additional threads allowed to be utilized during collection.
Request Timeout (seconds) | | The number of seconds to allow for the API to return a response.
Collect CloudWatch Metrics | |
CloudWatch Historic Mode | | If enabled, retrieves a history of data points from CloudWatch. Otherwise, collects only the most recent data point for each metric.

Metrics

Key

Name | Description
Account ID | The twelve-digit account ID of the AWS account that owns the CMK.
Alias | The alias of the CMK.
ARN | The Amazon Resource Name (ARN) of the CMK.
Description | The description of the CMK.
Enabled | Specifies whether the CMK is enabled.
Expiration Time | The time at which the imported key material expires.
ID | The globally unique identifier for the CMK.
Key Material Expiration Date (Seconds) | This metric tracks the amount of time remaining until imported key material expires.
Manager | The CMK's manager.
Origin | The source of the CMK's key material.
Policies | The names of the key policies that are attached to a customer master key (CMK).
Region | The AWS Region this object belongs to.
State | The state of the CMK.
Usage | The cryptographic operations for which you can use the CMK.