Help Center/ Data Encryption Workshop/ User Guide (ME-Abu Dhabi Region)/ Management/ Permissions Management/ Creating a User and Authorizing the User the Permission to Access KMS
Updated on 2022-02-22 GMT+08:00

Creating a User and Authorizing the User the Permission to Access KMS

This section describes how to use IAM to implement fine-grained permissions control for your DEW resources. With IAM, you can:

  • Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has its own security credentials to access DEW resources.
  • Grant users only the permissions required to perform a task.
  • Delegate a trusted account or cloud service to perform professional, efficient O&M on your KMS resources.

If your account does not require individual IAM users, skip this chapter.

This section describes the procedure for granting permissions (see Figure 1).

Prerequisites

Before authorizing permissions to a user group, you need to know which KMS permissions can be added to the user group. Table 1 lists the KMS system policies. For the permissions of other services, see Permission Description.

Table 1 System-defined roles and policies supported by KMS

Role/Policy Name

Description

Type

Dependency

KMS Administrator

Users with this set of permissions can perform administrator operations on DEW.

System role

None

KMS CMKFullAccess

Users with this set of permissions have full permissions for encryption keys in DEW.

System policy

None

Authorization Process

Figure 1 Authorizing the KMS access permission to a user
  1. Create a user group and assign permissions.

    Create a user group on the IAM console and grant the user group the KMS CMKFullAccess permission (indicating full permissions for keys) for DEW.

  2. Create a user and add it to a user group.

    Create a user on the IAM console and add the user to the user group created in 1.

  3. Log in and verify permissions.

    Log in to the CGS console by using the newly created user, and verify that the user only has read permissions for CGS.

    • Choose Service List > Key Management Service. In the navigation pane, choose Key Pair Service. If a message appears indicating lack of permissions, the KMS CMKFullAccess policy has taken effect.
    • Click Service List and select a service other than DEW. If a message is displayed indicating that you do not have permission to access the service, the KMS CMKFullAccess policy has taken effect.