
How to get started with the Amazon KMS connector and Qlik's Encryption API using Qlik Application Automation
This article explains how the Amazon KMS connector in Qlik Application Automation and the Encryption API of Qlik Cloud can be used together to manage operations such as key rotations.
This article uses the Qlik Cloud connector; however, the same actions can be performed with the Qlik Platform Ops connector for OEM use cases.
Table of Contents:
- Authentication
- AWS Setup
- Qlik Cloud
- Available blocks
- Building an automation to encrypt a tenant with a customer-managed key
Authentication
AWS Setup
Authentication to Amazon KMS happens through an IAM user. The steps below outline how to create the IAM user, assign it the correct policy, and create a connection in Automations.
- Open the AWS console
- Navigate to Identity and Access Management (IAM)
- Click Create Policy
- In the Policy editor, switch to JSON view
- Copy in the following JSON document:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:EnableKey",
        "kms:UntagResource",
        "kms:PutKeyPolicy",
        "kms:GetKeyPolicy",
        "kms:CancelKeyDeletion",
        "kms:ListResourceTags",
        "kms:DisableKey",
        "kms:UpdateAlias",
        "kms:ListKeys",
        "kms:TagResource",
        "kms:ListAliases",
        "kms:CreateAlias",
        "kms:DescribeKey",
        "kms:CreateKey",
        "kms:DeleteAlias",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": "*"
    }
  ]
}
```
- On the Review policy page, add a name and a description for the policy. In this example, the name is set to qlik-byok.
- After creating the policy, navigate to the Users page in IAM
- Click Add Users
- Specify a name for the user.
There is no need to provide the user access to the AWS console.
- Assign the previously generated permission policy to the user on the Set Permissions Page:
- Review your user settings in the Review and Create page
- Click Create user
- Back on the Users page, click on the user that you just created
- Navigate to the Security Credentials tab
- Click Create Access Key
- For Use Case click Third-party service and follow the recommendations. A description tag is optional.
- Click Create Access Key
- Copy the Access Key and Secret Access Key values and store them safely. The Secret Access Key is shown only once. See the Access key best practices shown on screen.
Qlik Cloud
- Open Qlik Cloud
- Navigate to My Automations
- Switch to the Connections tab
- Click Add new connection
- Search for Amazon KMS and click Add
- Provide the access key and secret access key and specify the AWS region in which your KMS is located
Available blocks
The Amazon KMS connector has the following blocks available:
- Add Tag to Key
- Cancel Key Deletion
- Create Alias
- Create Key
- Delete Alias
- Delete Tag from Key
- Describe Key
- Disable Key
- Enable Key
- List Aliases
- List Keys
- List Tags from Keys
- Put Key Policy
- Schedule Key Deletion
- Update Alias
The Qlik Cloud and Qlik Platform Ops connectors have the following blocks for the Encryption API:
- List Key Providers
- Validate Key Provider
- Create Key Provider
- Get Key Provider by Fingerprint
- Trigger Migration to Key Provider
- Get Ongoing Key Provider Migration Details
- Reset a Migration to Qlik Provider
Building an automation to encrypt a tenant with a customer-managed key
Now that there is a connection to Amazon KMS, we can configure an automation that generates a new key, sets this key as the key provider for the entire Qlik Cloud tenant, and then re-encrypts the whole tenant with the newly provided key. The instructions below describe how to build this as an Automation:
- First, validate which key is currently being used. Navigate to https://{tenant_name}.{region}.qlikcloud.com/console/settings/KMS-providers. If this is your first time adding a Customer Managed Key, you should see that the tenant is using a Qlik-provided key.
- Change to the Automations console using the icon in the top right and click on My Automations
- Click on Create Automation in the top right
- Choose the Blank Automation template
- Provide a name for the automation and an optional description
- Click Save
- In the Automation editor, use the left panel to search for the Amazon KMS connector
- Locate the Create Key block and drag it into the canvas on the right
- Do the same for the Put Key Policy block and drag it underneath the Create Key block.
- Click on the Put Key Policy block and provide a key ID in the inputs panel. You can use the output of the Create Key block for this. To do so:
  - Click on the Key ID input
  - Choose Output from Create Key
  - Find the KeyId field
- For the Key Policy input field, use the Raw Input toggle and provide the following JSON document. Replace {account_id} with your AWS account ID and {tenant_id} with your Qlik Cloud tenant ID. You can obtain your tenant ID in Automations through the Get Tenant Info block of the Qlik Cloud connector.

```json
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::{account_id}:root" },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Enable KMS Key policy for proxy account",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::338144066592:role/byok-encryption-proxy-role",
          "arn:aws:iam::338144066592:role/byok-automations-proxy-role",
          "arn:aws:iam::634246602378:role/byok-encryption-proxy-role",
          "arn:aws:iam::634246602378:role/byok-automations-proxy-role"
        ]
      },
      "Action": [ "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey" ],
      "Resource": "*",
      "Condition": {
        "StringEquals": { "kms:EncryptionContext:TenantId": "{tenant_id}" }
      }
    }
  ]
}
```
- Use the blocks panel to open the Qlik Cloud connector and drag the Create Key Provider block onto the canvas. Configure this block with the ARN obtained from the Create Key block, provide a name, and set the type to AWS-KMS.
- From the Qlik Cloud connector, drag both the Validate Key Provider and Trigger Migration to Key Provider blocks onto the canvas. Configure the Key ID inputs just as for the earlier blocks. You should end up with the following automation:
Upon running this automation, the tenant will be re-encrypted using a Customer Managed Key.
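As an added example (not part of this article or of Qlik's or AWS's own tooling), the following Python builds the key policy used in the Put Key Policy step from an account ID and tenant ID, and checks that the Qlik proxy roles are granted only Encrypt, Decrypt and GenerateDataKey, and only under the matching TenantId encryption context. This is the check to run before trusting a hand-edited policy, since a missing condition lets the proxy roles use the key for any tenant. The account and tenant values in the usage are constructed placeholders.

```python
# Qlik's BYOK proxy roles and the actions they need, as listed in the article's key policy.
QLIK_PROXY_ROLES = [
    "arn:aws:iam::338144066592:role/byok-encryption-proxy-role",
    "arn:aws:iam::338144066592:role/byok-automations-proxy-role",
    "arn:aws:iam::634246602378:role/byok-encryption-proxy-role",
    "arn:aws:iam::634246602378:role/byok-automations-proxy-role",
]
PROXY_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}
TENANT_CTX = "kms:EncryptionContext:TenantId"


def build_key_policy(account_id: str, tenant_id: str) -> dict:
    """Key policy from the article with {account_id} and {tenant_id} filled in."""
    return {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Enable KMS Key policy for proxy account", "Effect": "Allow",
             "Principal": {"AWS": QLIK_PROXY_ROLES},
             "Action": sorted(PROXY_ACTIONS), "Resource": "*",
             "Condition": {"StringEquals": {TENANT_CTX: tenant_id}}},
        ],
    }

def _as_list(value):
    # IAM allows a single string or a list for Principal.AWS and Action.
    return [value] if isinstance(value, str) else list(value or [])

def check_tenant_scoping(policy: dict, tenant_id: str) -> list:
    """Findings for every Allow statement that grants a non-root principal more
    than the proxy actions or lacks the TenantId encryption-context pin."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        if principals and all(p.endswith(":root") for p in principals):
            continue  # the key-owning account's administrative statement
        sid = stmt.get("Sid", "<no Sid>")
        extra = sorted(set(_as_list(stmt.get("Action"))) - PROXY_ACTIONS)
        if extra:
            findings.append(f"{sid}: grants extra actions {extra}")
        ctx = stmt.get("Condition", {}).get("StringEquals", {}).get(TENANT_CTX)
        if ctx != tenant_id:
            findings.append(f"{sid}: {TENANT_CTX} is {ctx!r}, expected {tenant_id!r}")
    return findings
```

Run `check_tenant_scoping(build_key_policy("123456789012", "tenant-abc"), "tenant-abc")` (constructed values) to get an empty list; a policy whose proxy statement lost its Condition or gained extra actions returns one finding per problem.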