This article explains how the Amazon KMS connector in Qlik Application Automation and the Encryption API of Qlik Cloud can be used together to manage operations such as key rotations.
This article uses the Qlik Cloud connector; however, the same actions can be performed with the Qlik Platform Ops connector for OEM use cases.
Authentication to Amazon KMS happens through an IAM user. The steps below outline how to create the IAM user, have the correct policy assigned and make a connection in Automations.
Copy in the following JSON document:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "kms:EnableKey",
        "kms:UntagResource",
        "kms:PutKeyPolicy",
        "kms:GetKeyPolicy",
        "kms:CancelKeyDeletion",
        "kms:ListResourceTags",
        "kms:DisableKey",
        "kms:UpdateAlias",
        "kms:ListKeys",
        "kms:TagResource",
        "kms:ListAliases",
        "kms:CreateAlias",
        "kms:DescribeKey",
        "kms:CreateKey",
        "kms:DeleteAlias",
        "kms:ScheduleKeyDeletion"
      ],
      "Resource": "*"
    }
  ]
}
The Amazon KMS connector has the following blocks available:
The Qlik Cloud and Qlik Platform Ops connectors have the following blocks for the Encryption API:
Now that there is a connection to Amazon KMS, we can configure an automation that generates a new key, sets that key as the key provider for the entire Qlik Cloud tenant, and then re-encrypts the whole tenant with the newly provided key. The instructions below describe how to build this as an automation:
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{account_id}:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Enable KMS Key policy for proxy account",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::338144066592:role/byok-encryption-proxy-role",
          "arn:aws:iam::338144066592:role/byok-automations-proxy-role",
          "arn:aws:iam::634246602378:role/byok-encryption-proxy-role",
          "arn:aws:iam::634246602378:role/byok-automations-proxy-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "kms:EncryptionContext:TenantId": "{tenant_id}"
        }
      }
    }
  ]
}
Upon running this automation, the tenant will be re-encrypted using a Customer Managed Key.
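As an added illustration (not code from this article or from Qlik), the following Python fills the {account_id} and {tenant_id} placeholders of the key policy above and then checks, before the policy is applied to the key, that the statement for Qlik's proxy roles grants only Encrypt, Decrypt and GenerateDataKey and is conditioned on the tenant's encryption context. The builder and checker functions are assumptions made for this example; the role ARNs and actions are those shown on the page.

```python
import json

# Qlik's BYOK proxy roles and the actions the key policy above grants them
# (values taken from the page; only the account and tenant ids are placeholders).
QLIK_PROXY_ROLES = [
    "arn:aws:iam::338144066592:role/byok-encryption-proxy-role",
    "arn:aws:iam::338144066592:role/byok-automations-proxy-role",
    "arn:aws:iam::634246602378:role/byok-encryption-proxy-role",
    "arn:aws:iam::634246602378:role/byok-automations-proxy-role",
]
PROXY_ACTIONS = {"kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey"}
TENANT_CTX_KEY = "kms:EncryptionContext:TenantId"


def build_key_policy(account_id: str, tenant_id: str) -> dict:
    """Fill the {account_id} and {tenant_id} placeholders of the key policy above."""
    return {
        "Version": "2012-10-17",
        "Id": "key-consolepolicy-3",
        "Statement": [
            {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "Enable KMS Key policy for proxy account", "Effect": "Allow",
             "Principal": {"AWS": QLIK_PROXY_ROLES}, "Action": sorted(PROXY_ACTIONS),
             "Resource": "*",
             "Condition": {"StringEquals": {TENANT_CTX_KEY: tenant_id}}},
        ],
    }


def _as_list(value):
    # IAM accepts a single string where a list is allowed; normalise for the checks.
    return [value] if isinstance(value, str) else list(value or [])


def check_key_policy(policy: dict, tenant_id: str) -> list:
    """Return findings (empty list means OK) for the statement granting Qlik's proxy roles."""
    text = json.dumps(policy)
    findings = [f"unresolved placeholder {p}" for p in ("{account_id}", "{tenant_id}") if p in text]
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if not set(_as_list(aws)) & set(QLIK_PROXY_ROLES):
            continue  # not the Qlik proxy-role statement
        sid = stmt.get("Sid", "<no Sid>")
        extra = set(_as_list(stmt.get("Action"))) - PROXY_ACTIONS
        if extra:
            findings.append(f"{sid}: grants more than data-key use: {sorted(extra)}")
        ctx = stmt.get("Condition", {}).get("StringEquals", {})
        if ctx.get(TENANT_CTX_KEY) != tenant_id:
            findings.append(f"{sid}: proxy grant is not restricted to TenantId {tenant_id}")
    return findings
```

Run the checker against the policy text you are about to paste into the KMS console; an empty list means the proxy grant is scoped to your tenant as the article intends.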