1663 - How to switch your company KMS to AWS KMS

Modified on Tue, 19 May at 11:04 AM

This article shows you how to switch your company from CyberSentriq-managed encryption to encryption using AWS Key Management Service (KMS), enabling you to hold the master key that protects your backup encryption keys.

To switch to AWS KMS, you will need four values to paste into RedApp. These can be obtained in one of two ways: using our provided script to automate the setup (recommended) or using the manual fallback option.

PAGE CONTENTS

What your IT / AWS admin needs to prepare
- Option 1: Automated setup (recommended)
- Manual setup (fallback)
  - Step 1: Create the KMS key in AWS
  - Step 2: Create the IAM role and trust policy
What you need in RedApp
How to switch to AWS KMS
Verifying your tenants
Common issues
What to do next
Script

What your IT / AWS admin needs to prepare

An AWS account where your admin can create IAM roles and KMS keys.
An AWS user or role with iam:*, kms:*, and sts:* permissions (an AWS account administrator is simplest).
The CyberSentriq platform principal ARN: arn:aws:iam::156214480941:user/cybersentriq-kms-connector

You will not need to grant consent as part of the setup, as this is covered by the admin having a cross-account IAM role.

The admin needs to provide you with the following values to paste into RedApp:

Role ARN: e.g. arn:aws:iam::123456789012:role/CyberSentriqKmsRole
External ID: a UUID generated during setup
AWS region: the region where the KMS key resides (e.g. us-east-1)
Key ARN: e.g. arn:aws:kms:us-east-1:123456789012:key/abc-def-123

These can be obtained in one of two ways:

Option 1: Automated setup (recommended)

At the bottom of this page, you will find a a CloudShell script named cybersentriq-byok-setup.sh, which will complete the setup end-to-end. The script:

Creates a symmetric ENCRYPT_DECRYPT KMS key with annual rotation enabled (or reuses an existing one).
Creates the alias alias/cybersentriq-byok.
Creates an IAM role (CyberSentriqKmsRole) with a trust policy scoped to the CyberSentriq platform principal and an auto-generated External ID.
Attaches the minimum KMS permissions the role needs.
Verifies everything end-to-end by assuming the role and performing a test encrypt.
Prints the four values discussed above to paste into RedApp.

To proceed with automated setup using this script, follow the steps below.

Step 1: Open AWS CloudShell

In the AWS Console, pick the region where you want the key to live (top-right region selector).
Click the CloudShell icon (>_) in the top bar, or visit https://console.aws.amazon.com/cloudshell.
Wait approximately 30 seconds for the shell to initialise.

Step 2: Upload the script

In CloudShell, click Actions > Upload file and select cybersentriq-byok-setup.sh. Then make it executable:

chmod +x cybersentriq-byok-setup.sh

Step 3: Run the script

Copy the CyberSentriq platform principal ARN from the AWS KMS setup screen in RedApp, then paste it into the command below. To create a new key (the default):

./cybersentriq-byok-setup.sh \
    --platform-principal-arn arn:aws:iam::156214480941:user/cybersentriq-kms-connector \
    --region us-east-1

To reuse an existing KMS key instead:

./cybersentriq-byok-setup.sh \
    --platform-principal-arn arn:aws:iam::156214480941:user/cybersentriq-kms-connector \
    --key-id alias/my-existing-key \
    --region us-east-1

Optional flags:

Flag	Default	Purpose
`--key-alias <alias>`	`alias/cybersentriq-byok`	Alias for the new key. Ignored with `--key-id`.
`--key-description <text>`	"CyberSentriq BYOK customer-managed key"	Key description. Ignored with `--key-id`.
`--no-rotation`	rotation enabled	Disable annual key rotation. Ignored with `--key-id`.
`--role-name <name>`	`CyberSentriqKmsRole`	IAM role name to create or update.
`--external-id <uuid>`	auto-generated UUID	External ID for the trust-policy condition.
`--region <region>`	`$AWS_REGION` / extracted from ARN	AWS region.

Step 4: Read the output

On success, the script prints the four values you need:

================================================================
 SUCCESS — role configured and verified end-to-end.
================================================================

A new KMS key was created under alias 'alias/cybersentriq-byok'.

Paste these four values into the CyberSentriq console:

  Role ARN:    arn:aws:iam::555555555555:role/CyberSentriqKmsRole
  External ID: 8f1e4c2b-7a3d-4e9f-b8c1-2d5e6f7a8b9c
  Key ARN:     arn:aws:kms:us-east-1:555555555555:key/abcd1234-...
  Region:      us-east-1

Paste these into the AWS KMS form in RedApp (see How to switch to AWS KMS below).

It is safe to re-run the script if needed. If the role already exists, its trust policy and inline policy will be updated in place. If the alias already resolves to a key, that key will be reused. No new key will be created.

Script troubleshooting

Symptom	Cause / fix
`AccessDenied` on `CreateKey` or `CreateRole`	The CloudShell user lacks `iam:` / `kms:`. Run as an AWS admin or attach the required permissions.
"WARNING — role created but verification failed"	Role is present but the end-to-end encrypt test failed. Most common: a pre-existing key whose key policy does not delegate to IAM. Confirm the key policy has the default root `Allow kms:*` statement.
Region mismatch	If you pass a full key ARN, the region comes from the ARN and overrides `--region`. Otherwise `--region` / `AWS_REGION` is used.

Manual setup (fallback)

If the automated script cannot be used (due to a restrictive environment, manual key provisioning having already been done, or some other reason) the same outcome can be achieved by hand. AWS's documentation covers the necessary steps:

Step 1: Create the KMS key in AWS

Create a symmetric KMS key: Creating symmetric encryption KMS keys (AWS Console, CLI, and API variants).
Overview of KMS key types: AWS KMS keys (covers the difference between symmetric and asymmetric keys).

Compatibility requirements:

The key must be a symmetric encryption key (AES-256). Asymmetric (RSA / ECC) keys and HMAC keys are not supported for this flow.
The key must be in a single region (multi-region keys are allowed, but CyberSentriq will only use the region you configure in RedApp).
Take note of the Key ARN and region once the key is created (you will need both in RedApp).

Step 2: Create the IAM role and trust policy

CyberSentriq accesses your KMS key by assuming an IAM role in your AWS account.

Create an IAM role for cross-account access: Granting access to AWS accounts owned by third parties (explains the External ID pattern CyberSentriq uses).
Reference for IAM policies on KMS keys: Key policies in AWS KMS.

Role requirements:

A trust policy that allows the CyberSentriq platform principal (the ARN is displayed in RedApp on the AWS KMS setup screen) to assume it, with a chosen External ID (UUID recommended) as a condition.
A permissions policy allowing the minimum KMS actions (Encrypt, Decrypt, GenerateDataKey, DescribeKey, CreateGrant, RetireGrant, ListGrants) on the specific KMS key only — no wider permissions are needed.

Once the role is created, capture the Role ARN, the External ID, the AWS region, and the Key ARN. These are the four values you need to paste into RedApp.

What you need in RedApp

You are signed in as a Partner Admin or Company Admin.
Your company has an active encryption provider (CyberSentriq-Managed, Azure Key Vault, or another customer-managed vault). You can switch directly to AWS KMS from any provider.

How to switch to AWS KMS

In RedApp, open Key Management and choose Manage KMS. Confirm the current provider shows as CyberSentriq-Managed.
Select AWS KMS from the provider dropdown.
Enter the Role ARN, External ID, AWS Region, and Key ARN your AWS admin gave you.
Click Test connection. Wait for the green success confirmation. This proves CyberSentriq can use your role and your key.
Click Save. RedApp shows the list of Microsoft 365 and Google Workspace tenants found in your backup sets — each one must be verified before the switch can finish.
Verify each discovered tenant (see the next section).
When every tenant is verified, RedApp automatically finishes the switch: your backup encryption keys are re-protected with your AWS KMS key, and the KMS status flips to AWS KMS.

If you need to stop part-way through, use Cancel pending setup. Your current encryption stays unchanged.

Verifying your tenants

Before RedApp can switch your encryption, it needs to confirm you actually own every Microsoft 365 or Google Workspace tenant that appears in your backup sets. This protects your data from being re-keyed by an unauthorised party.

Microsoft 365 tenants are verified by having a Global Administrator or Privileged Role Administrator grant admin consent. To check a user's role: sign into the Microsoft Entra admin center, go to Users > All users, select the user, and look under Assigned roles.
Google Workspace tenants are verified by having a Super Admin authorize CyberSentriq. Delegated admins will not work. To check a user's role: sign into the Google admin center and go to Account > Admin roles > Super Admin.

If a new backup set is added during the KMS setup, its tenant will show up as unverified on the list of tenants. You will need to also verify this tenant before the switch can complete.

Common issues

What you see	Why it happens	How to fix
"Access denied" when testing the connection	The role's trust policy doesn't allow CyberSentriq to assume the role, or the External ID doesn't match what you pasted into RedApp.	Ask your AWS admin to confirm the principal in the trust policy is the CyberSentriq platform account, and that the External ID matches character-for-character.
"KMS key not found"	The Key ARN is wrong, or the key is in a different region from what you entered.	Open the key in the AWS Console — the Region and Key ID shown must match the ARN and Region you enter in RedApp.
"The KMS key is disabled"	The key has been disabled in AWS.	Ask your AWS admin to re-enable the key, then retry.
Test passes but Save fails	Usually the role has permission to encrypt but not decrypt (or vice versa).	Ask your AWS admin to grant both encrypt and decrypt on the key.
"Asymmetric KMS key is not supported"	The key you chose is asymmetric (RSA or ECC) rather than symmetric.	Ask your AWS admin to create a symmetric encryption key in AWS KMS and use its ARN instead.
Connection test error mentions "platform credentials"	This is a CyberSentriq-side configuration issue, not something you can fix in AWS.	Contact CyberSentriq support.
The switch won't complete — tenants keep showing as unverified	A new backup set was added during setup, or a tenant was verified by someone without the required admin role.	Refresh the tenant list and complete consent for any new tenants using a qualified admin account.

What to do next

Once the switch completes, you will have one opportunity to export a copy of your company encryption key without having to re-verify your tenants. If you'd like an off-platform copy for safe-keeping, export the encryption key now by following the steps in Article 1655.

Script

Attachments (1)

cybersentriq-byok-setup.sh
11.3 KB