AWS KMS setup guide

Configure key in AWS KMS


1. Log in to your AWS Console.


2. Use the search option to find IAM.

3. Click Users in the left menu.

Notes
Click Create user if you haven't added a user yet. Use a dedicated IAM user for this integration, so that the access key you hand to Zoho carries no permissions beyond those granted on the key in the steps below.

4. Select the required user and click Create access key.

5. Select Application Running Outside AWS, then click Next.

6. Copy the Access key ID and Secret access key, or click Download .csv file to save both.

Notes
The Secret access key is shown only once; if it is lost, create a new access key. These are long-lived credentials, so store them in a secret manager and rotate them on a schedule.

7. Go back to the AWS Console dashboard and open Key Management Service (KMS).

8. Click Customer managed keys in the left menu, then click Create key at the top-right corner.

9. Under Key type, select Symmetric and under Key usage, select Encrypt and decrypt.

10. Click Advanced options and set Key material origin to AWS CloudHSM key store if you want the key material held in AWS CloudHSM (this requires a CloudHSM key store that has already been created and connected); otherwise leave the default, KMS.


11. Under Alias, enter a key name and under Description, describe your key, then click Next.

12.  Under Key administrators, select the checkbox to assign a user as the key administrator, then click Next.

13. Under Define key usage permissions, select a key user and click Next.

14. Under Edit key policy, check that the statement generated for the key user you selected in step 13 lists "kms:Encrypt" and "kms:Decrypt" under "Action"; these are the only operations the integration calls. Click Next.

15. Review the key details and click Finish. The new key is now listed under Customer managed keys.

16. Click the key you created and copy its Key ID.
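The check below is added here as an example; it is not part of Zoho's or AWS's own tooling. It automates step 14: it parses a key policy document and confirms that the key user's statement grants kms:Encrypt and kms:Decrypt, and flags a key user that has instead been handed every KMS action. The policy text, account ID and user name are constructed placeholders; paste your own policy from the Edit key policy page in their place.

```python
import fnmatch
import json

# Constructed example of a key policy as the console generates it after steps 12 and 13
# (placeholder account ID and user name, not taken from any real account).
SAMPLE_KEY_POLICY = """{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:user/zoho-byok"},
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    }
  ]
}"""

# The two operations the BYOK integration actually calls (TrentService.Encrypt / Decrypt).
REQUIRED_ACTIONS = {"kms:Encrypt", "kms:Decrypt"}


def _as_list(value):
    """IAM allows a single string where a list is expected; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and '*' is a wildcard (e.g. kms:ReEncrypt*)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy: dict, principal_arn: str) -> set:
    """Collect the Action patterns of every Allow statement naming principal_arn (or everyone)."""
    granted = set()
    for statement in _as_list(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        principal = statement.get("Principal", {})
        aws_principals = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        if principal_arn in aws_principals or "*" in aws_principals:
            granted.update(_as_list(statement.get("Action", [])))
    return granted


def check_key_user(policy_json: str, principal_arn: str) -> dict:
    """Step 14 check: are kms:Encrypt and kms:Decrypt granted to the key user, and nothing far broader?"""
    granted = allowed_actions(json.loads(policy_json), principal_arn)
    missing = {a for a in REQUIRED_ACTIONS if not any(_action_matches(p, a) for p in granted)}
    # A key user holding kms:* (or *) could also schedule key deletion or rewrite this policy.
    overbroad = {p for p in granted if p in ("*", "kms:*")}
    return {"granted": granted, "missing": missing, "overbroad": overbroad}


if __name__ == "__main__":
    print(check_key_user(SAMPLE_KEY_POLICY, "arn:aws:iam::111122223333:user/zoho-byok"))
```

Run it with the key policy JSON copied from the console and the ARN of the IAM user from step 4; an empty missing set and an empty overbroad set is the result you want before clicking Next. The check only reads Allow statements and ignores Deny statements and Condition blocks, so treat it as a sanity check rather than a full policy evaluation.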


After completing the above steps you will have collected the details below, which are needed to integrate AWS KMS with Zoho.


Key provider details required for BYOK integration in Zoho One:

  1. Domain
    kms.<region>.amazonaws.com, where <region> is the region in which the key was created
    eg. kms.ap-south-1.amazonaws.com
  2. ClientId
    The "Access key ID" from the .csv file downloaded in step 6.
  3. ClientSecret
    The "Secret access key" from the .csv file downloaded in step 6.
  4. KeyId
    The Key ID you copied in step 16.


REST APIs used for integration:

Both calls are POST requests to https://kms.<region>.amazonaws.com/ with Content-Type application/x-amz-json-1.1; the API target below is sent in the X-Amz-Target header.

Encrypt:
API Target: TrentService.Encrypt
Decrypt:
API Target: TrentService.Decrypt

Notes
Requests are authenticated using AWS Signature Version 4, signed with the ClientId (access key ID) and ClientSecret (secret access key) for the kms service in the key's region.
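The following Python is an added example, not code from Zoho or AWS, showing what the integration's requests look like on the wire: it builds a SigV4-signed KMS Encrypt or Decrypt request from only the four details collected above, with the API target in the X-Amz-Target header, and can be used to smoke-test the credentials and key before handing them to Zoho. The credentials, key ID and plaintext are constructed placeholders; the send() helper needs network access and real credentials and is the one part not exercised offline.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json
import urllib.request

# Constructed placeholders (not real credentials): substitute the Domain,
# ClientId, ClientSecret and KeyId collected in the steps above.
DOMAIN = "kms.ap-south-1.amazonaws.com"
CLIENT_ID = "AKIAIOSFODNN7EXAMPLE"
CLIENT_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
SERVICE = "kms"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def region_from_domain(domain: str) -> str:
    """Extract <region> from kms.<region>.amazonaws.com; the region is part of the signing scope."""
    parts = domain.split(".")
    if len(parts) != 4 or parts[0] != "kms" or parts[2:] != ["amazonaws", "com"]:
        raise ValueError(f"unexpected KMS domain: {domain}")
    return parts[1]


def sigv4_kms_request(target: str, payload: dict, *, domain: str = DOMAIN,
                      access_key: str = CLIENT_ID, secret_key: str = CLIENT_SECRET,
                      amz_date=None) -> dict:
    """Build a SigV4-signed KMS JSON request: POST / with the API target in X-Amz-Target."""
    region = region_from_domain(domain)
    if amz_date is None:
        amz_date = dt.datetime.now(dt.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]

    body = json.dumps(payload).encode("utf-8")
    headers = {  # every header here is covered by the signature
        "content-type": "application/x-amz-json-1.1",
        "host": domain,
        "x-amz-date": amz_date,
        "x-amz-target": target,
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    # Canonical request: method, URI, query string (empty), headers, signed header list, payload hash.
    canonical_request = "\n".join(["POST", "/", "", canonical_headers, signed_headers, _sha256_hex(body)])

    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])

    # Signing key derivation: HMAC chain over date, region, service and the literal "aws4_request".
    k_signing = ("AWS4" + secret_key).encode("utf-8")
    for part in (date_stamp, region, SERVICE, "aws4_request"):
        k_signing = _hmac(k_signing, part)
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"url": f"https://{domain}/", "headers": headers, "body": body}


def encrypt_request(plaintext: bytes, key_id: str = KEY_ID, **kw) -> dict:
    """TrentService.Encrypt: KMS expects the plaintext base64-encoded in the JSON body."""
    payload = {"KeyId": key_id, "Plaintext": base64.b64encode(plaintext).decode("ascii")}
    return sigv4_kms_request("TrentService.Encrypt", payload, **kw)


def decrypt_request(ciphertext_blob: bytes, key_id: str = KEY_ID, **kw) -> dict:
    """TrentService.Decrypt: KeyId is optional for symmetric keys, but pinning it makes KMS
    refuse ciphertext that was produced under some other key."""
    payload = {"KeyId": key_id, "CiphertextBlob": base64.b64encode(ciphertext_blob).decode("ascii")}
    return sigv4_kms_request("TrentService.Decrypt", payload, **kw)


def send(req: dict) -> dict:
    """Deliver a prepared request (needs network access and real credentials)."""
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    with urllib.request.urlopen(r, timeout=10) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    req = encrypt_request(b"byok smoke test")
    print(req["headers"]["authorization"])
```

A successful Encrypt response is JSON containing a base64 CiphertextBlob and the full ARN of the key that was used; feeding that blob back through decrypt_request() and send() should return the original Plaintext, which confirms that the ClientId/ClientSecret pair has both permissions from step 14 on exactly that key. An AccessDeniedException at either step points at the key policy rather than at the credentials.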