
About AWS Key Management Service (KMS)

The AWS Key Management Service connector reads key metadata, aliases, key policies, grants, tags, and rotation status so that controls can show how keys are governed. Iru assumes a role in your account with sts:AssumeRole, and the trust policy requires an external ID. The inline policy recommended below grants only those read operations; it deliberately omits kms:Decrypt and every other cryptographic operation, so the connector handles metadata only.

How it works

Do not attach the AWSKeyManagementServicePowerUser managed policy for this use case: it bundles write-capable actions the connector does not need. Use the explicit inline JSON from the wizard or the template below.

Detail          Value
Category        Security / cryptography
Authentication  Cross-account IAM role

References: KMS developer guide, IAM policies for KMS.

Prerequisites

  • IAM permissions in your AWS account to create roles and attach inline policies.
  • The connector values shown in the Iru wizard: the Iru principal ARN and your external ID.

Connect AWS KMS to Iru

Copy the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on AWS KMS

Find the AWS KMS card (filter by Category, or search by name or description) and turn on its toggle. Leave the wizard tab open; you will return to it with the role ARN.
3

Copy the trust policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1

Start Create role

Open IAM > Roles > Create role.
2

Configure trusted entity

Choose AWS account, then Another AWS account. Enter 753695775620 (unless your wizard lists a different account ID). Select Require external ID and paste the external ID from Iru; this produces the sts:ExternalId condition shown in the trust policy above.
3

Skip broad managed policies

Advance without attaching AWSKeyManagementServicePowerUser or other broad KMS write-capable policies.
4

Attach the metadata-only inline policy

Add this inline policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListKeys",
        "kms:ListAliases",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListGrants",
        "kms:ListKeyPolicies",
        "kms:ListResourceTags"
      ],
      "Resource": "*"
    }
  ]
}
This policy grants no kms:Decrypt, kms:Encrypt, kms:GenerateDataKey, or any other cryptographic operation, so Iru cannot use your keys to process ciphertext or plaintext. Resource is "*" because kms:ListKeys and kms:ListAliases are not key-scoped; the remaining actions are read-only.
5

Name the role and copy the ARN

Name the role, create it, and copy the Role ARN.
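The same role creation as a script, added here as an example and not Iru's own tooling. It builds the trust policy and inline policy shown above, lints both (exactly one statement trusting IruConnect with a non-placeholder sts:ExternalId; only explicit List/Describe/Get KMS actions, no wildcards, no kms:Decrypt) and only then creates the role with boto3 and prints the ARN for the wizard. The role name IruKmsAudit, the inline policy name IruKmsMetadataOnly and the external ID are placeholders for your own values; boto3 with valid credentials is assumed for the real run, while the lint functions run without it.

```python
"""Build, lint and create the metadata-only KMS audit role described on this page.

Added example, not Iru's own tooling. IRU_PRINCIPAL and both policy documents are the ones
shown above; ROLE_NAME, POLICY_NAME and the external ID are placeholders for your own values.
"""
import json
import re

IRU_PRINCIPAL = "arn:aws:iam::753695775620:role/IruConnect"  # principal from the wizard
ROLE_NAME = "IruKmsAudit"            # assumed name, choose your own
POLICY_NAME = "IruKmsMetadataOnly"   # assumed inline policy name

# The read-only actions from the inline policy above, in the same order.
READ_ONLY_ACTIONS = [
    "kms:ListKeys", "kms:ListAliases", "kms:DescribeKey", "kms:GetKeyPolicy",
    "kms:GetKeyRotationStatus", "kms:ListGrants", "kms:ListKeyPolicies", "kms:ListResourceTags",
]
# Accept only explicit List/Describe/Get actions: no wildcards, no data-plane calls such as kms:Decrypt.
READ_ONLY_PATTERN = re.compile(r"^kms:(List|Describe|Get)[A-Za-z]+$")


def trust_policy(external_id):
    """Only IruConnect may assume the role, and only when it presents this external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": IRU_PRINCIPAL},
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        "Action": "sts:AssumeRole",
    }]}


def inline_policy():
    """Metadata-only permissions. Resource must be "*" because ListKeys and ListAliases are not key-scoped."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": READ_ONLY_ACTIONS, "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, expected_principal=IRU_PRINCIPAL):
    """Return the list of problems; empty means the trust policy matches what this page requires."""
    problems = []
    stmts = _as_list(doc.get("Statement", []))
    if len(stmts) != 1:
        problems.append("trust policy should contain exactly one statement")
    for s in stmts:
        if s.get("Effect") != "Allow" or _as_list(s.get("Action")) != ["sts:AssumeRole"]:
            problems.append("statement must Allow exactly sts:AssumeRole")
        principal = s.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if _as_list(aws) != [expected_principal]:
            problems.append("Principal must be exactly the Iru connector role, not a wildcard or account root")
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext or ext == "YOUR_EXTERNAL_ID":
            problems.append("sts:ExternalId condition is missing or still the placeholder")
    return problems


def check_inline_policy(doc):
    """Return the list of problems; any Allow of a non-read-only or wildcard KMS action is flagged."""
    problems = []
    for s in _as_list(doc.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        for action in _as_list(s.get("Action", [])):
            if not READ_ONLY_PATTERN.match(action):
                problems.append(f"{action} is not an explicit read-only KMS action")
    return problems


def create_role(external_id, role_name=ROLE_NAME, session=None):
    """Lint both documents, then create the role with boto3 and return its ARN for the Iru wizard."""
    trust, inline = trust_policy(external_id), inline_policy()
    problems = check_trust_policy(trust) + check_inline_policy(inline)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3  # imported here so the lint functions work without boto3 installed
    iam = (session or boto3).client("iam")
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust),
                           Description="Iru KMS connector: metadata-only, gated by external ID")
    iam.put_role_policy(RoleName=role_name, PolicyName=POLICY_NAME, PolicyDocument=json.dumps(inline))
    return role["Role"]["Arn"]


if __name__ == "__main__":
    import sys
    print(create_role(sys.argv[1]))  # argument: the external ID copied from the Iru wizard
```

Run it with the external ID from the wizard as its only argument and paste the printed Role ARN into Iru. A policy that slips in kms:Decrypt, kms:* or a wildcard principal fails the lint before any AWS call is made, which is the check worth keeping even if you create the role in the console.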

Submit the role ARN in Iru

1

Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2

Confirm the source is Active

Submit, then confirm that the AWS KMS source shows Active in the Sources list.

Troubleshooting

  • If a wizard window fails to open, check pop-up blocker settings for the Iru site and try again.
  • External ID mismatch: the sts:ExternalId value in the role's trust policy must match the value shown in the wizard exactly. If the wizard regenerated the ID, update the trust policy rather than creating a new role.
  • Key policies, not the IAM role alone, decide access to an individual key. A key whose policy does not delegate to the account root (the default "Enable IAM User Permissions" statement) returns AccessDeniedException on kms:DescribeKey even though the inline policy allows it; the key still appears in kms:ListKeys output. Adjust that key policy if auditors require full visibility.
  • AWS managed keys (alias/aws/...) are always listed but can be less introspectable than customer-managed keys. This is expected AWS behavior, not a connector fault.

Considerations

  • Keys are Regional: the inventory spans every Region enabled for the account.
  • Works purely off API metadata: the connector makes no decrypt calls, so no key material or ciphertext is processed through it.
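To check what the role can actually see, here is a read-only inventory that issues the same calls the inline policy permits. It is an added example, not Iru's connector code. A real run assumes boto3 and a Session whose credentials come from assuming the audit role with the external ID; you would call inventory_region once per Region returned by ec2 describe-regions (which, without AllRegions, lists only the Regions enabled for the account). FakeKms and its three keys (k-app, k-s3, k-locked) are constructed sample data so the script runs offline, and the Region name us-east-1 in the demo is likewise just a label.

```python
"""Inventory built only from the read-only KMS actions in the inline policy above, to confirm
the audit role sees what you expect. Added example, not Iru's connector code: a real run assumes
boto3 clients created from a Session that assumed the audit role with the external ID, one per
enabled Region. FakeKms at the bottom is constructed sample data so the logic runs offline."""
import json
from types import SimpleNamespace


def _guarded(call, denied, name, **kwargs):
    # Run one API call; on AccessDenied record the action name and return None instead of failing.
    try:
        return call(**kwargs)
    except Exception as exc:
        # botocore's ClientError carries the AWS error code in exc.response; FakeClientError mimics it.
        if getattr(exc, "response", {}).get("Error", {}).get("Code") != "AccessDeniedException":
            raise
        denied.append(name)
        return None


def inventory_region(kms, region):
    """One record per key. Keys are Regional, so call this once per Region enabled for the account."""
    aliases = {}
    for page in kms.get_paginator("list_aliases").paginate():
        for a in page["Aliases"]:
            if "TargetKeyId" in a:  # an alias can exist without a target key
                aliases.setdefault(a["TargetKeyId"], []).append(a["AliasName"])
    records = []
    for page in kms.get_paginator("list_keys").paginate():
        for key in page["Keys"]:
            kid, denied = key["KeyId"], []
            rec = {"region": region, "key_id": kid, "aliases": aliases.get(kid, []), "denied": denied}
            meta = _guarded(kms.describe_key, denied, "DescribeKey", KeyId=kid)
            if meta is None:
                # ListKeys returned the key but its key policy denies this role (usually no delegation to the account root)
                records.append(rec)
                continue
            md = meta["KeyMetadata"]
            rec.update(manager=md["KeyManager"], state=md["KeyState"], rotation_enabled=None)
            if md.get("KeySpec", "SYMMETRIC_DEFAULT") == "SYMMETRIC_DEFAULT":  # rotation exists only for symmetric keys
                rot = _guarded(kms.get_key_rotation_status, denied, "GetKeyRotationStatus", KeyId=kid)
                rec["rotation_enabled"] = None if rot is None else rot["KeyRotationEnabled"]
            pol = _guarded(kms.get_key_policy, denied, "GetKeyPolicy", KeyId=kid, PolicyName="default")
            rec["policy"] = json.loads(pol["Policy"]) if pol else None
            tags = _guarded(kms.list_resource_tags, denied, "ListResourceTags", KeyId=kid)
            rec["tags"] = {t["TagKey"]: t["TagValue"] for t in tags["Tags"]} if tags else None
            records.append(rec)
    return records


def summarize(records):
    """Control-style rollup: customer-managed keys without rotation, and keys the role cannot read."""
    customer = [r for r in records if r.get("manager") == "CUSTOMER"]
    return {"keys": len(records), "customer_managed": len(customer),
            "rotation_disabled": sorted(r["key_id"] for r in customer if r.get("rotation_enabled") is False),
            "unreadable": sorted(r["key_id"] for r in records if "DescribeKey" in r["denied"])}


class FakeClientError(Exception):  # constructed stand-in with the same .response shape as botocore's ClientError
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeKms:
    """Constructed sample Region, not real AWS data: a customer key with rotation off, an AWS managed
    key whose tags this role cannot read, and a customer key whose key policy denies the role entirely."""
    META = {"k-app": {"KeyManager": "CUSTOMER", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT"},
            "k-s3": {"KeyManager": "AWS", "KeyState": "Enabled", "KeySpec": "SYMMETRIC_DEFAULT"}, "k-locked": None}
    ALIASES = [{"AliasName": "alias/app-db", "TargetKeyId": "k-app"},
               {"AliasName": "alias/aws/s3", "TargetKeyId": "k-s3"}, {"AliasName": "alias/unused"}]

    def get_paginator(self, name):
        page = {"Keys": [{"KeyId": k} for k in self.META]} if name == "list_keys" else {"Aliases": self.ALIASES}
        return SimpleNamespace(paginate=lambda **_: [page])

    def _meta(self, KeyId):
        if self.META[KeyId] is None:
            raise FakeClientError("AccessDeniedException")
        return self.META[KeyId]

    def describe_key(self, KeyId):
        return {"KeyMetadata": self._meta(KeyId)}

    def get_key_rotation_status(self, KeyId):  # AWS managed keys always rotate; this customer key does not
        return {"KeyRotationEnabled": self._meta(KeyId)["KeyManager"] == "AWS"}

    def get_key_policy(self, KeyId, PolicyName):
        self._meta(KeyId)
        return {"Policy": json.dumps({"Version": "2012-10-17", "Statement": []})}

    def list_resource_tags(self, KeyId):
        if self._meta(KeyId)["KeyManager"] == "AWS":
            raise FakeClientError("AccessDeniedException")
        return {"Tags": [{"TagKey": "env", "TagValue": "prod"}]}


if __name__ == "__main__":
    print(json.dumps(summarize(inventory_region(FakeKms(), "us-east-1")), indent=2))
```

Run stand-alone it prints the rollup for the constructed Region: one customer-managed key with rotation disabled and one key the role cannot describe. On real data, any key that lands in unreadable is the key-policy case from Troubleshooting: ListKeys still returns it, but DescribeKey is denied until that key's policy is fixed, and no amount of IAM policy on the role changes that.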

See also