Configuring an Amazon Key Management Service (KMS) keystore

To configure a keystore, you can reference the encryption key that is stored in the Amazon Web Services Key Management Service (AWS KMS).

1. Open a keystore from the navigation panel by clicking Records > Security > Keystore and selecting a KMS keystore from the instance list.
2. If you have not yet defined your keys in Amazon, log in to your Amazon Web Services account, and under Identity and Access Management (IAM), create a Customer Master Key (CMK) and access key.
   • For information about how to create a Customer Master Key, see the AWS Developer Guide that describes the AWS Key Management Service.
   • The access key provides the access key ID and secret access key that you need to enter in the keystore form. For more information, see the Amazon guide Managing Access Keys for IAM Users.
   • When you create the encryption key, select the same geographic region for your key that your application is deployed in. Selecting the same geographic region gives your application the best network performance.
3. In the Access key ID field, enter the access key ID that you created in AWS KMS.
4. In the Secret access key field, enter the secret access key that you created in AWS KMS.
5. In the Customer master key ID field, enter the Amazon Resource Name (ARN) of the customer master key created in AWS KMS.
6. In the Customer data key rotation in days field, enter the number of days after which the customer data key (CDK) should rotate.
   Note: The recommended (default) value is 90 days. You can set the minimum number of days to 30 and the maximum number of days to 365.
7. Click Test connectivity to verify that all fields are filled out correctly and that Pega Platform is able to connect to AWS KMS.
8. Click Save.