Just a family sharing: some report that they succeeded by manually adjusting IAM permissions instead of creating a support case.
Thanks for your responses and sorry it took me so long to respond.
I think I have a slightly better understanding of this now. Having a "Customer managed" KMS key is important when allowing external applications (like Salesforce or third-party APIs) to work with customer profiles. Since we aren't doing that, the default AWS owned key should suffice, which should also have the needed permissions. I won't be worrying about this anymore at the present time.
If I were going to set this up, I would create a customer managed key under AWS -> KMS (charges may apply). Then I would create and attach a key policy to it that can perform at least the following:
- kms:Decrypt
- kms:GenerateDataKey
- kms:CreateGrant (Optional, if you have a different Administrator)
Finally, I'd go into AWS Connect -> Customer Profiles -> Domain details and edit the Encryption settings to use the new key.
Reference:
- https://docs.aws.amazon.com/connect/latest/adminguide/enable-customer-profiles.html
- https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html
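
The key policy step from the answer above, as an added example that is not part of the original post or AWS's own code: it builds a key policy granting only the listed actions and audits a policy document for missing actions or an unconditioned wildcard principal. The account ID, role ARN, statement IDs and function names are constructed placeholders.

```python
import json

# Actions listed in the answer; kms:CreateGrant is marked optional there.
REQUIRED = {"kms:Decrypt", "kms:GenerateDataKey"}
OPTIONAL = {"kms:CreateGrant"}

def build_key_policy(account_id, caller_arn, with_grant=True):
    """Account root keeps key administration; caller_arn gets only the listed actions."""
    actions = REQUIRED | OPTIONAL if with_grant else REQUIRED
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AccountAdmin", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "CustomerProfilesUse", "Effect": "Allow",
             "Principal": {"AWS": caller_arn},
             "Action": sorted(actions), "Resource": "*"},
        ],
    }

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_key_policy(policy, caller_arn):
    """Return (missing required actions, findings) for caller_arn."""
    granted, findings = set(), []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        actions = set(_as_list(st.get("Action", [])))
        # A wildcard principal with no Condition exposes the key to any caller.
        if "*" in aws and "Condition" not in st:
            findings.append(f"{st.get('Sid', '?')}: open to any principal")
        if caller_arn in aws or "*" in aws:
            granted |= REQUIRED if "kms:*" in actions else actions & REQUIRED
    return REQUIRED - granted, findings

if __name__ == "__main__":
    arn = "arn:aws:iam::111122223333:role/ExampleProfilesAdmin"  # constructed
    policy = build_key_policy("111122223333", arn)
    print(json.dumps(policy, indent=2))
    print(audit_key_policy(policy, arn))
```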

I think you should contact the AWS support team to request this.
I started with basic support and they couldn't help me without a paid tier. They sent me here to re:Post. One of my gripes about this change is that it required a higher level of support.