Initial Organization Setup & Account Provisioning
Establish a secure foundation for your key management environment. This guide walks through the critical path from zero to a fully provisioned KMS organization with enforced governance controls.
Step 1: Create Your Organization Profile
The organizational unit acts as the root container for all cryptographic assets. During this phase, you will define the global region and the licensing tier; the tier determines the maximum number of key partitions available.
kms-cli organization create \
  --name "Global-Finance-HQ" \
  --region "us-east-1" \
  --tier "enterprise"
[Screenshot: Organization Creation Dashboard UI]
Step 2: Initialize Root Administrator
The Root Administrator has unrestricted access. We strongly recommend hardware-backed MFA for this role. Use a team-managed mailbox for this identity to avoid continuity gaps during personnel transitions.
After entering the primary administrator details, the system prompts for security key registration. This is a non-bypassable control for enterprise tenants.
[Screenshot: MFA Setup Screen]
Best Practices
- Use FIDO2-compliant security keys for all admins.
- Establish a break-glass recovery procedure.
- Enforce 90-day key rotation on API credentials.
Avoid These
- SMS-based MFA for privileged accounts.
- Sharing generic administrator credentials.
- Using root account access for routine tasks.
Step 3: Define Global Security Policies
Security policies are JSON-based documents that govern how keys are created, accessed, and destroyed. Enterprise organizations should require quorum approval for sensitive operations.
{
  "Version": "2023-10-24",
  "Statement": {
    "Effect": "Allow",
    "Action": "kms:CreateKey",
    "Condition": {
      "Bool": { "kms:MultiFactorAuthPresent": "true" }
    }
  }
}
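To see how a policy like the one above is enforced, here is an added example (not part of this guide or of the KMS product's own code) that evaluates the MFA-conditioned policy against request contexts. It assumes default-deny, explicit Deny overriding Allow, and the "Bool" condition semantics implied by the document; the policy text is a constructed copy of the Step 3 example.

```python
import fnmatch
import json

# Constructed sample policy, mirroring the Step 3 document above:
# CreateKey is allowed only when the caller authenticated with MFA.
POLICY_JSON = """
{
  "Version": "2023-10-24",
  "Statement": {
    "Effect": "Allow",
    "Action": "kms:CreateKey",
    "Condition": { "Bool": { "kms:MultiFactorAuthPresent": "true" } }
  }
}
"""

def _as_list(value):
    # Policy fields commonly accept a single value or a list (assumption).
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # Only the "Bool" operator is modelled here (assumption). A key that is
    # absent from the request context never matches, so an unset MFA flag
    # cannot satisfy the condition and falls through to the default deny.
    for key, expected in condition.get("Bool", {}).items():
        if key not in context:
            return False
        if str(context[key]).lower() != str(expected).lower():
            return False
    return True

def evaluate(policy, action, context):
    """Return 'Allow' or 'Deny'. Default deny; an explicit Deny wins over Allow."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action patterns may carry wildcards, e.g. "kms:*" (assumption).
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

POLICY = json.loads(POLICY_JSON)

if __name__ == "__main__":
    print(evaluate(POLICY, "kms:CreateKey", {"kms:MultiFactorAuthPresent": "true"}))
    print(evaluate(POLICY, "kms:CreateKey", {"kms:MultiFactorAuthPresent": "false"}))
    print(evaluate(POLICY, "kms:CreateKey", {}))
```

The third call shows the case practitioners most often get wrong: a request that carries no MFA attribute at all is denied, not silently allowed.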