AWS Key Management Service Integration for Exadata Database Service on Oracle Database@AWS
Exadata Database Service on Oracle Database@AWS supports integration with AWS Key Management Service (KMS). This enhancement allows users to manage Transparent Data Encryption (TDE) master encryption keys (MEKs) using AWS customer managed keys.
For Exadata Database Service on Oracle Database@AWS TDE MEKs can be stored in a file-based Oracle Wallet, Oracle Cloud Infrastructure (OCI) Vault, Oracle Key Vault (OKV), or AWS KMS, providing options to align with organization-specific security policies. Integration with AWS KMS enables applications, AWS services, and databases on Exadata VM Clusters to leverage a single centralized key management solution.
- Prerequisites
  Before using AWS KMS as the key management solution for your databases, you must complete the following steps.
- Using the Console to Manage AWS KMS Integration for Exadata Database Service on Oracle Database@AWS
  Learn how to manage AWS KMS integration for Exadata Database Service on Oracle Database@AWS.
- Using the API to Manage AWS KMS Integration for Exadata Database Service on Oracle Database@AWS
Parent topic: How-to Guides
Prerequisites
Before using AWS KMS as the key management solution for your databases, you must complete the following steps.
Configure OCI Identity Domain
OCI Identity domain is automatically configured during the Oracle Database@AWS onboarding process, and no action is required. Complete the following steps only for accounts that were linked before the general availability of AWS KMS integration (November 18, 2025).
Configure an OCI identity domain to enable AWS integration for your Exadata VM Clusters. It allows you to associate an AWS Identity and Access Management (IAM) service role with AWS integrations.
- From the AWS console, select Oracle Database@AWS, and then select Settings.
- Select the Configure button to configure your OCI identity domain.
- Once it is complete, you can review the Status, OCI identity domain ID and OCI identity domain URL information from the Settings page.
Parent topic: Prerequisites
Create or Use an Existing ODB Network
- If you do not have an existing ODB Network, you can provision one by following the ODB Network step-by-step instructions. If you have an existing ODB Network, you can modify it by selecting the Modify button; follow Modify an ODB Network for step-by-step instructions.
- From the Configure service integrations section,
- Select the Security Token Service (STS) option to set up the networking for AWS KMS and AWS STS access from the database.
- Select the AWS KMS checkbox to enable AWS KMS to use KMS keys in your authentication policies.
Parent topic: Prerequisites
OCI IAM Policy Requirements
Allow any-user to read oracle-db-aws-keys in compartment id <your-compartment-OCID> where all { request.principal.type = 'cloudvmcluster' }

This policy allows Oracle-managed Cloud VM Clusters to read the oracle-db-aws-keys resource in your compartment. It grants the necessary permissions for the VM cluster (the principal of type cloudvmcluster) to access the AWS key metadata required for integrating with external key management or performing cross-cloud operations. Without this policy, the VM cluster would not be able to retrieve the keys needed to complete the configuration.
Parent topic: Prerequisites
Create an Exadata VM Cluster
Exadata VM Cluster creation is only available through the AWS Console and AWS CLI. For more information, see Exadata VM Cluster.
Parent topic: Prerequisites
Configure Identity Provider
Create a stack for each cluster. Use the following steps to create a CloudFormation stack. This needs to be performed for each Exadata VM cluster.
When your CloudFormation stack creates an OIDC (OpenID Connect) Provider, it establishes a trust relationship so that an external identity source (like OCI) can authenticate to AWS. The associated IAM Role defines what that trusted identity is allowed to do.
- Select your existing Exadata VM Cluster from the list to open its details page in the AWS Management Console.
Note
If you do not have an existing Exadata VM Cluster, you can provision one by following the Exadata VM Cluster step-by-step instructions.
- Select the IAM service roles tab and then click the CloudFormation link.
- From the Quick create stack page, review the pre-filled information.
- Under the Parameters section, parameters are defined in your template and allow you to enter custom values when you create or update a stack.
- Review your pre-filled OCIIdentityDomainUrl information.
- The OIDCProviderArn field is optional. When you create the CloudFormation stack for the first time, it creates an OIDC Provider and an associated IAM Role. If you are executing the stack for the first time, you do not need to provide a value for the OIDCProviderArn field.
- For any additional execution time, you must provide the ARN of the existing OIDC Provider and specify it in the OIDCProviderArn field. To obtain your OIDCProviderArn information, complete the following steps:
- From the AWS console, navigate to IAM, and then select Identity providers.
- From the Identity providers list, you can filter your provider selecting Type as OpenID Connect.
- Select the Provider link that was created when the CloudFormation stack was initially created.
- From the Summary page, copy the ARN information.
- Paste the ARN information into the OIDCProviderArn field.
- From the Permissions section, select IAM role name from the drop-down list, and then select the IAM role for CloudFormation to use for all operations performed on the stack.
- Select the Create stack button to apply the changes.
- After the CloudFormation stack deployment is complete, navigate to the Resources section of the stack and verify the created IdP and IAM Role resources. Copy the IAM Role ARN for future use.
Parent topic: Prerequisites
Associate an IAM Role to an Exadata VM Cluster
You must attach an IAM role that you created previously to the Exadata VM Cluster to assign an identity connector that enables access to AWS resources.
- From the AWS console, select Oracle Database@AWS.
- From the left menu, select Exadata VM clusters, and then select your Exadata VM Cluster from the list.
- Select the IAM roles tab, and then select the Associate button.
- The AWS integration field is read-only.
- Enter the Amazon Resource Name (ARN) of the IAM role you want to associate with the VM cluster in the Role ARN field. You can obtain the ARN information from the Summary section of the role that you previously created.
- Select the Associate button to attach the role.
Note
Once you associate an IAM role to your VM cluster, an identity connector gets attached to your Exadata VM Cluster.
Once you complete the prerequisites section, continue with the following actions:
- From the AWS Console, create a customer-managed key in AWS KMS.
- From the OCI Console, enable Exadata VM Cluster(s) and databases to use the AWS KMS key created in step 1.
Parent topic: Prerequisites
Create a Key
- From the AWS console, select Key Management Service (KMS).
- From the left menu, select Customer managed keys, and then select the Create key button.
- In the Configure key section, enter the following information.
- Choose the Symmetric option as the Key type.
- Choose the Encrypt and decrypt option as the Key usage.
- Expand the Advanced options section. Both AWS KMS and AWS CloudHSM are supported.
- If you want to use KMS standard key store, choose the KMS - recommended option as Key material origin, and then choose either the Single-Region key option or the Multi-Region key option from the Regionality section.
Note
Cross-region Data Guard and restoring databases to a different region are currently not supported for databases that use AWS customer-managed keys for key management.
- If you want to use AWS CloudHSM , choose the AWS CloudHSM key store option as Key material origin.
- Select the Next button to continue the creation process.
- In the Add labels section, enter the following information.
- Enter a descriptive display name in the Alias field. Maximum 256 characters. Use alphanumeric and '_-/' characters.
Note
- The alias name cannot begin with aws/. The aws/ prefix is reserved by AWS to represent AWS managed keys in your account.
- An alias is a display name that you can use to identify the KMS key. We recommend that you choose an alias that indicates the type of data you plan to protect or the application you plan to use with the KMS key.
- Aliases are required when you create a KMS key in the AWS console.
- The Description field is optional.
- The Tags section is optional. You can use tags to categorize and identify your KMS keys and help you track your AWS costs.
- Select the Next button to continue the creation process or the Previous button to return to the previous page.
- In the Define key administrative permissions section, complete the following substeps.
- Search the role that you previously created, and then select the checkbox. Select the IAM users and roles that can administer the KMS key.
Note
This key policy gives the AWS account full control of this KMS key. It allows account administrators to use IAM policies to give other principals permission to manage the KMS key.
- From the Key deletion section, the Allow key administrators to delete this key checkbox is selected by default. To prevent the selected IAM users and roles from deleting the KMS key, you can deselect the checkbox.
- Select the Next button to continue the creation process or the Previous button to return to the previous page.
- In the Define key usage permissions section, complete the following substeps.
- Search the role that you previously created, and then select the check box.
- Select the Next button to continue the creation process or the Previous button to return to the previous page.
- In the Edit key policy section, complete the following substeps.
- From the Preview section, you can review the key policy. If you want to make a change, select the Edit tab.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "KMSKeyMetadata",
      "Effect": "Allow",
      "Principal": { "AWS": "<arn>" },
      "Action": [ "kms:DescribeKey" ],
      "Resource": "*"
    },
    {
      "Sid": "KeyUsage",
      "Effect": "Allow",
      "Principal": { "AWS": "<arn>" },
      "Action": [ "kms:Encrypt", "kms:Decrypt" ],
      "Resource": "*"
    }
  ]
}
- Select the Next button to continue the creation process or the Previous button to return to the previous page.
- In the Review section, review your information and then select the Finish button.
For more information, see Create a symmetric encryption KMS key.
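The console enforces the alias rules from the Add labels step interactively; when keys are created from automation instead, it helps to pre-check candidate names before calling the API. The following validator is an added example (not Oracle's or AWS's code) that encodes exactly the rules stated above: non-empty, at most 256 characters, only alphanumeric plus '_', '-' and '/', and not starting with the reserved aws/ prefix. The sample aliases are constructed.

```python
import re

# Constraints as stated for the console Alias field.
ALIAS_MAX_LEN = 256
_ALIAS_CHARS = re.compile(r"^[A-Za-z0-9_/-]+$")
_RESERVED_PREFIX = "aws/"  # reserved for AWS managed keys in the account


def validate_alias(alias: str) -> list:
    """Return the list of rule violations for a KMS alias (empty list = acceptable)."""
    problems = []
    if not alias:
        return ["alias is empty"]
    if len(alias) > ALIAS_MAX_LEN:
        problems.append(
            f"alias is {len(alias)} characters; maximum is {ALIAS_MAX_LEN}")
    if not _ALIAS_CHARS.match(alias):
        problems.append("alias contains characters outside alphanumeric and '_-/'")
    if alias.startswith(_RESERVED_PREFIX):
        problems.append(
            f"alias must not begin with '{_RESERVED_PREFIX}' (reserved for AWS managed keys)")
    return problems


def is_valid_alias(alias: str) -> bool:
    """Convenience wrapper for use in scripts and CI checks."""
    return validate_alias(alias) == []


if __name__ == "__main__":
    # Constructed sample names, not aliases from any real account.
    for candidate in ["exadata/tde-prod_01", "aws/exadata-tde", "tde key", "a" * 300]:
        print(f"{candidate[:40]!r}: {validate_alias(candidate) or 'ok'}")
```

When the alias is later passed to the KMS API or CLI (for example `aws kms create-alias`) rather than typed into the console, it must carry the `alias/` prefix that the console adds for you; the rules above apply to the part after that prefix.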
Parent topic: Prerequisites
Register AWS KMS Key
To enable AWS KMS for your Exadata VM Cluster(s), you must first register the AWS KMS key in OCI.
- From the OCI console, select Oracle AI Database, and then select Database Multicloud Integrations.
- From the left menu, select AWS Integration, and then select AWS Keys.
- Select the Register AWS keys button, and then complete the following substeps.
- From the dropdown list, select the Compartment where your Exadata VM Cluster resides.
- Under the AWS keys section, select your identity connector from the dropdown list.
Note
Ensure that the role associated with the connector has the DescribeKey permission on the key. This permission is required to successfully perform discovery.
- The Key ARN field is optional.
- Click the Discover button.
- Once the key is discovered, select the Register button to register the key in OCI.
Parent topic: Prerequisites
Using the Console to Manage AWS KMS Integration for Exadata Database Service on Oracle Database@AWS
Learn how to manage AWS KMS integration for Exadata Database Service on Oracle Database@AWS.
- Enable or Disable AWS Key Management
- Create a Database and Use AWS KMS as the Key Management Solution
- Steps to Change the Key Management of Existing Databases from Oracle Wallet to AWS KMS
- Rotate the AWS KMS Key of a Container Database (CDB)
- Rotate the AWS KMS Key of a Pluggable Database (PDB)
- (Optional) Disable a CDB or PDB Key
Enable or Disable AWS Key Management
When you enable AWS key management for your database, only AWS keys that are authorized for use with Exadata VM Cluster and registered with OCI can be used.
- From the OCI console, select Oracle AI Database and then select Oracle Exadata Database Service on Dedicated Infrastructure.
- From the left menu, select Exadata VM Clusters, and then select your Exadata VM Cluster.
- Select the VM Cluster information tab, and select the Enable button next to AWS Customer Managed Encryption Key.
Once you enable AWS Key Management for your Exadata VM Cluster, you can disable it using the Disable button. Disabling this feature will affect the availability of databases that use AWS Key Management Service for encryption and decryption operations. Ensure that no database is currently using AWS key management before disabling it at Exadata VM Cluster level.
Create a Database and Use AWS KMS as the Key Management Solution
This topic describes only the steps for creating a database and using AWS KMS as the key management solution.
For the generic database creation procedure, see To create a database in an existing VM Cluster.
Prerequisites
Refer to Prerequisites.
Steps
If AWS KMS key management is enabled at the VM cluster level, you will have two key management options: Oracle Wallet and AWS key management.
- In the Encryption section, choose AWS key management.
- Select the encryption Key available in your compartment.
Note
- Only registered keys are listed.
- If your desired key is not visible, it may not have been registered yet. Click Register AWS Keys to discover and register it.
For detailed instructions, refer to Register AWS KMS Key.
- You can select a key alias from the drop-down list. If no key alias is available, the drop-down list will display the key ID.
Steps to Change the Key Management of Existing Databases from Oracle Wallet to AWS KMS
If you want to change the key management of your existing databases in the Exadata VM Cluster from Oracle Wallet to AWS KMS, complete the following steps.
- From your Exadata VM Clusters, navigate to Databases tab, and then select the database that you are using.
- From the Encryption section, confirm that Key management is set to Oracle Wallet, and then select the Change link.
- From the Change key management page, enter the following information.
- Select your Key management as AWS key management from the dropdown list.
- Select the key compartment you are using, and then select the desired key from the dropdown list.
- Select the Save changes button.
Rotate the AWS KMS Key of a Container Database (CDB)
To rotate the AWS KMS Key of a container database (CDB), use this procedure.
- Open the navigation menu. Click Oracle AI Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
A list of VM Clusters is displayed for the chosen Compartment.
- In the list of VM Clusters, click the name of the VM cluster that contains the database whose encryption keys you want to rotate.
- Click Databases.
- Click the name of the database whose encryption keys you want to rotate.
The Database Details page displays information about the selected database.
- In the Encryption section, verify that the Key Management is set to AWS key management, and then click the Rotate link.
- On the resulting Rotate Key dialog, click Rotate to confirm the action.
Note
Rotating the AWS KMS key generates a new encryption context for the same key.
Rotate the AWS KMS Key of a Pluggable Database (PDB)
To rotate the AWS KMS Key of a pluggable database (PDB), use this procedure.
- Open the navigation menu. Click Oracle AI Database, then click Oracle Exadata Database Service on Dedicated Infrastructure.
- Choose your Compartment.
A list of VM Clusters is displayed for the chosen Compartment.
- In the list of VM clusters, click the name of the VM cluster that contains the PDB whose encryption keys you want to rotate to display its details page.
- Under Databases, find the database containing the PDB whose encryption keys you want to rotate.
- Click the name of the database to view the Database Details page.
- Click Pluggable Databases in the Resources section of the page.
A list of existing PDBs in this database is displayed.
- Click the name of the PDB whose encryption keys you want to rotate.
The pluggable details page is displayed.
- The Encryption section shows that Key management is set to AWS key management.
- Click the Rotate link.
- On the resulting Rotate Key dialog, click Rotate to confirm the action.
Note
Rotating the AWS KMS key generates a new encryption context for the same key.
(Optional) Disable a CDB or PDB Key
Optionally, complete the following steps to disable a specific CDB or PDB key.
- Navigate to the AWS console, select Key Management Service (KMS).
- From the left menu, select Customer managed keys, and then select the Key ID of the key that you want to edit.
- Select the Edit policy button.
- Run the following query to obtain the EncryptionContext MKID of the key.
  Use the following command to view the current master key IDs (MKIDs) for enabling or disabling operations:
  dbaascli tde getHSMKeys --dbname <DB-Name>
  You can also run the following SQL query to list all key versions:
  SELECT key_id, con_id, creation_time, key_use FROM v$encryption_keys;
- Add a deny policy using the retrieved EncryptionContext MKID as shown below:
  {
    "Effect": "Deny",
    "Principal": "*",
    "Action": [ "kms:Encrypt", "kms:Decrypt" ],
    "Resource": "arn:aws:kms:us-east-1:867344470629:key/7139075d-a006-4302-92d5-48ecca31d48e",
    "Condition": {
      "StringEquals": {
        "kms:EncryptionContext:MKID": "ORACLE.TDE.HSM.MK.06AE5EFB528D9D4F21BFEDA63C6C8738D9"
      }
    }
  }
- Choose Save changes to apply the policy update.
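The key policy previewed in the Create a Key step and the Deny statement added here interact through ordinary IAM evaluation: an explicit Deny that matches the request's EncryptionContext wins over the role's Allow, while other MKIDs on the same key and the DescribeKey call needed for discovery are unaffected. The following is an added example (not Oracle's, AWS's, or the console's code) that builds both policy shapes and runs a deliberately simplified evaluator over them so the effect of a disable statement can be checked before it is saved. The role ARN, key ARN and MKID values are constructed placeholders, and the evaluator models only the statement forms used on this page (no NotPrincipal, action wildcards, or non-EncryptionContext conditions).

```python
import json

# Constructed placeholders, not identifiers from any real account.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExadataAwsIntegrationRole"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
MKID_A = "ORACLE.TDE.HSM.MK.AAAA000000000000000000000000000000"
MKID_B = "ORACLE.TDE.HSM.MK.BBBB000000000000000000000000000000"


def usage_policy(principal_arn):
    """Key policy with the two statements shown in the console preview:
    DescribeKey for discovery and Encrypt/Decrypt for TDE operations."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KMSKeyMetadata", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": ["kms:DescribeKey"], "Resource": "*"},
            {"Sid": "KeyUsage", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": ["kms:Encrypt", "kms:Decrypt"], "Resource": "*"},
        ],
    }


def deny_mkid_statement(key_arn, mkid):
    """Deny statement that blocks Encrypt/Decrypt for one TDE master key ID,
    selected through the kms:EncryptionContext:MKID condition key."""
    return {
        "Sid": "DenyMKID" + mkid[-8:],
        "Effect": "Deny", "Principal": "*",
        "Action": ["kms:Encrypt", "kms:Decrypt"],
        "Resource": key_arn,
        "Condition": {"StringEquals": {"kms:EncryptionContext:MKID": mkid}},
    }


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws or principal_arn in aws
    return False


def _condition_matches(stmt, context):
    prefix = "kms:EncryptionContext:"
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if not key.startswith(prefix):
            return False  # only EncryptionContext conditions are modelled here
        if context.get(key[len(prefix):]) != expected:
            return False
    return True


def evaluate(policy, principal_arn, action, key_arn, context):
    """Simplified IAM-style decision: explicit deny wins, then any matching
    allow, otherwise implicit deny. Returns 'deny', 'allow' or 'implicit-deny'."""
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions or stmt["Resource"] not in ("*", key_arn):
            continue
        if not _principal_matches(stmt, principal_arn) or not _condition_matches(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def can_discover(policy, principal_arn, key_arn):
    """The Register AWS Keys step needs DescribeKey on the key; check it up front."""
    return evaluate(policy, principal_arn, "kms:DescribeKey", key_arn, {}) == "allow"


if __name__ == "__main__":
    policy = usage_policy(ROLE_ARN)
    policy["Statement"].append(deny_mkid_statement(KEY_ARN, MKID_A))
    print(json.dumps(policy, indent=2))
    for mkid in (MKID_A, MKID_B):
        print(mkid[-8:], evaluate(policy, ROLE_ARN, "kms:Decrypt", KEY_ARN, {"MKID": mkid}))
    print("discovery still allowed:", can_discover(policy, ROLE_ARN, KEY_ARN))
```

Running the script shows the disabled MKID evaluating to deny while the other MKID and DescribeKey remain allowed, which is the behaviour to confirm before saving a Deny statement against a key that several CDBs or PDBs share.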
Using the API to Manage AWS KMS Integration for Exadata Database Service on Oracle Database@AWS
For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.
The following resources will be made available to customers through OCI SDK, CLI, and Terraform. These APIs will be used by customers who wish to integrate Oracle Database on Exadata with AWS KMS.
OracleDbAwsIdentityConnector
Table 5-14 OracleDbAwsIdentityConnector
| API | Description |
|---|---|
| ListOracleDbAwsIdentityConnectors | Lists all AWS Identity Connector resources based on the specified filters. |
| GetOracleDbAwsIdentityConnector | Retrieves detailed information about a specific AWS Identity Connector resource. |
| CreateOracleDbAwsIdentityConnector | Creates a new AWS Identity Connector resource for the specified ExaDB-D VM Cluster. |
| UpdateOracleDbAwsIdentityConnector | Updates the configuration details of an existing AWS Identity Connector resource. |
| ChangeOracleDbAwsIdentityConnectorCompartment | Moves the AWS Identity Connector resource to a different compartment. |
| DeleteOracleDbAwsIdentityConnector | Deletes the specified AWS Identity Connector resource. |
| RefreshOracleDbAwsIdentityConnector | Refreshes the configuration details of the specified AWS Identity Connector resource. |
OracleDbAwsKey
Table 5-15 OracleDbAwsKey
| API | Description |
|---|---|
| ListOracleDbAwsKeys | Lists all AWS Key resources based on the specified filters. |
| CreateOracleDbAwsKey | Creates a new AWS Key resource. |
| ChangeOracleDbAwsKeyCompartment | Moves the AWS Key resource to a different compartment. |
| GetOracleDbAwsKey | Retrieves detailed information about a specific AWS Key resource. |
| UpdateOracleDbAwsKey | Updates the configuration details of an existing AWS Key resource. |
| DeleteOracleDbAwsKey | Deletes the specified AWS Key resource. |
| RefreshOracleDbAwsKey | Refreshes the configuration details of an AWS Key resource. |