Introduction to AWS Key Management Service
This lab provides a basic understanding and hands-on experience of AWS Key Management Service. It will demonstrate the basic steps required to get started with Key Management Service, creating keys, assigning management and usage permissions for the keys, encrypting data and monitoring the access and usage of keys. For the lab to function as written, please DO NOT change the auto assigned region.
© 2020 Amazon Web Services, Inc. and its affiliates. All rights reserved. This work may not be reproduced or redistributed, in whole or in part, without prior written permission from Amazon Web Services, Inc. Commercial copying, lending, or selling is prohibited.
Errors or corrections? Email us at firstname.lastname@example.org.
Other questions? Contact us at https://aws.amazon.com/contact-us/aws-training/
This self-paced lab gives you a basic understanding of the AWS Key Management Service. It demonstrates the basic steps required to get started with Key Management Service: creating keys, assigning management and usage permissions for the keys, encrypting data, and monitoring the access and usage of keys.
By the end of this lab you will be able to:
- Create an Encryption Key
- Create an S3 bucket with CloudTrail logging functions
- Encrypt data stored in an S3 bucket using an encryption key
- Monitor encryption key usage using CloudTrail
- Manage encryption keys for users and roles
Some familiarity with access control management.
It is strongly recommended to complete this lab using the Google Chrome web browser. If you cannot use Google Chrome then you will need to have a utility on your computer that can open gzip compressed files (*.gz).
AWS Key Management Service (KMS)
AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect the data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. CloudTrail provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services. This event history simplifies security analysis, resource change tracking, and troubleshooting.
Companies today need the ability to simply and securely collect, store, and analyze their data at a massive scale. Amazon S3 is object storage built to store and retrieve any amount of data from anywhere – web sites and mobile apps, corporate applications, and data from IoT sensors or devices. It is designed to deliver 99.999999999% durability, and stores data for millions of applications used by market leaders in every industry. S3 provides comprehensive security and compliance capabilities that meet even the most stringent regulatory requirements. It gives customers flexibility in the way they manage data for cost optimization, access control, and compliance. S3 is the only cloud storage solution with query-in-place functionality, allowing you to run powerful analytics directly on your data at rest in S3. And Amazon S3 is the most supported storage platform available, with the largest ecosystem of ISV solutions and systems integrator partners.
Task 1: Create Your KMS Master Key
In this task you will create a KMS master key. A KMS master key enables you to easily encrypt your data across AWS services and within your own applications.
In the AWS Management Console, on the Services menu, click Key Management Service.
Click Create a key then configure:
- On the Configure key page, select Symmetric
- Click Next
- On the Add labels page configure:
- Click Next
It is a good practice to describe what services the encryption key will be associated with in the description.
- On the Define key administrative permissions page, select the user or role you're signed into the Console with.
This user is displayed at the top of the page, to the left of the region.
- Click Next
Key Administrators are users or roles that will manage access to the encryption key.
On the Define key usage permissions page, select the user or role you're signed into the Console with.
Key Users are the users or roles that will use the key to encrypt and decrypt data.
- On the Review and edit key policy page:
- Review the key policy
- Click Finish
- Copy the Key ID for myFirstKey to a text editor.
You will use the Key ID later when looking at the log activity for this KMS key.
Task 2: Configure CloudTrail to Store Logs In An S3 Bucket
In this task you will configure CloudTrail to store log files in a new S3 bucket.
On the Services menu, click CloudTrail.
If you see the Get Started Now button, click it. If not, continue to the next step.
In the navigation pane on the left, click Trails.
In the Trails section, click Create trail then configure:
- Trail name:
- Apply trail to all regions: No
- Create a new S3 bucket: Yes
- S3 bucket*:
- Replace NUMBER with a random number
- Click Create
Task 3: Upload an Image to Your S3 Bucket And Encrypt It
In this task, you will upload an image file to your S3 bucket and encrypt it using the encryption key you created earlier. You'll use the S3 bucket you created in the previous task to store the image file.
On the Services menu, click S3.
This will bring you to the Select files dialog box.
- At (1) Select files:
- Click Add files
- Browse to and select an image file on your computer
- Click Next
This will bring you to the (2) Set permissions dialog box.
- At (2) Set permissions, click Next
This will bring you to the (3) Set properties dialog box.
- At (3) Set properties, configure:
- Encryption: AWS KMS master-key
- Select a key: myFirstKey
- Click Next
This will bring you to the Review dialog box.
- At (4) Review, click Upload
The image file will be uploaded.
Click on the name of the image file.
In the Overview tab for the file, record the Last modified time to your text editor.
Task 4: Access The Encrypted Image
In this task, you will try to access the encrypted image through both the AWS Management Console and the S3 link.
- In the Overview tab, click Open
The image opens in a new tab/window.
Amazon S3 and AWS KMS perform the following actions when you request that your data be decrypted.
- Amazon S3 sends the encrypted data key to AWS KMS
- AWS KMS decrypts the key by using the appropriate master key and sends the plaintext key back to Amazon S3
- Amazon S3 decrypts the ciphertext and removes the plaintext data key from memory as soon as possible
Close the window/tab that shows your image.
Copy the S3 Object URL at the bottom of the page to your text editor.
Paste the S3 Object URL that you copied earlier into a new browser/window.
What does the page show?
It should show Access Denied. This is because, by default, public access is not allowed.
In the S3 Management Console, on the Overview tab for your image, click Make public
Refresh the screen for the new tab/window that you opened earlier.
What do you see?
Because the image is encrypted, you are not able to view it using the public link. You should see a message saying Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
If you are uploading or accessing objects encrypted by SSE-KMS, you need to use AWS Signature Version 4 for added security. Signature Version 4 is the process to add authentication information to AWS requests. When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself. For more information on this process, read this blog post.
- Close the new tab/window.
Task 5: Monitor KMS Activity Using CloudTrail Logs
In this task, you will access your CloudTrail log files and view logs related to your encryption operations.
In the AWS Management Console, click the Amazon S3 link to return to the S3 root.
Click the mycloudtrailbucket*.
Drill-down through the AWSLogs folders till you get to a folder that contains log file(s).
The path should look similar to: Amazon S3 > AWSLogs > 197167081626 > CloudTrail > us-west-2 > 2019 > 07 > 10
If you don't see any log files, click the refresh button every few seconds till you see a log file.
The log files will have an extension of *.json.gz
Do you see a log file whose Last modified date is later than the time stamp for the image file you uploaded?________
If there isn't a log file whose Last modified date is later than the time stamp for the uploaded image file, continue to click the refresh button every few seconds till there is.
It can take up to 5 minutes to see a log file that has a Last modified time stamp that is greater than the time stamp of the image file that you uploaded.
Click the latest log file in the list.
In the Overview tab, click Open.
If you see a pop-up security warning, confirm that you want to open the file. If not, continue to the next step.
Your browser security settings may simply ignore the pop-up. If you do not see any file being opened and do not see a pop-up alert, you should enable pop-ups in your browser's settings section.
If you are not using Google Chrome or Firefox, you may need to download and decompress the gz compressed file using a local utility on your own computer. Once the .gz file is decompressed you will then need to open it in a text editor.
The log file is in a JSON format and contains each API call that has been logged by CloudTrail. Depending upon the browser you are using the log file might look slightly different.
- Search for the following in your log file:
- Your encryption Key ID that you copied to your text editor
- The name of the file that you uploaded. (You should see the name of the file in the same log file that contains your encryption Key ID)
If you cannot locate the items above, wait five more minutes for the next log file to appear and open that log file. The first log file may not contain the logs that you are looking for.
This is a log file that was opened in Firefox. By default, it shows the log file in JSON format which is a very nice format to view the log file in.
In this log file you can see the following:
- A request was invoked by S3
- The eventSource is KMS
- This event generated a data key
- Effile.jpg was the name of the file that was Encrypted
- The encryption KeyID is displayed
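The same search can be scripted instead of done by eye in the browser. The following is an added example, not part of the original lab: it reads a CloudTrail log file, keeps the KMS events that reference one key, and reports which service invoked each call and which S3 object it was for. The key ID, account number and bucket name are constructed placeholders; the record fields used (`eventSource`, `eventName`, `userIdentity.invokedBy`, `resources[].ARN`, and the `aws:s3:arn` encryption context that S3 supplies for SSE-KMS) follow the CloudTrail record format.

```python
import gzip
import json

def load_records(raw: bytes) -> list:
    """Return the Records array of a CloudTrail log file (*.json.gz or plain JSON)."""
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    return json.loads(raw).get("Records", [])

def kms_events_for_key(records: list, key_id: str) -> list:
    """Summarise the KMS API calls that reference key_id."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        # The key appears as an ARN in resources and, for some calls, as keyId.
        refs = [r.get("ARN", "") for r in rec.get("resources") or []]
        refs.append(params.get("keyId") or "")
        if not any(ref.endswith(key_id) for ref in refs):
            continue
        context = params.get("encryptionContext") or {}
        hits.append({
            "time": rec.get("eventTime"),
            "event": rec.get("eventName"),
            "invoked_by": (rec.get("userIdentity") or {}).get("invokedBy"),
            "s3_object": context.get("aws:s3:arn"),  # object the data key protects
            "error": rec.get("errorCode"),           # present only when the call failed
        })
    return hits

# Constructed sample data: placeholder key ID, account number and bucket name.
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/" + KEY_ID
OBJECT_ARN = "arn:aws:s3:::mycloudtrailbucket-example/Effile.jpg"

def _kms(name, time, key_arn):
    return {"eventSource": "kms.amazonaws.com", "eventName": name, "eventTime": time,
            "userIdentity": {"invokedBy": "s3.amazonaws.com"},
            "requestParameters": {"encryptionContext": {"aws:s3:arn": OBJECT_ARN}},
            "resources": [{"ARN": key_arn, "type": "AWS::KMS::Key"}]}

SAMPLE_LOG = gzip.compress(json.dumps({"Records": [
    _kms("GenerateDataKey", "2019-07-10T17:02:11Z", KEY_ARN),             # upload
    _kms("Decrypt", "2019-07-10T17:05:40Z", KEY_ARN),                     # console Open
    _kms("Decrypt", "2019-07-10T17:06:02Z", KEY_ARN[:-12] + "0" * 12),    # other key
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "eventTime": "2019-07-10T16:58:30Z", "requestParameters": None},
]}).encode())

if __name__ == "__main__":
    for hit in kms_events_for_key(load_records(SAMPLE_LOG), KEY_ID):
        print(hit)
```

To run it against a real log, pass the bytes of a downloaded `*.json.gz` file to `load_records` and the Key ID you copied in Task 1 to `kms_events_for_key`.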
Task 6: Manage Encryption Keys
In this task you will manage encryption keys for users and roles.
On the Services menu, click Key Management Service.
On this page, you can alter the key's description, add or remove Key Administrators and Key Users, allow external users to access the key, and place the key into annual rotation.
In the Key users section, select the user or role that you are signed in with.
Click Remove
You have removed the user’s permission to use this key.
- In the Key users section, click Add then:
- Select the user or role that you are signed in with
- Click Add
This shows how you can control which IAM users or roles can use KMS Keys that you create. The same add and remove steps are used to control which IAM users can manage KMS keys.
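The Key administrators and Key users lists in the console are views of the key policy document that you reviewed in Task 1. The following is an added example, not part of the original lab: it reads a key policy and reports, for each principal, whether the policy lets it use the key, administer it, or both. The sample policy is constructed in the shape of a console-generated key policy; the account number, user name and role name are placeholders.

```python
from fnmatch import fnmatchcase

# Cryptographic operations the console grants to key users.
USE_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey")
# Operations that change or destroy the key, granted to key administrators.
ADMIN_ACTIONS = ("kms:PutKeyPolicy", "kms:DisableKey", "kms:ScheduleKeyDeletion")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _grants(patterns, action):
    """True if a policy action pattern (wildcards, case-insensitive) matches action."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def key_roles(policy: dict) -> dict:
    """Map each AWS principal in Allow statements to the roles it holds on the key."""
    roles = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        held = set()
        if any(_grants(patterns, a) for a in USE_ACTIONS):
            held.add("user")
        if any(_grants(patterns, a) for a in ADMIN_ACTIONS):
            held.add("administrator")
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for arn in arns:
            roles.setdefault(arn, set()).update(held)
    return roles

# Constructed sample policy: account number, user and role names are placeholders.
ACCT = "arn:aws:iam::111122223333:"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": ACCT + "root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
     "Principal": {"AWS": ACCT + "user/lab-user"}, "Resource": "*",
     "Action": ["kms:Create*", "kms:Describe*", "kms:Put*", "kms:Disable*",
                "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"]},
    {"Sid": "Allow use of the key", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": [ACCT + "user/lab-user", ACCT + "role/app-role"]},
     "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                "kms:GenerateDataKey*", "kms:DescribeKey"]},
]}

if __name__ == "__main__":
    for arn, held in key_roles(SAMPLE_POLICY).items():
        print(arn, sorted(held))
```

The check reads only the key policy and ignores Deny statements and conditions; the account root statement also delegates access to IAM policies, which are not evaluated here.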
Follow these steps to close the console, end your lab, and evaluate the experience.
Return to the AWS Management Console.
On the navigation bar, click awsstudent@<AccountNumber>, and then click Sign Out.
Click End Lab
- Select the applicable number of stars
- Type a comment
- 1 star = Very dissatisfied
- 2 stars = Dissatisfied
- 3 stars = Neutral
- 4 stars = Satisfied
- 5 stars = Very satisfied
You may close the dialog if you don't want to provide feedback.
Congratulations! You have now:
- Created an Encryption Key
- Created an S3 bucket with CloudTrail logging functions
- Encrypted an image and stored it in your S3 bucket
- Viewed the encrypted image using the AWS Management Console
- Monitored encryption key usage using CloudTrail
- Managed encryption keys for users and roles