Exercise: AWS Key Management Service

Natasha Ong
4 min read

Exercise Overview:

This exercise will walk you through the basic steps to get started with Key Management Service (KMS). You will:

  • Create an encryption key.
  • Set up an S3 bucket with CloudTrail logging capabilities.
  • Apply encryption to data in an S3 bucket using the created encryption key.
  • Use CloudTrail to track the usage of the encryption key.
  • Administer encryption keys for different users and roles.

Key concepts:

AWS Key Management Service (KMS) is a managed service that provides secure creation, control, and management of encryption keys used to encrypt data. These keys are known as customer master keys (CMKs) and can be used to encrypt/decrypt data across AWS services and apps.
Encryption is the process of converting plain text or data into a coded format (called ciphertext) to prevent unauthorised access.
Decryption is the reverse process, where the ciphertext is converted back into the original plain text, making it readable again.
AWS CloudTrail is a service that provides a record of actions taken by a user, role, or an AWS service in an AWS account. It enables governance, compliance, operational auditing, and risk auditing of your AWS account. It also provides an event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.

Task 0: Accessing the AWS Management Console

  1. Sign in to your IAM user and access your AWS Management Console.
  2. Select your preferred region for doing this exercise. We recommend picking the region that's closest to you.

Task 1: Create your KMS master key

In this task you will create a KMS master key. A KMS master key enables you to easily encrypt your data across AWS services and within your own applications.

  1. Visit the Key Management Service portal in your console.
  2. Choose Create a key then configure:
  3. On the Configure key page, select Symmetric.
Symmetric means that the same key will be used for encrypting and decrypting data. Asymmetric means one key is dedicated to locking, while another is dedicated to unlocking.

4. Key usage: Ensure you select Encrypt and decrypt.

5. Choose Next.

6. On the Add labels page configure the following:

7. Alias: myFirstKey

8. Description: KMS Key for S3 data

It is a good practice to describe what services the encryption key will be associated with in the description.

9. Choose Next.

10. On the Define key administrative permissions page, select the IAM user or role you’re signed into the Console with.

Key Administrators are users or roles that will manage access to the encryption key. The user you're signed in as is displayed at the top of the Console, to the right of the region. If you cannot find your username in the list, try looking on the second page.

11. Choose Next.

12. On the Define key usage permissions page, select the user or role you’re signed into the Console with.

Key Users are the users or roles that will use the key to encrypt and decrypt data.

13. Choose Next.

14. On the Review and edit key policy page:

15. Review the policy.

16. Choose Finish.

17. Copy the Key ID for myFirstKey to a text editor. It should look similar to this: 9ba35b43-09ff-4ff2-8ae0-c7c2eaeb2a6a

  • You will use the Key ID later when looking at the log activity for this KMS key.

Task 2: Configure CloudTrail to store logs in an S3 bucket

In this task, you will configure CloudTrail to store log files in a new S3 bucket.

  1. Visit the CloudTrail portal in the Console.
  2. On the left-hand navigation panel, select Trails.
  3. Choose Create trail, then configure:

a) Trail name: myCustomTrail

b) Trail log bucket and folder: mycloudtrailbucketNUMBER

c) Replace NUMBER with a random number.

d) De-select Enabled for Log file SSE-KMS encryption.

4. Choose Next.

5. On the Choose log events page, configure:

Select the following:

a) Management events: These show what administrators do in your AWS account.

b) Data events: They track data-related actions, like viewing or changing S3 files.

c) Insights events: They automatically detect and fix security problems for you.

Selecting these three event types lets you comprehensively monitor and audit your AWS environment.

6. In Data events, select Switch to basic event selectors and choose Continue. We won't be needing fine-grained control over data events.

7. In Insights events, select the following:

a) API call rate: This tells you how often certain tasks are done and if it suddenly goes up (compared to the usual seven-day pattern), it might mean something's wrong or unauthorised.

b) API error rate: This shows if those tasks are going wrong often. High errors can mean security problems or things set up the wrong way.

8. Choose Next.

9. Choose Create trail.

Task 3: Upload an image to the S3 bucket and apply encryption

In this task, you will upload an image file to your S3 bucket and apply encryption to it using the encryption key you created in Task 1. You’ll use the S3 bucket you created in the previous task.

  1. Visit the S3 console.
  2. Choose the bucket that you've created in the previous task.
  3. From the Objects tab, choose Upload.
  4. Choose Add files.
  5. Browse to and select an image file on your computer (any image file works).
  6. At the bottom of the screen, expand Properties.
  7. Under the Server-side encryption section, select Specify an encryption key.
  8. For Encryption settings, select Override bucket settings for default encryption.
  9. For Encryption key type, select AWS Key Management Service key (SSE-KMS).
  10. For AWS KMS key, select Choose from your AWS KMS keys.
  11. From the Available AWS KMS keys drop down menu, select myFirstKey (your KMS alias name).
  12. Scroll to the bottom of the screen, then choose Upload.
  13. Choose Close from the right corner of the Upload: status page.

Task 4: Access the encrypted image

In this task, you will try to access the encrypted image through both the AWS Management Console and the S3 link.

  1. In the Objects tab, click into your image then choose Open. The image opens in a new tab/window. That was easy!

Amazon S3 and AWS KMS do the following when you click Open:

  • Amazon S3 sends the encrypted data key to AWS KMS.
  • AWS KMS decrypts the key by using the appropriate master key and sends the plaintext key back to Amazon S3.
  • Amazon S3 decrypts the ciphertext and removes the plaintext data key from memory as soon as possible.
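Those three steps are the envelope-encryption pattern: each object is encrypted under its own data key, and the master key in KMS only ever wraps and unwraps that data key, so the master key never leaves the service and the plaintext data key is never written to storage. The Go code below is an added example, not part of the original exercise and not AWS SDK code. It models the pattern with a constructed in-memory stand-in for the key service and AES-256-GCM from the standard library, so it runs offline; the names KMS, EnvelopeObject, GenerateDataKey, Decrypt, PutObject and GetObject are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// EnvelopeObject is what the storage side keeps per object; the plaintext data key is never stored.
type EnvelopeObject struct {
	KeyID          string // master key that wraps the data key
	WrappedDataKey []byte // data key encrypted under the master key
	Ciphertext     []byte // object bytes encrypted under the data key
}

// KMS is a constructed stand-in for the key service (not the AWS API): master keys never leave it.
type KMS map[string][]byte

// CreateKey makes a 256-bit master key; DisableKey makes unwrapping fail until it is re-enabled.
func (k KMS) CreateKey(id string)  { k[id] = randBytes(32) }
func (k KMS) DisableKey(id string) { delete(k, id) }

// GenerateDataKey returns a fresh data key in both plaintext and wrapped form.
func (k KMS) GenerateDataKey(id string) (plain, wrapped []byte, err error) {
	mk, ok := k[id]
	if !ok {
		return nil, nil, errors.New("key not found or disabled")
	}
	plain = randBytes(32)
	return plain, seal(mk, plain), nil
}

// Decrypt unwraps a data key; the master key itself stays inside the service.
func (k KMS) Decrypt(id string, wrapped []byte) ([]byte, error) {
	mk, ok := k[id]
	if !ok {
		return nil, errors.New("key not found or disabled")
	}
	return open(mk, wrapped)
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}

// aead returns AES-256-GCM for a key; every key here is 32 bytes, so a failure is a programming bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // only fails for non-128-bit blocks; AES blocks are 128-bit
	return gcm
}

// seal prefixes a fresh random 12-byte GCM nonce; open reverses it and rejects any tampering.
func seal(key, pt []byte) []byte {
	nonce := randBytes(12)
	return aead(key).Seal(nonce, nonce, pt, nil)
}

func open(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, blob[:12], blob[12:], nil)
}

// zero wipes a plaintext data key as soon as it is no longer needed.
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// PutObject: get a data key, encrypt with it, store only the wrapped key, wipe the plaintext key.
func PutObject(kms KMS, keyID string, data []byte) (*EnvelopeObject, error) {
	plainDK, wrappedDK, err := kms.GenerateDataKey(keyID)
	if err != nil {
		return nil, err
	}
	defer zero(plainDK)
	return &EnvelopeObject{KeyID: keyID, WrappedDataKey: wrappedDK, Ciphertext: seal(plainDK, data)}, nil
}

// GetObject: send the wrapped data key to the key service, decrypt with the returned key, drop it.
func GetObject(kms KMS, obj *EnvelopeObject) ([]byte, error) {
	plainDK, err := kms.Decrypt(obj.KeyID, obj.WrappedDataKey)
	if err != nil {
		return nil, err
	}
	defer zero(plainDK)
	return open(plainDK, obj.Ciphertext)
}
```

Call PutObject and then GetObject on the same KMS value to see the round trip. Two properties are worth checking: flipping any byte of the stored ciphertext makes GetObject fail, because GCM authenticates what it decrypts; and after DisableKey the read fails with "key not found or disabled" while the stored object is untouched, which is the behaviour Task 7 relies on when it recommends disabling a key rather than deleting it.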

2. Close the window/tab that shows your image, then copy the image's Object URL to your text editor. There are two ways to copy the S3 Object URL:

a) Find the Object URL in the image's details page.

b) Select the image in your bucket's detail page, and choose Copy URL.

3. Paste the URL into a new browser tab, and hit enter. The S3 Object URL should look similar to https://mycloudtrailbucket10619.s3-us-west-2.amazonaws.com/Eiffel.jpg

4. It should show Access Denied. Ooo, but how did that happen? If you remember our first S3 bucket exercise, this is because public access is not allowed by default.

5. Challenge: do you think you can enable public access on your own?

No worries if you're stuck, here are the steps:

  1. In your bucket's details page, choose the Permissions tab
  2. For Block public access (bucket settings), choose Edit
  3. De-select Block all public access
  4. Choose Save changes then:
  5. Type confirm, and choose Confirm
  6. Scroll to Object Ownership, choose Edit
  7. Select ACLs enabled.
  8. For Enabling ACLs turns off the bucket owner enforced setting for Object Ownership, select I acknowledge that ACLs will be restored.
  9. Choose Save changes.
  10. In the Object tab, select your image
  11. Choose Actions > Make public via ACL
  12. Choose Make public
  13. Choose Close from the right corner of the Make public: status page.
  14. Refresh the screen for the new tab/window where you opened the S3 Object URL earlier. What do you see?
  • Because the image is encrypted, you're still unable to view it using the public link. You should see a message saying <Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message>
This error message means that any request for an object protected by Server Side Encryption with KMS-managed keys must be authenticated with AWS Signature Version 4; the plain public URL carries no such signature, so making the object public via its ACL does not make the encrypted image viewable.

Task 5: Monitor KMS activity using CloudTrail Logs

In this task, you will access your CloudTrail log files and view the logs related to your encryption operations.

  1. Choose the Objects tab in your S3 bucket's details page.
  2. In your bucket, open the AWSLogs/ folder and keep clicking down through the nested folders.
  • Your path should look similar to: Amazon S3 > Buckets > mycloudtrailbucket12345 > AWSLogs/ > 197167081626/ > CloudTrail/ >  Region > 2023/ > 11/ > 07/
  • In the above example, replace Region with the name of the region that your bucket was created in.

3. If you don’t see any log files, click the refresh button every few seconds until you see a log file.

4. The log files will have an extension of *.json.gz.

5. Look for a log file with a Last modified date that's after you uploaded the image file.

6. If there isn’t a log file whose Last modified date is later than the timestamp of the uploaded image file, refresh the page every few seconds.

7. It can take more than 5 minutes for a log file with a Last modified timestamp later than the time you uploaded the image file to appear.

  • Tip: You can click the Last modified column to sort logs by ascending/descending order.

8. Choose the latest log file in the list.

9. Choose Open.

10. If you see a pop-up security warning, confirm that you want to open the file. If not, continue to the next step.

  • If a pop-up doesn't appear when you click something, your browser's settings might be blocking it. To fix this, go to your browser's settings and allow pop-ups.
  • If you're not using Google Chrome or Firefox, you'll need to download and unzip the compressed (.gz) file on your computer. After that, open it with a text editor.
  • The log file is in JSON format and has records of every API call logged by CloudTrail. The way it looks can vary a bit depending on the browser you use.

11. Search for the following in your log file:

a) Your encryption Key ID that you copied to your text editor in Task 1. Tip: Try to use CTRL+F (or command + F on Macs) to find the Key ID in the logs.

b) The name of the image you uploaded. (You should see the file name in the same log file that contains your encryption Key ID.)

c) It can take up to 10 minutes before the right log comes through! We recommend being patient and checking every single log; not every log will include the Key ID.
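The search in step 11 can be scripted instead of done with CTRL+F, which matters once a trail delivers many files. The Go program below is an added example, not part of the exercise: it gunzips one CloudTrail log file, keeps only kms.amazonaws.com events whose resource ARN ends in the Key ID, and reports the time, API call, caller and, for calls S3 made on your behalf, the object ARN that S3 places in the KMS encryption context. The embedded log is constructed in CloudTrail's record shape rather than captured from an account; the Key ID is the one shown in Task 1, while the account ID 111122223333, the principal names and the timestamps are placeholders.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// ctRecord holds the subset of CloudTrail record fields this search inspects.
type ctRecord struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
	// S3 puts the object ARN in the encryption context under "aws:s3:arn"; that ties a KMS call to one object.
	RequestParameters struct {
		EncryptionContext map[string]string `json:"encryptionContext"`
	} `json:"requestParameters"`
	Resources []struct {
		ARN string `json:"ARN"`
	} `json:"resources"`
}

// KeyUse summarises one KMS API call made with the tracked key.
type KeyUse struct {
	Time, Event, Caller, S3Object string
}

// FindKeyUsage gunzips one CloudTrail log file and returns every kms.amazonaws.com
// event whose resource ARN ends in the given Key ID. Events from other services (the
// S3 PutObject itself, for instance) and calls against other keys are skipped.
func FindKeyUsage(gzData []byte, keyID string) ([]KeyUse, error) {
	zr, err := gzip.NewReader(bytes.NewReader(gzData))
	if err != nil {
		return nil, err
	}
	defer zr.Close()
	raw, err := io.ReadAll(zr)
	if err != nil {
		return nil, err
	}
	var parsed struct {
		Records []ctRecord `json:"Records"`
	}
	if err := json.Unmarshal(raw, &parsed); err != nil {
		return nil, err
	}
	var uses []KeyUse
	for _, r := range parsed.Records {
		if r.EventSource != "kms.amazonaws.com" {
			continue
		}
		for _, res := range r.Resources {
			if strings.HasSuffix(res.ARN, "key/"+keyID) {
				uses = append(uses, KeyUse{r.EventTime, r.EventName, r.UserIdentity.ARN, r.RequestParameters.EncryptionContext["aws:s3:arn"]})
				break
			}
		}
	}
	return uses, nil
}

// sampleLog is constructed in CloudTrail's record shape, not a real capture. The Key ID is
// the one shown in Task 1; account 111122223333, the principals and the times are placeholders.
const sampleLog = `{"Records":[
{"eventTime":"2023-11-07T10:02:11Z","eventSource":"kms.amazonaws.com","eventName":"GenerateDataKey","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-user"},
 "requestParameters":{"encryptionContext":{"aws:s3:arn":"arn:aws:s3:::mycloudtrailbucket10619/Eiffel.jpg"}},"resources":[{"ARN":"arn:aws:kms:us-west-2:111122223333:key/9ba35b43-09ff-4ff2-8ae0-c7c2eaeb2a6a"}]},
{"eventTime":"2023-11-07T10:02:12Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-user"},
 "requestParameters":{"bucketName":"mycloudtrailbucket10619","key":"Eiffel.jpg"},"resources":[{"ARN":"arn:aws:s3:::mycloudtrailbucket10619/Eiffel.jpg"}]},
{"eventTime":"2023-11-07T10:05:02Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"arn":"arn:aws:iam::111122223333:user/example-user"},
 "requestParameters":{"encryptionContext":{"aws:s3:arn":"arn:aws:s3:::mycloudtrailbucket10619/Eiffel.jpg"}},"resources":[{"ARN":"arn:aws:kms:us-west-2:111122223333:key/9ba35b43-09ff-4ff2-8ae0-c7c2eaeb2a6a"}]},
{"eventTime":"2023-11-07T10:06:00Z","eventSource":"kms.amazonaws.com","eventName":"Decrypt","userIdentity":{"arn":"arn:aws:iam::111122223333:role/SomeOtherRole"},
 "requestParameters":{},"resources":[{"ARN":"arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000"}]}
]}`

// GzipSampleLog compresses the sample the way CloudTrail delivers log files (*.json.gz).
func GzipSampleLog() []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write([]byte(sampleLog)) // writes to a bytes.Buffer cannot fail
	zw.Close()
	return buf.Bytes()
}

func main() {
	uses, err := FindKeyUsage(GzipSampleLog(), "9ba35b43-09ff-4ff2-8ae0-c7c2eaeb2a6a")
	if err != nil {
		panic(err)
	}
	for _, u := range uses {
		fmt.Printf("%s %-16s by %s on %s\n", u.Time, u.Event, u.Caller, u.S3Object)
	}
}
```

Run against the sample, it reports the GenerateDataKey call from the upload in Task 3 and the Decrypt call from opening the image in Task 4, both attributed to the same object, and ignores the S3 PutObject record and the Decrypt made against a different key. Pointing the same function at the files you downloaded in step 10 shows who used the key, when, and for which object, which is the view you want when checking whether a key is being used only by the principals you expect.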

Task 6: Manage encryption keys

In this task you will manage encryption keys for users and roles.

1. Go back to the AWS KMS console, and then choose myFirstKey (your KMS alias name).

  • On this page, you can alter the key's description, add or remove Key Administrators and Key Users, allow external users to access the key, and enable annual key rotation.

2. In the Key users section, select the user or role that you are signed in with. In this exercise, you must select the IAM user that you're using.

3. Choose Remove.

4. You have removed the user’s permission to use this key.

5. Next, still in the Key users section, choose Add, and then:

6. Select the user that you are signed in with again.

7. Choose Add

This shows how you can control which IAM users or roles can use KMS Keys that you create. Super easy!

Task 7: Disable and delete the KMS key

In this task, you will delete the customer-managed key that you've created.

Important: Be careful! Deleting an AWS KMS key is serious. It erases the key and all of its information, making it impossible to decrypt data that was encrypted with it.
You should only delete it if you're sure you won't need it.
If you're unsure, disable it instead: you can't get a deleted key back, but you can re-enable a disabled one.

To delete:

  1. To delete the KMS key, you'll have to schedule its deletion. Select the key, and then under Key actions, choose Schedule key deletion.
  2. Decide how many days to wait before it's deleted (between 7 and 30 days).
  3. Check the box under the Confirmation section, and then choose Schedule deletion.
  4. You should see the status change to Pending deletion.

If you're curious, this is how we'd disable it instead:

  1. In the KMS console, choose Customer managed keys on the left-hand panel.
  2. Select the key you've created, and then under the Key action drop-down, choose Disable.
  3. Check the box to confirm you want to disable the key, and then choose Disable key.

Nice work! To finish off, now try to delete your CloudTrail trail and the S3 bucket you've set up in this exercise.

  • You can visit the page Deleting a trail to learn how to delete a CloudTrail trail

Congratulations! You've completed the hands-on exercise! You have successfully:

  • Created an encryption key
  • Established an S3 bucket configured with CloudTrail logging capabilities
  • Applied encryption to the data in the S3 bucket using the created encryption key.
  • Enabled CloudTrail to monitor the usage of the encryption key.
  • Managed encryption keys for various users and roles.