This exercise will walk you through the basic steps to get started with Key Management Service (KMS). You will:
AWS Key Management Service (KMS) is a managed service that provides secure creation, control, and management of encryption keys used to encrypt data. These keys are known as customer master keys (CMKs) and can be used to encrypt/decrypt data across AWS services and apps.
Encryption is the process of converting plain text or data into a coded format (called ciphertext) to prevent unauthorised access.
Decryption is the reverse process, where the ciphertext is converted back into the original plain text, making it readable again.
AWS CloudTrail is a service that provides a record of actions taken by a user, role, or an AWS service in an AWS account. It enables governance, compliance, operational auditing, and risk auditing of your AWS account. It also provides event history of your AWS account activity, including actions taken through the AWS Management Console, AWS SDKs, command line tools, and other AWS services.
In this task you will create a KMS master key. A KMS master key enables you to easily encrypt your data across AWS services and within your own applications.
Symmetric means that the same key will be used for encrypting and decrypting data. Asymmetric means one key is dedicated to locking, while another is dedicated to unlocking.
4. Key usage: Ensure you select Encrypt and decrypt.
5. Choose Next.
6. On the Add labels page configure the following:
7. Alias: myFirstKey
8. Description: KMS Key for S3 data
It is a good practice to describe what services the encryption key will be associated with in the description.
9. Choose Next.
10. On the Define key administrative permissions page, select the IAM user or role you’re signed into the Console with.
Key Administrators are users or roles that will manage access to the encryption key. The user you're signed in as is displayed at the top of the Console, to the right of the region. If you cannot find your username in the list, check the second page.
11. Choose Next.
12. On the Define key usage permissions page, select the user or role you’re signed into the Console with.
Key Users are the users or roles that will use the key to encrypt and decrypt data.
13. Choose Next.
14. On the Review and edit key policy page:
15. Review the policy.
16. Choose Finish.
17. Copy the Key ID for myFirstKey to a text editor. It should look similar to this: 9ba35b43-09ff-4ff2-8ae0-c7c2eaeb2a6a
In this task, you will configure CloudTrail to store log files in a new S3 bucket.
a) Trail name: myCustomTrail
b) Trail log bucket and folder: mycloudtrailbucketNUMBER
c) Replace NUMBER with a random number.
d) De-select Enabled for Log file SSE-KMS encryption.
4. Choose Next.
5. On the Choose log events page, configure:
Select the following:
a) Management events: These show what administrators do in your AWS account.
b) Data events: They track data-related actions, like viewing or changing S3 files.
c) Insights events: They automatically detect and fix security problems for you.
Selecting these three event types lets you comprehensively monitor and audit your AWS environment.
6. In Data events, select Switch to basic event selectors and choose Continue. We won't be needing fine-grained control over data events.
7. In Insights events, select the following:
a) API call rate: This tells you how often certain tasks are done and if it suddenly goes up (compared to the usual seven-day pattern), it might mean something's wrong or unauthorised.
b) API error rate: This shows if those tasks are going wrong often. High errors can mean security problems or things set up the wrong way.
8. Choose Next.
9. Choose Create trail.
In this task, you will upload an image file to your S3 bucket and apply encryption to it using the key you created in Task 1. You’ll use the S3 bucket you created in the previous task.
In this task, you will try to access the encrypted image through both the AWS Management Console and the S3 link.
Amazon S3 and AWS KMS perform the following actions when you click Open:
Amazon S3 sends the encrypted data key to AWS KMS.
AWS KMS decrypts the key by using the appropriate master key and sends the plaintext key back to Amazon S3.
Amazon S3 decrypts the ciphertext and removes the plaintext data key from memory as soon as possible.
2. Close the window/tab that shows your image.
a) Find the Object URL in the image's details page.
b) Select the image in your bucket's detail page, and choose Copy URL. Paste the URL into a new browser tab, and hit enter.
3. Paste it into the new browser tab, and hit enter. The S3 Object URL should look similar to https://mycloudtrailbucket10619.s3-us-west-2.amazonaws.com/Eiffel.jpg
4. It should show Access Denied. Ooo, but how did that happen? If you remember our first S3 bucket exercise, this is because public access is not allowed by default.
5. Challenge: do you think you can enable public access on your own?
No worries if you're stuck, here are the steps:
This error message means that when you make a request to use Server Side Encryption with KMS-managed keys, you need to use AWS Signature Version 4 for authentication and security.
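What "AWS Signature Version 4" means in practice, as an added example that is not part of the exercise: the Python below derives a SigV4 signing key from a caller's secret key and signs a GET for the object. The access key, secret and timestamp are constructed placeholders; the bucket host and file name are the ones used in this exercise.

```python
import hashlib
import hmac

EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()

def _hmac_sha256(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret_key, date_stamp, region, service):
    """SigV4 key derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning.
    Every step starts from the caller's secret key, so an anonymous request
    (no credentials) has nothing to derive a signature from."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")

def canonical_get_request(host, path, amz_date):
    """Canonical request for a GET of one object with an empty body; the blank
    third line is the (empty) canonical query string."""
    headers = {"host": host, "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256,
               "x-amz-date": amz_date}
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    return "\n".join(["GET", path, "", canonical_headers, signed_headers,
                      EMPTY_PAYLOAD_SHA256])

def sigv4_signature(secret_key, amz_date, region, service, canonical_request):
    """Hex signature: the string-to-sign binds algorithm, timestamp, credential
    scope and the hash of the canonical request, so the signature is only valid
    for this request, this service/region and this point in time."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    request_hash = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, request_hash])
    k_signing = derive_signing_key(secret_key, date_stamp, region, service)
    return hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

def authorization_header(access_key_id, secret_key, amz_date, region, host, path):
    """Assemble the Authorization header value a SigV4 client sends for the GET."""
    date_stamp = amz_date[:8]
    canonical = canonical_get_request(host, path, amz_date)
    signature = sigv4_signature(secret_key, amz_date, region, "s3", canonical)
    return ("AWS4-HMAC-SHA256 "
            f"Credential={access_key_id}/{date_stamp}/{region}/s3/aws4_request, "
            "SignedHeaders=host;x-amz-content-sha256;x-amz-date, "
            f"Signature={signature}")
```

Because the derivation starts from the caller's secret key, no valid signature exists for an anonymous request, which is why an SSE-KMS object cannot be fetched through the bare Object URL even when the bucket allows public reads.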
In this task, you will access your CloudTrail log files and view logs related to your encryption operations.
3. If you don’t see any log files, click the refresh button every few seconds until you see a log file.
4. The log files will have an extension of *.json.gz.
5. Look for a log file with a Last modified date that's after you uploaded the image file.
6. If there isn’t a log file whose Last modified date is later than the time stamp for the uploaded image file, refresh the page every few seconds.
7. It can take more than 5 minutes to see a log file that has a Last modified time stamp that is after the time you uploaded the image file.
8. Choose the latest log file in the list.
9. Choose Open.
10. If you see a pop-up security warning, confirm that you want to open the file. If not, continue to the next step.
11. Search for the following in your log file:
a) Your encryption Key ID that you copied to your text editor in Task 1. Tip: Try to use CTRL+F (or command + F on Macs) to find the Key ID in the logs.
b) The name of the image you uploaded. (You should see the name of the file in the same log file that contains your encryption Key ID.)
c) It can take up to 10 minutes before the right log comes through! We recommend being patient and checking every single log; not every log will include the Key ID.
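Rather than scrolling through the *.json.gz files by hand, the added Python example below (not part of the exercise) unpacks one CloudTrail file and pulls out the KMS calls that reference both your Key ID and the uploaded object. The log records are constructed samples and the account id is a placeholder; the Key ID, bucket name and file name are the ones used in this exercise.

```python
import gzip
import json

def load_cloudtrail_records(gz_bytes):
    """Decompress one CloudTrail *.json.gz file (as bytes) and return its Records."""
    return json.loads(gzip.decompress(gz_bytes).decode("utf-8"))["Records"]

def kms_events_for_object(records, key_id, bucket, object_key):
    """Return (eventName, caller ARN, eventTime) for KMS calls that used the key
    for the given S3 object. S3 passes the object ARN to KMS in the encryption
    context under 'aws:s3:arn', which is how file name and Key ID share a record."""
    object_arn = f"arn:aws:s3:::{bucket}/{object_key}"
    hits = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # S3 PutObject/GetObject records do not carry the key this way
        key_arns = [res.get("ARN", "") for res in rec.get("resources", [])]
        if not any(arn.endswith("key/" + key_id) for arn in key_arns):
            continue
        ctx = (rec.get("requestParameters") or {}).get("encryptionContext") or {}
        if ctx.get("aws:s3:arn") == object_arn:
            hits.append((rec["eventName"], rec["userIdentity"].get("arn", "?"), rec["eventTime"]))
    return hits

# Constructed sample log (not a real capture); the account id is a placeholder.
KEY_ID = "9ba35b43-09ff-4ff2-8ae0-c7c2eaeb2a6a"
KEY_ARN = "arn:aws:kms:us-west-2:111122223333:key/" + KEY_ID
STUDENT = "arn:aws:iam::111122223333:user/student"
S3_CTX = {"aws:s3:arn": "arn:aws:s3:::mycloudtrailbucket10619/Eiffel.jpg"}
SAMPLE_LOG = {"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey", "userIdentity": {"arn": STUDENT},
     "requestParameters": {"encryptionContext": S3_CTX, "keySpec": "AES_256"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "userIdentity": {"arn": STUDENT},
     "requestParameters": {"bucketName": "mycloudtrailbucket10619", "key": "Eiffel.jpg"}},
    {"eventTime": "2024-01-01T10:02:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": STUDENT},
     "requestParameters": {"encryptionContext": S3_CTX},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "userIdentity": {"arn": STUDENT},
     "requestParameters": {"encryptionContext": {"aws:s3:arn": "arn:aws:s3:::other/x.jpg"}},
     "resources": [{"ARN": KEY_ARN}]},
]}

def sample_gz():
    # Serialize the sample the way CloudTrail delivers it: gzip-compressed JSON.
    return gzip.compress(json.dumps(SAMPLE_LOG).encode("utf-8"))
```

The GenerateDataKey record is the upload (S3 asking KMS for a data key) and the Decrypt record is the Open step described earlier; the third Decrypt is for another object and is filtered out.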
In this task you will manage encryption keys for users and roles.
1. Go back to the AWS KMS console, and then choose myFirstKey (your KMS alias name).
2. In the Key users section, select the user or role that you are signed in with. In this exercise, you must select the IAM user that you're using.
3. Choose Remove.
4. You have removed the user’s permission to use this key.
5. Next, still in the Key users section, choose Add, and then:
6. Add the user that you are signed in with again.
7. Choose Add.
This shows how you can control which IAM users or roles can use KMS Keys that you create. Super easy!
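The Key Administrators and Key Users choices in Task 1 and the Remove/Add steps above all edit the key policy document attached to the key. As an added example (not code from the exercise), the Python below builds a policy shaped like the console's default, applies the Remove/Add change to the "Allow use of the key" statement, and runs a simplified allow check; the account id and user ARNs are placeholders, and the action lists approximate what the console grants.

```python
import copy
import fnmatch

# Approximation of the actions the console grants to Key users and Key administrators.
KEY_USER_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]
KEY_ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                     "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                     "kms:Get*", "kms:Delete*", "kms:ScheduleKeyDeletion",
                     "kms:CancelKeyDeletion"]

def default_key_policy(account_id, admins, users):
    """Key policy shaped like the one the console generates for a new key
    (simplified: the grant statement for persistent resources is omitted)."""
    root = f"arn:aws:iam::{account_id}:root"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": root}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": list(admins)}, "Action": KEY_ADMIN_ACTIONS, "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": list(users)}, "Action": KEY_USER_ACTIONS, "Resource": "*"}]}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def set_key_user(policy, principal_arn, allowed):
    """Copy of the policy with the principal added to (allowed=True) or removed
    from (allowed=False) "Allow use of the key"; this is what Add/Remove in the
    console's Key users section edits."""
    new = copy.deepcopy(policy)
    for stmt in new["Statement"]:
        if stmt.get("Sid") == "Allow use of the key":
            users = [p for p in _as_list(stmt["Principal"].get("AWS")) if p != principal_arn]
            stmt["Principal"]["AWS"] = users + ([principal_arn] if allowed else [])
    return new

def key_policy_allows(policy, principal_arn, action):
    """Simplified check: some Allow statement names the principal and matches the
    action (trailing '*' wildcards). Real evaluation also considers IAM policies,
    grants, explicit Deny and conditions."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt.get("Principal", {}).get("AWS")):
            continue
        if any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt.get("Action"))):
            return True
    return False
```

Removing yourself from Key users only strips the use statement: the same principal keeps its administrator actions (for example kms:ScheduleKeyDeletion) but can no longer call kms:Decrypt through this policy.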
In this task, you will delete the customer-managed key that you've created.
Important: Be careful! Deleting an AWS KMS key is serious. It erases the key and all its info, making it impossible to decrypt data that was encrypted with it.
You should only delete it if you're sure you won't need it.
If you're unsure, you can disable it instead. You can't get a deleted key back, but you can recover a disabled one.
To delete:
If you're curious, this is how we'd disable it instead:
Nice work! To finish off, now try to delete your CloudTrail trail and the S3 bucket you've set up in this exercise.
Congratulations! You've completed the hands-on exercise! You have successfully: