AWS Key Management Service (KMS) is an Amazon Web Services offering that lets administrators create, delete, and manage keys that encrypt data in AWS databases and products. In this blog, we'll go through what AWS KMS is, including its core features, benefits, and more.
Whether data is stored in the cloud or on-premises, its security is of paramount importance for a company. Encryption is one of the most powerful data security controls, protecting data from unauthorized access, destruction, and disclosure. In this tutorial, we discuss the AWS Key Management Service (KMS), the most efficient data security solution from Amazon for applications and services running in the cloud as well as on-premises.
AWS Key Management Service (KMS) is an Amazon product that helps administrators create, control, and delete the keys that encrypt data stored in AWS products and databases. You can access AWS KMS within AWS Identity and Access Management (IAM) by selecting the “Encryption Keys” section, or programmatically through the AWS CLI and SDKs. It gives you centralized control over the encryption keys that protect your data: you can create, rotate, import, disable, and delete keys, define usage policies for them, and audit how they are used to encrypt your data.
The functions of AWS KMS include both management functions and cryptographic functions, as listed below:
AWS Key Management Service is integrated with AWS CloudTrail, which records key-usage logs that help meet regulatory, auditing, and compliance needs.
AWS KMS lets you store and manage your keys securely. The stored keys are called CMKs (Customer Master Keys). Government-validated Hardware Security Modules (HSMs) generate and protect these keys, and the keys are only ever used in plaintext inside those modules. You can submit data directly to KMS to be encrypted or decrypted under a master key, and you can set usage policies on each key to determine which users may use it for encrypting or decrypting data.
Let’s get started with KMS with a code example that demonstrates the core functions used in the AWS-KMS boilerplate repository. Let’s assume that we have an existing AWS account.
Step 1: Create a Customer Master Key (CMK)
The first step is creating a CMK; it can be skipped if you already have one set up. You can retrieve the list of available master keys using the following command:
$ aws kms list-keys
{
    "Keys": [
        {
            "KeyArn": "arn:aws:kms:region:************:key/********-****-****-****-************",
            "KeyId": "********-****-****-****-************"
        }
    ]
}
Step 2: Create a key alias (optional)
Using the create-alias command, give the new CMK a friendly alias so that later commands can refer to it by name instead of by its key ID.
$ aws kms create-alias \
    --alias-name 'alias/kms-mindmajix-tutorial' \
    --target-key-id '********-****-****-****-************'
Step 3: Create a data key
Using the generate-data-key command and our new CMK, generate a data key; the call returns an encryption key to use later for local data encryption. Using the key-spec parameter, request a 256-bit symmetric AES key.
$ aws kms generate-data-key \
    --key-id 'alias/kms-mindmajix-tutorial' \
    --key-spec 'AES_256' > './.key/data_key.json'
Note that the CiphertextBlob and Plaintext properties are returned base64-encoded, and that KeyId refers not to the generated data key but to the CMK that encrypted it.
It is essential to note that KMS does not keep any record of data keys on its servers. Therefore, you must manage these keys yourself.
{
    "Plaintext": "4XY5FgHP1JyH7SkNYjY6C6gpZlWLbG0jkw06dVu0B4I=",
    "KeyId": "arn:aws:kms:region:************:key/********-****-****-****-************",
    "CiphertextBlob": "AQIDAHiP2nl/OYfqakZzv1qo7ir0iHai3O1Utd4q71Louy78XgGOk8YwfNOJo77u6nxAye/RAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMWfzIpfhT/iCHuZBdAgEQgDvFMB7ItgfGhdDdKZj6dMpzdiyYLuGKXNK2WpCrl1wi0S8uCZdtKpllJMNlhLaRVeX0ghxMqD+JK8gSfQ=="
}
Step 4: Storing the CiphertextBlob
The next step is to extract the CiphertextBlob from data_key.json, base64-decode it, and store it in your repository. The OpenSSL toolkit provides the base64 implementation we use for decoding (the -A option is needed because the blob is a single long line).
The blob contains metadata about which CMK was used when the data key was created, which lets KMS recover the plaintext key later on decryption.
$ sed -nr 's/^.*"CiphertextBlob":\s*"([^"]*)".*$/\1/p' './.key/data_key.json' \
    | openssl base64 -d -A > './.key/ciphertext_blob_decoded'
Step 5: Encrypting the data
Before encrypting any data, you need to base64-decode the Plaintext key from data_key.json, just as we did with the CiphertextBlob in the previous step.
$ sed -nr 's/^.*"Plaintext":\s*"([^"]*)".*$/\1/p' './.key/data_key.json' \
    | openssl base64 -d -A > './.key/plaintext_key_decoded'
Since we have stored both the decoded ciphertext blob and the plaintext key in the .key/ directory, we can now get rid of data_key.json, as it is no longer required.
Note that we use the shred command instead of remove (rm) to securely delete the key file.
$ shred \
    --iterations=100 \
    --remove=wipesync \
    --zero './.key/data_key.json'
Finally, we can start encrypting data using AES and OpenSSL. The following commands will help to do so.
$ openssl enc -e -aes256 \
    -kfile './.key/plaintext_key_decoded' \
    -in '.decrypted/database.json' \
    -out '.encrypted/database.json'
Now we have to delete the plaintext key. Make sure the base64-decoded CiphertextBlob is stored correctly, as the blob is the only way to recover the key and decrypt the stored data.
$ shred \
    --iterations=100 \
    --remove=wipesync \
    --zero './.key/plaintext_key_decoded'
Step 6: Decrypting the data
Data decryption is the most critical part. Since we deleted the plaintext key after encryption, it must first be restored using the aws kms decrypt command.
Note that the decrypt command returns a JSON object that also contains the CMK Id. The --query parameter lets us return only the property we are interested in, avoiding the error-prone and messy parsing of the full response.
$ aws kms decrypt \
    --ciphertext-blob 'fileb://./.key/ciphertext_blob_decoded' \
    --query 'Plaintext' \
    --output text | openssl base64 -d -A -out './.key/plaintext_key_decoded'
Finally, pass the plaintext key to the OpenSSL toolkit to decrypt our encrypted example data.
$ openssl enc -d -aes256 \
    -kfile './.key/plaintext_key_decoded' \
    -in '.encrypted/database.json' \
    -out '.decrypted/database.json'
Step 7: Log & audit CMK activity
AWS KMS is integrated with AWS CloudTrail, which records every use of your keys; these key-usage logs help meet regulatory, auditing, and compliance needs. Using CloudTrail, you can determine the IP address from which a request was made, when it was made, who made it, and so on.
AWS KMS provides you with centralized control over the encryption keys to protect your data. It empowers developers to attach encryption functionality easily to their application code directly using encrypt and decrypt service APIs or through integrating with the AWS Encryption SDK.
Here is the list of the main benefits of AWS KMS:
Now you have a grasp of the primary concepts behind KMS and of implementing encryption for your project. Controlling the security breaches that occur all the time is critical. KMS scrambles data so that only the owner of the key or password can read it. This protects data confidentiality: if an unauthorized person gained access to the service or the storage device, they would be unable to read the data. It also protects data integrity, so that data cannot be tampered with without the owner’s knowledge.
Prasanthi is an expert writer in MongoDB, and has written for various reputable online and print publications. At present, she is working for MindMajix, and writes content not only on MongoDB, but also on Sharepoint, Uipath, and AWS.