DEV Community

Aadit Unni

Create a new Customer Master Key (CMK) in Key Management Service (KMS) and encrypt an object

[20/100] #100DaysOfCloud Today, I created a new Customer Master Key (CMK) in Key Management Service (KMS) and encrypted an S3 object.

  • AWS Key Management Service (AWS KMS) lets you create, manage, and control cryptographic keys across your applications and more than 100 AWS services.
  • Use AWS KMS to encrypt data across your AWS workloads, digitally sign data, encrypt within your applications using AWS Encryption SDK, and generate and verify message authentication codes (MACs).
  • Symmetric encryption – uses a single key for both encryption and decryption. That key must be shared with any other party that needs to read the encrypted data.
  • Asymmetric encryption – uses a public and a private key for encryption and decryption. The public key is used only for encrypting data and the private key only for decrypting it. The private key stays with its owner, while the public key and the encrypted data are sent to other parties.
  • The KMS keys that you create are customer managed keys. Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys, including establishing and maintaining their key policies, IAM policies, and grants, enabling and disabling them, rotating their cryptographic material, adding tags, creating aliases that refer to the KMS keys, and scheduling the KMS keys for deletion.
  • AWS managed keys are KMS keys in your account that are created, managed, and used on your behalf by an AWS service integrated with AWS KMS.
  • AWS owned keys are a collection of KMS keys that an AWS service owns and manages for use in multiple AWS accounts. Although AWS owned keys are not in your AWS account, an AWS service can use an AWS owned key to protect the resources in your account.

You can try to create a new Customer Master Key (CMK) in Key Management Service (KMS) and encrypt an S3 object by yourself by following the steps from the link below:
GitHub
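The same procedure scripted with boto3, as an added example that is not part of the original post or its linked repository: it creates a customer managed key with a minimal key policy, aliases it, uploads an S3 object with SSE-KMS using that key, and then checks that the stored object really reports that key. The bucket name, alias and description are assumptions.

```python
"""Create a customer managed KMS key, encrypt an S3 object with it (SSE-KMS)
and verify that the stored object is protected by that exact key.
Added example using boto3; bucket, alias and description are assumptions."""
import json

KEY_ALIAS = "alias/s3-demo-cmk"   # assumption: alias chosen for this example
BUCKET = "my-example-bucket"      # assumption: an existing bucket you own
OBJECT_KEY = "hello.txt"


def key_policy(account_id: str) -> dict:
    """Minimal key policy: the account root keeps full control (needed so IAM
    policies in the account can grant use of the key); nothing else is allowed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "EnableRootAdmin",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "kms:*",
            "Resource": "*",
        }],
    }


def put_object_args(bucket: str, key: str, body: bytes, kms_key_id: str) -> dict:
    """PutObject parameters requesting SSE-KMS with a specific customer managed key.
    Omitting SSEKMSKeyId would silently fall back to the AWS managed aws/s3 key."""
    return {"Bucket": bucket, "Key": key, "Body": body,
            "ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_id}


def is_encrypted_with(head: dict, key_arn: str) -> bool:
    """Check a HeadObject response: SSE-KMS must be in use and name our key.
    S3 reports the full key ARN, so compare on the ARN, not the alias or bare id."""
    return (head.get("ServerSideEncryption") == "aws:kms"
            and head.get("SSEKMSKeyId") == key_arn)


def main():
    import boto3  # only needed for the live run, not for the pure helpers above
    sts, kms, s3 = boto3.client("sts"), boto3.client("kms"), boto3.client("s3")
    account_id = sts.get_caller_identity()["Account"]
    key = kms.create_key(Description="100DaysOfCloud demo CMK",
                         KeySpec="SYMMETRIC_DEFAULT", KeyUsage="ENCRYPT_DECRYPT",
                         Policy=json.dumps(key_policy(account_id)))["KeyMetadata"]
    kms.create_alias(AliasName=KEY_ALIAS, TargetKeyId=key["KeyId"])
    kms.enable_key_rotation(KeyId=key["KeyId"])  # automatic yearly rotation
    s3.put_object(**put_object_args(BUCKET, OBJECT_KEY, b"hello, kms", key["Arn"]))
    head = s3.head_object(Bucket=BUCKET, Key=OBJECT_KEY)
    print("object encrypted with our CMK:", is_encrypted_with(head, key["Arn"]))


if __name__ == "__main__":
    main()
```

The helpers are pure functions so the key policy and the encryption check can be unit-tested without AWS credentials; only `main()` talks to the account.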
