What Did I Learn -
I learned quite a bit about envelope encryption I did not know prior, I did know about it encrypting anything over 4 KB and encrypting the data key, I was not aware Envelope encryption utilizes CMK to encrypt the data key or envelope key. Or that we would use Envelope encryption to avoid sending data into KMS over the network. We found that Customer Managed CMK can be used to encrypt/decrypt files up to 4 KB and generate the data key. We also learned some meaning to new KMS API Calls, such as
aws kms re-encrypt for decrypting ciphertext then encrypting it again using a CMK that we specify, this can be used for manual key rotation, and
aws kms enable-key-rotation that enables automatic key rotation once a year.
What Did I Do -
Let us create a CMK, first we head to trusty IAM and make a Group for KMS and attach the Admin policy for our users. After this we create our users and attach our role. From here we head to our AWS Dashboard and head into KMS and click create a key in our region we will be using. We will just be selecting KMS and Symmetric for our settings, on the next stage we created our alias and description. For our administrator, select the user you want to administrate and manage your keys. For the key usage permissions select the user we want to be able to use the key by encrypting and decrypting the information. From here we can review the policy and finish creating the policy.
For Tomorrow -
Tomorrow (Actually tomorrow) is going to be all about messaging services, and fun stuff like Kinesis, and Elastic Beanstalk.