DEV Community

Kannan
AWS Key Management Service (KMS)

AWS Key Management Service (AWS KMS) lets you create, manage, and control cryptographic keys across your applications and AWS services.

  • The service is integrated with other AWS services, which makes it easier to encrypt the data you store in those services and to control access to the keys that decrypt it.

  • Create a KMS key: KMS > Customer managed keys > Create key


  • Install the aws-encryption-cli (package name aws-encryption-sdk-cli) to encrypt and decrypt files from the command line:

    sudo apt install python3-pip
    sudo pip install aws-encryption-sdk-cli
    aws-encryption-cli --version
  • AWS CLI commands to encrypt the file. The --query/base64 step strips the JSON wrapper so that only the raw ciphertext blob is written to disk:

    kannan@kannan-PC:~$ aws kms encrypt \
        --key-id alias/kannan1 \
        --plaintext fileb://kms.txt \
        --output text \
        --query CiphertextBlob | base64 \
        --decode > kms_encrypt.txt
    kannan@kannan-PC:~$ cat kms_encrypt.txt
    (binary ciphertext; not printable)
    kannan@kannan-PC:~$
  • AWS CLI commands to decrypt the file (the ciphertext blob carries the key ID, so --key-id is optional for a symmetric key; no trailing whitespace may follow the line-continuation backslashes):

    kannan@kannan-PC:~$ aws kms decrypt \
        --ciphertext-blob fileb://kms_encrypt.txt \
        --key-id alias/kannan1 \
        --output text \
        --query Plaintext | base64 \
        --decode > kms_decrypt.txt
    kannan@kannan-PC:~$ cat kms_decrypt.txt
    Test line for kms key
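The two commands above work for a small test file, but the KMS Encrypt API only accepts up to 4096 bytes of plaintext, and neither call binds an encryption context to the ciphertext. The script below is an added example, not code from the original post: it wraps the same `aws kms encrypt` / `aws kms decrypt` calls, refuses files over the limit (pointing at envelope encryption, which the next section covers), and passes an encryption context that decrypt must repeat. It assumes AWS CLI v2 with working credentials, the post's alias/kannan1 key, and a base64 that understands --decode; the `purpose=kms-demo` context and the RUN_KMS_DEMO switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: thin wrappers around the
# `aws kms encrypt` / `aws kms decrypt` calls shown above.
# Assumptions: AWS CLI v2 with working credentials, the alias/kannan1 key
# from the post, and a base64 that understands --decode.
set -eu

KEY_ID=${KEY_ID:-alias/kannan1}               # key from the post; override via environment
ENC_CONTEXT=${ENC_CONTEXT:-purpose=kms-demo}  # constructed encryption context (non-secret AAD)
KMS_ENCRYPT_LIMIT=4096                        # bytes: Encrypt API plaintext maximum

# Return 0 if FILE is small enough to be encrypted directly by the Encrypt API.
fits_kms_limit() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -le "$KMS_ENCRYPT_LIMIT" ]
}

# usage: kms_encrypt_file PLAINTEXT_FILE CIPHERTEXT_FILE
# The encryption context is bound to the ciphertext as additional
# authenticated data; decrypt must present the identical context.
kms_encrypt_file() {
    if ! fits_kms_limit "$1"; then
        echo "refusing $1: larger than $KMS_ENCRYPT_LIMIT bytes; use envelope encryption (aws-encryption-cli) instead" >&2
        return 1
    fi
    aws kms encrypt \
        --key-id "$KEY_ID" \
        --plaintext "fileb://$1" \
        --encryption-context "$ENC_CONTEXT" \
        --output text \
        --query CiphertextBlob | base64 --decode > "$2"
}

# usage: kms_decrypt_file CIPHERTEXT_FILE PLAINTEXT_FILE
kms_decrypt_file() {
    aws kms decrypt \
        --ciphertext-blob "fileb://$1" \
        --key-id "$KEY_ID" \
        --encryption-context "$ENC_CONTEXT" \
        --output text \
        --query Plaintext | base64 --decode > "$2"
}

# usage: roundtrip_ok ORIGINAL DECRYPTED  -> 0 when both files are byte-identical
roundtrip_ok() {
    cmp -s "$1" "$2"
}

# Demo against a real account; only runs when RUN_KMS_DEMO=1 is set.
if [ "${RUN_KMS_DEMO:-0}" = 1 ]; then
    kms_encrypt_file kms.txt kms_encrypt.txt
    kms_decrypt_file kms_encrypt.txt kms_decrypt.txt
    roundtrip_ok kms.txt kms_decrypt.txt && echo "round trip OK"
fi
```

Run it as `RUN_KMS_DEMO=1 sh kms_wrap.sh` in the directory holding kms.txt. A decrypt call that omits or changes the encryption context fails with an InvalidCiphertextException, which is the behaviour you want: the context is not secret (CloudTrail logs it in clear), but it stops a ciphertext produced for one purpose from being decrypted under another.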
  • Create directories to hold the encrypted and decrypted files:

    mkdir encrypt
    mkdir decrypt

  • Store the ARN generated for the KMS key in a shell variable:

    kannankey=arn:aws:kms:ap-south-1:155364343822:key/ef88420b-bbc5-4807-b1f3-c82eb5191c7f
    kannan@kannan-PC:~$ cd encrypt/
    kannan@kannan-PC:~/encrypt$ ls
    example.txt.encrypted  kms.txt.encrypted
    kannan@kannan-PC:~/encrypt$ cat kms.txt.encrypted
    (binary AWS Encryption SDK message: the header carries readable strings such as
    aws-crypto-public-key, aws-kms and the key ARN, followed by the encrypted data
    key and the ciphertext)
    kannan@kannan-PC:~/encrypt$ cd ..
    kannan@kannan-PC:~$ cd decrypt/
    kannan@kannan-PC:~/decrypt$ ls
    example.txt.encrypted.decrypted  kms.txt.encrypted.decrypted
    kannan@kannan-PC:~/decrypt$ cat kms.txt.encrypted.decrypted
    Test line for kms key
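The listing above shows the result of running aws-encryption-cli against the two directories, with the key ARN from `$kannankey`. The script below is an added example, not the post's own commands: it performs that envelope encryption and decryption with aws-encryption-cli 2.x and, before calling the tool, checks that `$kannankey` really is a key ARN, because the CLI accepts an alias or key ID for encrypting but in strict mode requires the full key ARN for decrypting. It assumes aws-encryption-cli 2.2 or later, working AWS credentials, and the ./encrypt and ./decrypt directories created above; ./metadata, the `purpose=kms-demo` context and the RUN_KMS_DEMO switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: envelope encryption of a file
# with aws-encryption-cli 2.x, using the key ARN stored in $kannankey.
# Assumptions: aws-encryption-cli 2.2+, working AWS credentials, and the
# ./encrypt and ./decrypt directories created above. ./metadata is a
# hypothetical path for the CLI's per-file metadata log.
set -eu

kannankey=${kannankey:-arn:aws:kms:ap-south-1:155364343822:key/ef88420b-bbc5-4807-b1f3-c82eb5191c7f}
metadata_file=${metadata_file:-./metadata}
enc_context="purpose=kms-demo"   # constructed and non-secret: it is stored in the message header in clear

# Return 0 if VALUE looks like a KMS key ARN:
#   arn:<partition>:kms:<region>:<12-digit account>:key/<uuid>
# Encrypt accepts aliases and key IDs, but decrypt in strict mode needs the
# full key ARN, so the same check is applied in both directions.
require_key_arn() {
    printf '%s\n' "$1" | grep -Eq '^arn:aws(-[a-z]+)?:kms:[a-z0-9-]+:[0-9]{12}:key/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# usage: envelope_encrypt kms.txt ./encrypt   -> ./encrypt/kms.txt.encrypted
envelope_encrypt() {
    require_key_arn "$kannankey" || { echo "kannankey must be a KMS key ARN, got: $kannankey" >&2; return 1; }
    aws-encryption-cli --encrypt \
        --input "$1" \
        --wrapping-keys key="$kannankey" \
        --encryption-context "$enc_context" \
        --commitment-policy require-encrypt-require-decrypt \
        --metadata-output "$metadata_file" \
        --output "$2"
}

# usage: envelope_decrypt ./encrypt/kms.txt.encrypted ./decrypt
#        -> ./decrypt/kms.txt.encrypted.decrypted
# --max-encrypted-data-keys limits how many wrapped keys a message may carry;
# --buffer withholds plaintext until the message signature has been verified.
envelope_decrypt() {
    require_key_arn "$kannankey" || { echo "kannankey must be a KMS key ARN, got: $kannankey" >&2; return 1; }
    aws-encryption-cli --decrypt \
        --input "$1" \
        --wrapping-keys key="$kannankey" \
        --encryption-context "$enc_context" \
        --commitment-policy require-encrypt-require-decrypt \
        --max-encrypted-data-keys 1 \
        --buffer \
        --metadata-output "$metadata_file" \
        --output "$2"
}

# Demo against a real account; only runs when RUN_KMS_DEMO=1 is set.
if [ "${RUN_KMS_DEMO:-0}" = 1 ]; then
    envelope_encrypt kms.txt ./encrypt
    envelope_decrypt ./encrypt/kms.txt.encrypted ./decrypt
    cmp -s kms.txt ./decrypt/kms.txt.encrypted.decrypted && echo "round trip OK"
fi
```

The readable strings in the listing above are expected: the message header stores the key provider, the key ARN and the encryption context unencrypted so that decrypt can locate the right key, which is why nothing confidential should ever go into an encryption context.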

The same KMS key can also be used for server-side encryption of storage services such as EBS volumes and S3 buckets.

  • EC2 > EBS > Volumes > Create volume > enable "Encrypt this volume".

  • Create an S3 bucket from the CLI:

    kannan@kannan-PC:~$ aws s3 mb s3://kannandemo-bucket
    make_bucket: kannandemo-bucket

  • Select the bucket > Properties > Edit default encryption.

  • Select "Server-side encryption with AWS Key Management Service keys (SSE-KMS)".

  • Choose "Choose from your AWS KMS keys" and select the key.

  • S3 then encrypts objects with that key on upload and decrypts them on download for principals that are allowed to use the key. Default encryption applies to objects written after it is enabled; objects already in the bucket are not re-encrypted.
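The console steps above can be reproduced from the CLI, and it is worth verifying afterwards that uploaded objects really are stored under the key rather than under the default SSE-S3 setting. The script below is an added example, not from the original post: it builds the configuration document for `aws s3api put-bucket-encryption`, applies it to the post's bucket, and checks the ServerSideEncryption and SSEKMSKeyId fields that `aws s3api head-object` returns. It assumes AWS CLI v2 with credentials, the kannandemo-bucket and key ARN from the post; the object name and the RUN_KMS_DEMO switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: enable SSE-KMS as the bucket
# default from the CLI and verify that an object is encrypted under the key.
# Assumptions: AWS CLI v2 with credentials; bucket and key ARN from the post.
set -eu

BUCKET=${BUCKET:-kannandemo-bucket}
KEY_ARN=${KEY_ARN:-arn:aws:kms:ap-south-1:155364343822:key/ef88420b-bbc5-4807-b1f3-c82eb5191c7f}

# Build the configuration document put-bucket-encryption expects.
# BucketKeyEnabled reduces KMS request volume (and cost) for SSE-KMS buckets.
sse_kms_config() {   # usage: sse_kms_config KEY_ARN
    printf '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms","KMSMasterKeyID":"%s"},"BucketKeyEnabled":true}]}' "$1"
}

set_default_encryption() {
    aws s3api put-bucket-encryption \
        --bucket "$BUCKET" \
        --server-side-encryption-configuration "$(sse_kms_config "$KEY_ARN")"
}

# Read head-object JSON on stdin; return 0 only if the object is SSE-KMS
# encrypted under exactly KEY_ARN (an object stored as AES256, i.e. SSE-S3,
# or under a different key fails the check).
head_json_uses_key() {   # usage: aws s3api head-object ... | head_json_uses_key KEY_ARN
    json=$(cat)
    alg=$(printf '%s\n' "$json" | sed -n 's/.*"ServerSideEncryption": *"\([^"]*\)".*/\1/p')
    kid=$(printf '%s\n' "$json" | sed -n 's/.*"SSEKMSKeyId": *"\([^"]*\)".*/\1/p')
    if [ "$alg" = "aws:kms" ] && [ "$kid" = "$1" ]; then
        return 0
    fi
    return 1
}

object_uses_key() {   # usage: object_uses_key OBJECT_KEY
    aws s3api head-object --bucket "$BUCKET" --key "$1" | head_json_uses_key "$KEY_ARN"
}

# Demo against a real account; only runs when RUN_KMS_DEMO=1 is set.
if [ "${RUN_KMS_DEMO:-0}" = 1 ]; then
    set_default_encryption
    aws s3 cp kms.txt "s3://$BUCKET/kms.txt"       # uploaded after the default took effect
    if object_uses_key kms.txt; then
        echo "kms.txt is encrypted under $KEY_ARN"
    else
        echo "kms.txt is NOT encrypted under $KEY_ARN" >&2
        exit 1
    fi
fi
```

Running `object_uses_key` against an object that existed before the default was changed shows the caveat above in practice: it still reports the encryption it was uploaded with, and only a fresh copy (for example `aws s3 cp` of the object onto itself) picks up the new key.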

To delete a KMS key you must schedule its deletion; the waiting period is a minimum of 7 days. Once the key is gone, everything encrypted under it (the files, the EBS volume and the bucket objects above) can no longer be decrypted, which is what the waiting period is there to protect against.
