Thu Kha Kyawe

Day 41: Securing Data with AWS KMS

Lab Information

The Nautilus DevOps team is focusing on improving their data security by using AWS KMS. Your task is to create a KMS key and manage the encryption and decryption of a pre-existing sensitive file using the KMS key.

Specific Requirements:

Create a symmetric KMS key named xfusion-KMS-Key to manage encryption and decryption.
Encrypt the provided SensitiveData.txt file (located in /root/), base64 encode the ciphertext, and save the encrypted version as EncryptedData.bin in the /root/ directory.
Try to decrypt the same and verify that the decrypted data matches the original file.
Make sure that the KMS key is correctly configured. The validation script will test your configuration by decrypting the EncryptedData.bin file using the KMS key you created.

Lab Solutions

Step 1: Create a Symmetric KMS Key

Log in to the AWS Management Console

Go to KMS → Customer managed keys

Click Create key

Key Configuration

Key type: Symmetric

Key usage: Encrypt and decrypt

Advanced options: Default

Click Next

Alias

Alias name:

xfusion-KMS-Key

Click Next

Key Administrators

Select your IAM user / role

Click Next

Key Users

Allow the same IAM user / role to use the key

Click Next

Review and click Next and then Finish

✅ Symmetric KMS key is now created and ready for use.

Step 2: Verify the Sensitive File Exists

On the aws-client host:

ls /root/SensitiveData.txt

You should see:

/root/SensitiveData.txt

Step 3: Encrypt the File Using KMS
3.1 Encrypt the File

Run the following command. The key ID is the one shown in the console for the key created in Step 1 (the alias, written as alias/xfusion-KMS-Key, is also accepted by --key-id). With --output text and --query CiphertextBlob the CLI prints the ciphertext base64-encoded; piping it through base64 --decode stores the raw ciphertext blob, which is the form fileb:// expects when decrypting. The output path is given in full so the file lands in /root/ regardless of the current directory:

aws kms encrypt \
  --key-id 44763377-ee76-44a6-a92b-c6f65822cc7c \
  --plaintext fileb:///root/SensitiveData.txt \
  --output text \
  --query CiphertextBlob | base64 --decode > /root/EncryptedData.bin

Step 5: Verify Data Integrity

Decrypt the ciphertext blob back into a file (for a symmetric key --key-id is optional on decrypt, since the key ID is embedded in the ciphertext, but passing it makes the command fail fast if the blob came from a different key):

aws kms decrypt \
    --ciphertext-blob fileb:///root/EncryptedData.bin \
    --key-id 44763377-ee76-44a6-a92b-c6f65822cc7c \
    --output text \
    --query Plaintext | base64 --decode > /root/PlaintextFile.txt

Compare original and decrypted files:

diff /root/SensitiveData.txt /root/PlaintextFile.txt

Expected result:

No output → diff prints nothing when the files are byte-for-byte identical ✅
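The same encrypt → write blob → decrypt → compare round trip as a script, added here as an example that is not part of the original post or of the KodeKloud lab. It uses boto3's KMS client (the encrypt/decrypt calls and the CiphertextBlob/Plaintext/KeyId response fields are the real API); the alias used as KEY_ID, the file paths, the optional encryption context and the sample file are assumptions. It also adds the check a practitioner wants before relying on KMS Encrypt directly: the API accepts at most 4096 bytes of plaintext, so anything larger must use envelope encryption (GenerateDataKey plus a local cipher) instead.

```python
"""Encrypt a small file with AWS KMS, decrypt it, and verify the round trip.

Added example, not code from the original post. Needs AWS credentials when
run for real; the KMS client is passed in so the logic can be exercised
with a stub.
"""
import base64
import hashlib
from pathlib import Path

# KMS Encrypt operates directly on at most 4096 bytes of plaintext.
KMS_DIRECT_ENCRYPT_LIMIT = 4096

# Assumption: the alias created in Step 1. KMS accepts "alias/<name>"
# anywhere a key id is accepted.
KEY_ID = "alias/xfusion-KMS-Key"


def real_kms_client(region_name=None):
    """Return a boto3 KMS client (imported lazily so the module loads without boto3)."""
    import boto3
    return boto3.client("kms", region_name=region_name)


def _ctx_kwargs(encryption_context):
    """Only send EncryptionContext when one was given.

    Encryption context is authenticated-but-unencrypted metadata bound to the
    ciphertext; Decrypt fails unless the identical context is supplied, so a
    validator that decrypts without it would be locked out.
    """
    return {"EncryptionContext": encryption_context} if encryption_context else {}


def encrypt_file(kms, src, dst, key_id=KEY_ID, encryption_context=None):
    """Encrypt src with KMS, write the raw ciphertext blob to dst.

    Returns the base64 text of the blob, i.e. what `aws kms encrypt
    --output text --query CiphertextBlob` prints before `base64 --decode`.
    """
    plaintext = Path(src).read_bytes()
    if len(plaintext) > KMS_DIRECT_ENCRYPT_LIMIT:
        raise ValueError(
            f"{src} is {len(plaintext)} bytes; KMS Encrypt takes at most "
            f"{KMS_DIRECT_ENCRYPT_LIMIT} bytes, use envelope encryption instead"
        )
    resp = kms.encrypt(KeyId=key_id, Plaintext=plaintext,
                       **_ctx_kwargs(encryption_context))
    blob = resp["CiphertextBlob"]          # raw bytes, the form fileb:// expects
    Path(dst).write_bytes(blob)
    return base64.b64encode(blob).decode("ascii")


def decrypt_file(kms, src, dst, key_id=KEY_ID, encryption_context=None):
    """Decrypt the raw blob in src, write the plaintext to dst, return the key ARN used."""
    blob = Path(src).read_bytes()
    resp = kms.decrypt(CiphertextBlob=blob, KeyId=key_id,
                       **_ctx_kwargs(encryption_context))
    Path(dst).write_bytes(resp["Plaintext"])
    return resp["KeyId"]


def sha256_of(path):
    """Digest of a file, used instead of diff to compare original and decrypted copies."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def round_trip(kms, original, encrypted, decrypted, key_id=KEY_ID,
               encryption_context=None):
    """Encrypt, decrypt, and return True when the decrypted copy matches the original."""
    encrypt_file(kms, original, encrypted, key_id, encryption_context)
    decrypt_file(kms, encrypted, decrypted, key_id, encryption_context)
    return sha256_of(original) == sha256_of(decrypted)


if __name__ == "__main__":
    # Paths from the lab; the key alias is an assumption.
    ok = round_trip(real_kms_client(), "/root/SensitiveData.txt",
                    "/root/EncryptedData.bin", "/root/PlaintextFile.txt")
    print("files are identical" if ok else "MISMATCH")
```

Leave encryption_context as None for this lab, because the validation script decrypts EncryptedData.bin on its own and would not know the context; in your own systems, binding ciphertext to a context (for example the S3 key or record id it belongs to) is a cheap way to stop a blob being decrypted in the wrong place.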


Resources & Next Steps
📦 Full Code Repository: KodeKloud Learning Labs
📖 More Deep Dives: Whispering Cloud Insights - Read other technical articles
💬 Join Discussion: DEV Community - Share your thoughts and questions
💼 Let's Connect: LinkedIn - I'd love to connect with you

Credits
• All labs are from: KodeKloud
• I sincerely appreciate your provision of these valuable resources.
