DEV Community

Cover image for AWS KMS BLOG
Muhammad Awais Zahid
Muhammad Awais Zahid

Posted on

AWS KMS BLOG

aws kms key with s3 - how to use aws kms key to encrypt data - aws kms s3 demo

Topics to cover in this

what is kms ?
types of kms ?
create 2 IAM users with s3 full permission
how to create kms key
create S3 bucket
configure both users with aws-cli
verify both users access with s3
how to enable encryption on s3 bucket
verify

what is kms
aws key management service (aws kms ) is a managed service - here managed service means kms is managed by aws, not by us like kms key update, policy update, kms backup

kms key provides the next level of security to our data by providing encryption to data

kms key helps us to manage our data securely and also reduce the burden of managing user access with IAM policy or s3 bucket policy

In simple words, key management services or kms help us to encrypt and decrypt the data

types of kms
we have 2 types of kms key provided by aws

symmetric - a single encryption key used for both encrypt and decrypt the data
asymmetric - a public and private key pair that can be used to encrypt/decrypt the data.

create 2 IAM users with s3 full permission
login to aws console
go to service and in the search tab look for IAM
from the dashboard select user - select programmatic access
create 2 users and give both s3 full permission
make sure to download the access key and secret key and store it in a secure location

how to create kms key
login to aws console - select the region
go to service and in the search tab look for kms
in kms on the left side 3 options are there -
aws managed keys
customer-managed keys
customer key store
select the customer-managed keys
in this demo will use symmetric key - select symmetric
in the advance key section select the kms
regionality leave default
in the next windows 3 options to fill
alias - recommended giving some alias name
description - recommended giving some description ( optional field )
Tags - recommended giving some tags name ( optional field )
in the next screen select the key administrator - here need to give the user/group/role who administer access to this policy

The next tab is for key deletion (optional field )
next need to select key permissions - here need to select users for whom kms access require

*verify the key policy *

{
"Id": "key-consolepolicy-3",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Enable IAM User Permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-id:username"
},
"Action": "kms:",
"Resource": "
"
},
{
"Sid": "Allow access for Key Administrators",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam:::user/username"
},
"Action": [
"kms:Create*",
"kms:Describe*",
"kms:Enable*",
"kms:List*",
"kms:Put*",
"kms:Update*",
"kms:Revoke*",
"kms:Disable*",
"kms:Get*",
"kms:Delete*",
"kms:TagResource",
"kms:UntagResource",
"kms:ScheduleKeyDeletion",
"kms:CancelKeyDeletion"
],
"Resource": "*"
}
]
}

finish

create s3 bucket

login to aws console - select the region
go to service and in the search tab look for s3
in the left panel - select s3 bucket - create a bucket
give a unique name to your bucket and select the same region in which aws kms key is created
leave all the settings as it and click on create a bucket

configure both users with aws-cli
aws configure --profile user1
aws configure --profile user2

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=

next step - put some files inside the s3 bucket and verify both user access to it

aws s3 ls

aws s3 cp s3://enteryourbucketnamehere/filename . --profile user1

aws s3 cp s3://enteryourbucketnamehere/filename . --profile user2

Till this point both users were able to download, list file without error

how to enable encryption on s3 bucket

login to aws console - select the region
go to service and in the search tab look for s3
select the bucket on which you need to enable encryption
select properties - scroll down and select default encryption - enable it

verify both users access again

aws s3 cp s3://enteryourbucketnamehere/filename . --profile user1

aws s3 cp s3://enteryourbucketnamehere/filename . --profile user2

Now here only users with kms key access are able to call the s3 bucket operation

Top comments (0)