
Introduction to AWS Key Management Service

First, we create the key we are going to use; this is the customer master key (CMK). In the IAM dashboard, open Encryption keys, located at the bottom left of the menu pane. I set the region for the key to Oregon (us-west-2), because all of my other AWS resources were in that region: a KMS key is regional and can only be used from the region it was created in. Below are the alias and description I gave this key:

Create alias and description. The next screen, Define key administrative permissions, is where the administrators of the key itself are chosen; here I selected the user UserThree. After that comes the Define key usage permissions page, where I chose the same user again. Giving one user both roles is convenient in a lab, but the two roles are meant to be separated: administrators manage the key (policy, rotation, deletion) while users perform cryptographic operations with it, and a principal who can both rewrite the policy and decrypt the data has no one to check them. Below is the key policy the wizard generated from those choices; each statement corresponds to one of the roles just assigned.

{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::761611372931:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::761611372931:user/UserThree"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::761611372931:user/UserThree"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::761611372931:user/UserThree"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}


The lab asks us to make a note of the key ID, which is:

"c9f589d6-5f33-450b-a989-090663c87402"

Encrypt data in an S3 Bucket

As suggested, we first need to turn on AWS CloudTrail. In the AWS console, open CloudTrail and create a trail; the wizard can create a new S3 bucket for the log files at the same time. CloudTrail records every KMS API call against the key (Encrypt, Decrypt, GenerateDataKey and the administrative calls) as a JSON event, so turning it on before using the key is what makes the monitoring step later in the lab possible.


Next, open the bucket and upload a file. In the upload wizard's properties step, choose server-side encryption and select the KMS key created earlier (SSE-KMS) rather than the S3-managed key (SSE-S3); only the former uses our key and therefore shows up in CloudTrail as KMS activity. Once the upload completes, make a note of the Last Modified timestamp of the object: that is the value we will use to find the matching KMS events in the log.


Monitor KMS activity using Cloudtrail logs

Here we went through the CloudTrail log files in the S3 bucket looking for the entries for what we had just done; below is a screenshot of this. The log files are in JSON format: each record carries an eventSource (kms.amazonaws.com for calls against our key), an eventName such as GenerateDataKey or Decrypt, an eventTime to match against the Last Modified timestamp noted earlier, and the userIdentity that made the call.
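The following added example (not the lab's own code) shows what that search looks like in code and covers both the upload step and the monitoring step. It reads a constructed CloudTrail Records file whose field names are CloudTrail's but whose values are made up, links the uploaded S3 object to the GenerateDataKey and Decrypt calls S3 made on its behalf (S3 passes the object ARN to KMS as the aws:s3:arn encryption context), finds the KMS calls near the object's Last Modified timestamp, and flags failed calls, key-lifecycle changes and calls by principals outside the expected set. The account ID, second user and other key are placeholders; the key ID is the one noted above.

```python
import json
from datetime import datetime, timezone

KEY_ID = "c9f589d6-5f33-450b-a989-090663c87402"       # key id noted in the lab
ACCOUNT = "123456789012"                              # placeholder, not the lab's account
KEY_ARN = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/{KEY_ID}"
OTHER_KEY_ARN = f"arn:aws:kms:us-west-2:{ACCOUNT}:key/00000000-0000-4000-8000-000000000000"
USER = f"arn:aws:iam::{ACCOUNT}:user/UserThree"
OTHER_USER = f"arn:aws:iam::{ACCOUNT}:user/UserFour"  # placeholder principal
OBJECT_ARN = "arn:aws:s3:::lab-bucket/secret.txt"


def _kms_event(stamp, name, who, **extra):
    """Build one constructed CloudTrail record in the shape KMS events have."""
    event = {"eventVersion": "1.05", "eventTime": stamp, "eventSource": "kms.amazonaws.com",
             "eventName": name, "awsRegion": "us-west-2",
             "userIdentity": {"type": "IAMUser", "arn": who}}
    event.update(extra)
    return event


S3_CONTEXT = {"encryptionContext": {"aws:s3:arn": OBJECT_ARN}, "keyId": KEY_ARN}

# Constructed log file: a "Records" array like the JSON files CloudTrail delivers
# to its S3 bucket. Field names are CloudTrail's; every value is made up.
SAMPLE_LOG = json.dumps({"Records": [
    # S3 asks KMS for a data key when the SSE-KMS object is uploaded ...
    _kms_event("2018-03-10T14:02:11Z", "GenerateDataKey", USER,
               requestParameters={**S3_CONTEXT, "keySpec": "AES_256"},
               resources=[{"ARN": KEY_ARN, "accountId": ACCOUNT}]),
    # ... and asks it to unwrap that key when the object is read back.
    _kms_event("2018-03-10T14:05:40Z", "Decrypt", USER,
               requestParameters=S3_CONTEXT,
               resources=[{"ARN": KEY_ARN, "accountId": ACCOUNT}]),
    # A principal not in the key policy is refused.
    _kms_event("2018-03-10T15:30:02Z", "Decrypt", OTHER_USER,
               requestParameters={"keyId": KEY_ARN}, errorCode="AccessDenied"),
    # The key administrator schedules deletion: a lifecycle event worth alerting on.
    _kms_event("2018-03-10T16:00:00Z", "ScheduleKeyDeletion", USER,
               requestParameters={"keyId": KEY_ID, "pendingWindowInDays": 7},
               resources=[{"ARN": KEY_ARN, "accountId": ACCOUNT}]),
    # Activity on a different key, which the filters below must ignore.
    _kms_event("2018-03-10T16:10:00Z", "Decrypt", USER,
               requestParameters={"keyId": OTHER_KEY_ARN},
               resources=[{"ARN": OTHER_KEY_ARN, "accountId": ACCOUNT}]),
]})

LIFECYCLE_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy",
                    "CreateGrant", "RevokeGrant", "DeleteAlias", "UpdateAlias"}


def load_records(text):
    return json.loads(text)["Records"]


def _touches_key(event, key_id):
    """Match on the resources ARN, or on requestParameters.keyId for calls that failed."""
    arns = [r.get("ARN", "") for r in event.get("resources", [])]
    arns.append(str((event.get("requestParameters") or {}).get("keyId", "")))
    return any(a.endswith(key_id) for a in arns)


def kms_events_for_key(records, key_id):
    """All KMS API calls that named this key, in log order."""
    return [e for e in records
            if e.get("eventSource") == "kms.amazonaws.com" and _touches_key(e, key_id)]


def s3_objects_using_key(records, key_id):
    """Group the key's calls by the S3 object ARN that S3 puts in the encryption context."""
    objects = {}
    for e in kms_events_for_key(records, key_id):
        ctx = (e.get("requestParameters") or {}).get("encryptionContext") or {}
        if "aws:s3:arn" in ctx:
            objects.setdefault(ctx["aws:s3:arn"], []).append(
                (e["eventTime"], e["eventName"], e["userIdentity"]["arn"]))
    return objects


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def events_around(records, key_id, last_modified, window_seconds=60):
    """Event names logged within `window_seconds` of an object's Last Modified time."""
    t0 = _parse_time(last_modified)
    return [e["eventName"] for e in kms_events_for_key(records, key_id)
            if abs((_parse_time(e["eventTime"]) - t0).total_seconds()) <= window_seconds]


def findings(records, key_id, expected_users):
    """Lines an on-call engineer would want to see for this key."""
    out = []
    for e in kms_events_for_key(records, key_id):
        when, name, who = e["eventTime"], e["eventName"], e["userIdentity"]["arn"]
        if "errorCode" in e:
            out.append(f"{when} {name} by {who} failed: {e['errorCode']}")
        elif name in LIFECYCLE_EVENTS:
            out.append(f"{when} {name} by {who}: key lifecycle change")
        elif who not in expected_users:
            out.append(f"{when} {name} by {who}: principal not in expected set")
    return out


if __name__ == "__main__":
    records = load_records(SAMPLE_LOG)
    print(s3_objects_using_key(records, KEY_ID))
    for line in findings(records, KEY_ID, {USER}):
        print(line)
```

The S3 PutObject itself is an object-level data event, which a default trail does not record, so in a trail like the one created in this lab the GenerateDataKey call in the encryption context is usually the only trace of the upload; matching it against the object's Last Modified timestamp is what ties the two together.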


Manage Encryption Keys

The last stage of the lab was to add and remove users for the key itself; there are other settings that can be played with here too, such as key rotation and disabling the key. To get there, go to the IAM section, then Encryption keys at the bottom left, click the key itself and open its settings. Adding or removing a user here rewrites the "Allow use of the key" statement of the key policy shown earlier, so the policy remains the authoritative record of who can use the key.

