AWS Key Management Service (KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.

In this lab we are going to use KMS to encrypt and decrypt plain text from the AWS CLI.

Requirements

  • AWS Account
  • AWS CLI Client installed

Steps

  • Create an IAM user to be the key administrator
  • Create an IAM user with programmatic access to be the key user
  • Create the KMS customer managed key
  • Encrypt plain text from the CLI

Hands-On

1. In AWS Management Console, go to IAM

2. Click on Users

3. Click on Add user

4. Give it a name, select AWS Management Console access, give it a password and click Next

5. Click on Next

6. Click on Next: Review

7. And click on Create user

8. Download the .csv credentials and click on Close

9. Click on Add user

10. Give it a name and select Programmatic access, click on Next

11. Click on Next

12. Click on Next: Review

13. And click on Create user

14. Download the .csv file and click on Close

15. Go to Key Management Service (KMS)

16. Select Customer managed keys

17. Click on Create key

18. Select Symmetric and click on Next

19. Give it an Alias and click on Next

20. Select the key administrator and click on Next

21. Select the key user and click on Next

22. Review the policy and click on Finish

23. Copy the Key ID and paste it in a secure place to use it later

24. From your console run aws configure. Paste the AWS Access Key ID and AWS Secret Access Key from the .csv file of the key user, then enter your region and output format

aws configure
AWS Access Key ID [None]: AKIAZDD5XRMMC3GOPGSS
AWS Secret Access Key [None]: gjesfbu9cmHw5Ujjs5SOvItgOPEh6RmoFP7fc/0P
Default region name [None]: us-east-2
Default output format [None]: json

25. Now let's encrypt "Hello World!" with the command aws kms encrypt

aws kms encrypt --key-id 525ae85b-8eb5-46bb-93a2-4fa398396445 --plaintext "Hello World!" --cli-binary-format raw-in-base64-out
{
    "CiphertextBlob": "AQICAHgpf76lxSiDpy1Dlp/cx+zzU35JyfZaXwTLbuh86/PEdQEcCld6GNUR1jbeF0ynQ7sfAAAAajBoBgkqhkiG9w0BBwagWzBZAgEAMFQGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQM5htoMbgsePyh1CqTAgEQgCdQTFS4j4ZmEnpEygfYghLu/RcppVaV0aY5cSAtf5mEilU47iR7+tc=",
    "KeyId": "arn:aws:kms:us-east-2:625181428504:key/525ae85b-8eb5-46bb-93a2-4fa398396445",
    "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"
}

26. Great, you have the CiphertextBlob and the KeyId. If you are only interested in the CiphertextBlob (our encrypted message) you can add --query CiphertextBlob

aws kms encrypt --key-id 525ae85b-8eb5-46bb-93a2-4fa398396445 --plaintext "Hello World!" --cli-binary-format raw-in-base64-out --query CiphertextBlob
"AQICAHgpf76lxSiDpy1Dlp/cx+zzU35JyfZaXwTLbuh86/PEdQHaq0ZYx/9cKV6VraZ2E9X2AAAAajBoBgkqhkiG9w0BBwagWzBZAgEAMFQGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMxlFYIkEuvYaKZMW1AgEQgCenGmWeobMiap3v/ySH5TYjYjPInEAimhhFvYv7eRCd2gWdHI3riMg="

27. Now if you want only the value you can add --output text

aws kms encrypt --key-id 525ae85b-8eb5-46bb-93a2-4fa398396445 --plaintext "Hello World!" --cli-binary-format raw-in-base64-out --query CiphertextBlob --output text
AQICAHgpf76lxSiDpy1Dlp/cx+zzU35JyfZaXwTLbuh86/PEdQFcAYVdnen+n2/gdp02baxpAAAAajBoBgkqhkiG9w0BBwagWzBZAgEAMFQGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMYaN8GMpjO/D+TbseAgEQgCdtL479c/BuYSqEZTls2G3/TmvGCGqgBLk9S7BKlZTlETUJnpZunvA=

28. This data is base64 encoded, so let's decode it

aws kms encrypt --key-id 525ae85b-8eb5-46bb-93a2-4fa398396445 --plaintext "Hello World!" --cli-binary-format raw-in-base64-out --query CiphertextBlob --output text | base64 -d
(raw binary output, not printable in the terminal)

29. As you can see, the decoded output is binary, so let's save it to a file in order to decrypt it

aws kms encrypt --key-id 525ae85b-8eb5-46bb-93a2-4fa398396445 --plaintext "Hello World!" --cli-binary-format raw-in-base64-out --query CiphertextBlob --output text | base64 -d > encryptedtext.txt

30. Now let's decrypt the text using aws kms decrypt

aws kms decrypt --ciphertext-blob fileb://encryptedtext.txt
{
    "KeyId": "arn:aws:kms:us-east-2:625181428504:key/525ae85b-8eb5-46bb-93a2-4fa398396445",
    "Plaintext": "SGVsbG8gV29ybGQh",
    "EncryptionAlgorithm": "SYMMETRIC_DEFAULT"
}

31. Let's get the Plaintext only, using --query

aws kms decrypt --ciphertext-blob fileb://encryptedtext.txt --query Plaintext
"SGVsbG8gV29ybGQh"

32. And get only the value, using --output text

aws kms decrypt --ciphertext-blob fileb://encryptedtext.txt --query Plaintext --output text
SGVsbG8gV29ybGQh

33. And let's decode it

aws kms decrypt --ciphertext-blob fileb://encryptedtext.txt --query Plaintext --output text | base64 -d
Hello World!

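The encrypt and decrypt steps above can be wrapped in a small script so the whole round trip is repeatable and the binary handling is done consistently. The script below is an added example, not code from the original post: it assumes AWS CLI v2, a key ID or alias supplied through the placeholder variable KMS_KEY_ID, and that the configured credentials have kms:Encrypt and kms:Decrypt on that key. It reads the plaintext with fileb:// instead of an inline string, so the --cli-binary-format flag used in the lab is not needed and the message never goes through shell quoting. The decrypt call passes no --key-id: a symmetric CiphertextBlob already carries the key ARN, as the KeyId field in step 30 shows.

```shell
# Added example (not from the original post). Assumes AWS CLI v2 and a key
# ID or alias in KMS_KEY_ID (placeholder: set it to your own key).
set -eu

# Encrypt the bytes of file $2 under key $1 and write the raw ciphertext
# blob to file $3. The CLI prints the blob base64 encoded, so it is decoded
# before being written, exactly as in step 29 of the lab.
kms_encrypt_file() {
  local key_id=$1 plain_file=$2 blob_file=$3
  aws kms encrypt \
    --key-id "$key_id" \
    --plaintext "fileb://$plain_file" \
    --query CiphertextBlob --output text | base64 -d > "$blob_file"
}

# Decrypt the raw blob in file $1 and print the recovered plaintext bytes.
# No --key-id: the blob names the key, the caller only needs kms:Decrypt.
kms_decrypt_file() {
  local blob_file=$1
  aws kms decrypt \
    --ciphertext-blob "fileb://$blob_file" \
    --query Plaintext --output text | base64 -d
}

# Round trip check: returns 0 when decrypt(encrypt(msg)) == msg, 1 otherwise.
kms_round_trip() {
  local key_id=$1 message=$2 work recovered
  work=$(mktemp -d)
  printf '%s' "$message" > "$work/plain.bin"
  kms_encrypt_file "$key_id" "$work/plain.bin" "$work/cipher.bin"
  recovered=$(kms_decrypt_file "$work/cipher.bin")
  rm -rf "$work"
  [ "$recovered" = "$message" ]
}

# Only call KMS when a key is configured, so the file is safe to source.
if [ -n "${KMS_KEY_ID:-}" ]; then
  kms_round_trip "$KMS_KEY_ID" "Hello World!" && echo "round trip OK"
fi
```

Run it as KMS_KEY_ID=alias/your-alias sh script.sh (the alias and file name are placeholders). Every call made by this script is recorded in CloudTrail as an Encrypt or Decrypt event against the key, which is the log trail the introduction refers to.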
Great, now you know how to use AWS KMS keys. In the next post we will go deeper into the AWS services.

Clean-Up

1. Remove the CLI credentials

rm ~/.aws/credentials
rm ~/.aws/config

2. In AWS Management Console go to KMS

3. Click on Customer managed keys

4. Select the KMS Key, click on Key actions, and click on disable

5. Confirm

6. Click again on Key actions and select Schedule key deletion

7. Set the waiting period to 7 days and confirm

8. You will see the Status is Pending deletion

9. Go to IAM

10. Click on Users

11. Select the users we created for this lab and click on Delete user

12. Confirm