Server-Side Encryption with KMS Managed Keys (SSE-KMS)

Contents

SAA-C03 Introduction
1
Encryption (SAA-C03) Introduction
PREVIEW2m 32s
Key Management Service (KMS)
2
What is KMS?
PREVIEW8m 25s
3
Components of KMS
PREVIEW11m 6s
4
Understanding Permissions & Key Policies
24m 6s
5
Key Management
13m 59s
6
Sharing CMKs Across Multiple AWS Accounts
PREVIEW14m 4s
S3 Encryption Mechanisms
10
Overview of Encryption Mechanisms
PREVIEW2m 2s
SAA-C03 Review
20
Encryption Summary
4m 59s

The course is part of this learning path

AWS Solutions Architect – Associate (SAA-C03) Certification Preparation for AWS
11
17
25
1
Start course
Overview
Difficulty
Beginner
Duration
2h 12m
Students
1433
Ratings
4.5/5
starstarstarstarstar-half
Description

This section of the Solution Architect Associate learning path introduces you to the core encryption concepts and services relevant to the SAA-C03 exam. We overview the AWS encryption options and how to select and apply AWS encryption services to meet relevant situations and scenarios. 

Want more? Try a lab playground or do a Lab Challenge!

Learning Objectives

  • Learn the fundamentals of Amazon's Key Management Service (KMS), including permissions, key policies, and key management
  • Learn how the AWS Secrets Manager is used to implement security best practices by protecting secrets such as database credentials and API keys
  • Learn the fundamentals of CloudHSM, how it's implemented, and how to use it as a Custom Key Store in KMS
  • Learn how to implement server-side and client-side encryption
Transcript

Server-Side Encryption with KMS managed keys, SSE-KMS. The encryption process is as follows. Firstly, a client uploads object data to S3. S3 then requests data keys from a KMS-CMK. Using the specified CMK, KMS generates two data keys, a plain text data key and an encrypted version of the same data key. These two keys are then sent back to S3. S3 then combines the object data and the plain text data key to perform the encryption. This creates an encrypted version of the object data which is then stored on S3 along with the encrypted data key. The plain text data key is then removed from memory. The decryption process is as follows. A request is made by the client to S3 to retrieve the object data. S3 sends the associated encrypted data key of the object data to KMS. KMS then uses the correct CMK with the encrypted data key to decrypt it and create a plain text data key. This plain text data key is then sent back to S3. The plain text data key is then combined with the encrypted object data to decrypt it. This decrypted object data is then sent back to the client.

About the Author
Avatar
Stuart Scott
AWS Content Director
Students
218516
Labs
1
Courses
214
Learning Paths
174

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.