Client-Side Encryption with KMS Managed Keys (CSE-KMS)

Contents

Amazon S3
1
Overview of Amazon S3
PREVIEW10m 49s
2
Storage Classes
PREVIEW12m 35s
S3 Management Features
3
Versioning
PREVIEW5m 19s
4
Server-Access Logging
6m 48s
5
Object-Level Logging
2m 31s
6
Transfer Acceleration
2m 15s
Start course
Overview
Difficulty
Beginner
Duration
1h 3m
Students
2275
Ratings
4.7/5
starstarstarstarstar-half
Description

This course provides detail on the AWS Storage services relevant to the Developer - Associate exam.

Want more? Try a lab playground or do a Lab Challenge!

Learning Objectives

  • An overview of Amazon S3
  • An understanding of storage classes
  • S3 versioning
  • Server-access logging
  • Object-level logging
  • Transfer Acceleration
  • Implementing access control policies
  • Cross-Origin Resource Sharing (CORS)
  • Encryption mechanisms, including:
    • SSE-S3
    • SSE-KMS
    • SSE-C
    • CSE-KSM
    • CSE-C
Transcript

Client-Side Encryption with KMS Managed Keys, CSE-KMS. The encryption process is as follows. Using an AWS SDK, such as the Java client, a request is made to KMS for Data Keys that are generated from a specific CMK. This CMK is defined by providing the CMK-ID in the request. KMS will then generate two Data Keys from the specified CMK. One key will be a Plaintext Data Key. The second will be a Cipher blob of the same Data Key. Both keys are then sent back to the client. The client will then combine the Object Data with the Plaintext Data Key to create an encrypted version of the Object Data. The client then uploads both the encrypted Object Data and the Cipher blob version of the Data Key to S3. S3 will then store the encrypted Object Data and associate the Cipher blob Data Key as Metadata of the encrypted Object Data. The decryption process is as follows. A request is made by the client to S3 to retrieve the Object Data. S3 sends both the encrypted Object Data and the Cipher blob back to the client. Using an AWS SDK, such as the Java client, the Cipher blob Data Key is sent to KMS. KMS combines the Cipher blob Data Key with the corresponding CMK to produce the Plaintext Data Key. This Plaintext Data Key is then sent back to the client and the Plaintext Data Key is then used to decrypt the encrypted Object Data.

About the Author
Avatar
Stuart Scott
AWS Content Director
Students
218887
Labs
1
Courses
213
Learning Paths
174

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.

Covered Topics

StorageAmazon Web ServicesStorage for AWSAmazon S3Amazon S3 Glacier