hands-on lab

Configuring Access to AWS KMS Keys

Up to 1h
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


AWS Key Management Service (KMS) is a service that allows you to create and manage cryptographic keys in the public AWS cloud. Using these keys you can secure your data by encrypting it when it's stored and decrypting it on demand.

Learning how to securely manage access to AWS KMS keys is an important part of building secure well-architected systems using AWS. By learning about the options available, you will be more confident about the security posture of your data.

In this hands-on lab, you will see how to use key policies and grants to control access to a KMS key.

Learning objectives

Upon completion of this beginner-level lab, you will be able to:

  • Enable a KMS key
  • Encrypt data using a Python AWS Lambda function
  • Create a grant for a KMS key using the AWS CLI

Intended audiences

  • Candidates for the AWS Certified DevOps Engineer Professional certification
  • Cloud Architects
  • Data Engineers
  • DevOps Engineers
  • Software Engineers


Familiarity with the following will be beneficial but is not required:

  • AWS Key Management Service (KMS)
  • AWS Lambda
  • AWS Identity and Access Management (IAM)
  • The Python scripting language

The following content can be used to fulfill the prerequisites:

Environment before

Environment after

About the author

Learning paths

Andrew is a Labs Developer with previous experience in the Internet Service Provider, Audio Streaming, and CryptoCurrency industries. He has also been a DevOps Engineer and enjoys working with CI/CD and Kubernetes.

He holds multiple AWS certifications including Solutions Architect Associate and Professional.

Covered topics

Lab steps

Logging In to the Amazon Web Services Console
Using the AWS Key Management service
Examining the AWS Lambda function
Allowing access with an AWS KMS key policy
Granting access to use a KMS key
Granting the CreateGrant permission