Creating a Customer Master Key (CMK)

Lab Steps

Logging in to the Amazon Web Services Console
Learning important Key Management Service (KMS) terms
Creating a Customer Master Key (CMK)
Encrypting S3 Data using Server-Side Encryption with KMS Managed Keys (SSE-KMS)
Enforcing S3 Encryption Using Bucket Policies
Need help? Contact our support team

Here you can find the instructions for this specific Lab Step.

If you are ready for a real environment experience please start the Lab. Keep in mind that you'll need to start from the first step.


In this lab step you will manually create a Customer Master Key (CMK) using the AWS Console. This is accomplished from the Key Management Service (KMS) section of the console.



1. In the AWS Management Console search bar, enter KMS, and click the KMS result under Services:



2. Select Customer managed keys in the left pane of the KMS console.

Warning: Cloud Academy cleans up the lab environment for you after a lab is completed or terminated. As a precaution, AWS prevents keys from being deleted immediately. Rather, they are queued for deletion, and an expiration period is set (of 7-30 days). For this reason, you may see residual keys from other students within the last week. For this reason, you may need to append a unique number to the Alias field in the next instruction.


3. Click Create Key, then expand Advanced Options and set the following values:

  • Key typeSymmetric (Symmetric keys are suitable for most data encryption applications. The same key is used for both encrypt and decrypt operations with symmetric key algorithms.)
  • Key usageEncrypt and decrypt
  • Advanced options:
    • Key Material Origin:  Leave as KMS (default). AWS will generate the key material for encryption. Note that another common use case is for customers to generate their own keys, and have AWS keep a back up encrypted copy and help manage them with KMS.
    • Regionality: Single-Region key



4. Click Next to advance to the Add Labels page of the wizard.


5. Set the following values before clicking Next (leave the default values for other fields)

  • Aliascalabs-CMK-key (Append a unique number to the key's Alias if needed to be unique. For example, calabs-CMK-key2.)
  • Description


6. Click Next to advance to Define Key Administrative Permissions and leave the default values.

Administrative permissions allow users and roles to administer CMKs but not to perform cryptographic operations. In production environments, this is sometimes used to easily grant limited access to other users. The Allow key administrators to delete this key checkbox makes it explicit if deleting keys is allowed, since the key can't be recovered once deleted, making recovery of encrypted data impossible. Note that key deletion is not immediate and first enters into a pending state before the key is deleted. The delete operation can be canceled while in the pending state.

These settings generate a key policy. The default policy allows IAM policies to grant access the key, which is why you don't require selecting your student user as an administrator. The lab IAM policy of your student user allows you to perform the required actions of the lab.


7. Click Next to advance to Define Key Usage Permissions.

Usage permissions grant access to perform cryptographic operations such as encrypting and decrypting. Enterprises usually have different permissions for administrators and users, hence the wizard walks you through defining both.

Notice that you can grant access to the key so other AWS accounts can use it for encryption/decryption. 


8. Click Next to preview the key policy and then click Finish when ready.  

The CMK is created.


9. Confirm the key created correctly and that the Status is Enabled:




In this lab step, you learned how to manually create a Customer Master Key from the AWS console. However, in production, different policies typically need to be configured. (Rather than leaving them as the default/blank.)