Amazon Web Services Key Management Service (KMS) is a managed service that simplifies the creation and management of encryption keys used to encrypt/decrypt your data. Most storage-related AWS services are supported by KMS, including:
This lab will include examples of encrypting EBS volumes and S3 buckets. It's important to understand that once encryption is set up, it is transparent from a user's perspective. For example, if you look at a text file on an encrypted volume, it is readable. That is because the encryption is not applied file by file, with some files encrypted and some not; it takes place at a lower level (the operating system level), and when you view a text file the decrypted content is displayed. Similarly, for S3 object storage, you can still view text files, images, etc. What volume encryption protects against is someone gaining physical access to the drive that holds the encrypted data. Without the Customer Master Key (CMK), they cannot decrypt the contents.
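Because the encryption is transparent, the only way to confirm that a volume or bucket is actually protected under your CMK is to inspect its metadata. The following added example (not part of the lab) checks the shapes returned by boto3's `describe_volumes` and `get_bucket_encryption` calls; the volume records, bucket configuration and key ARN are constructed sample data so the check runs offline.

```python
# Added example (not part of the lab): audit which EBS volumes and S3 buckets are
# encrypted under KMS, using the shapes returned by the boto3 describe_volumes and
# get_bucket_encryption calls. The records below are constructed sample data so the
# check runs offline; in practice you would feed it the live API responses.

def audit_volumes(volumes, required_key_arn=None):
    """Return (volume_id, reason) for each volume that fails the encryption policy.

    `volumes` is the "Volumes" list from ec2.describe_volumes(). A volume fails if
    it is unencrypted, or (when required_key_arn is given) if it is encrypted under
    a different key than the CMK you expect.
    """
    findings = []
    for v in volumes:
        if not v.get("Encrypted"):
            findings.append((v["VolumeId"], "not encrypted"))
        elif required_key_arn and v.get("KmsKeyId") != required_key_arn:
            findings.append((v["VolumeId"], f"encrypted with unexpected key {v.get('KmsKeyId')}"))
    return findings


def bucket_uses_kms(encryption_config):
    """True if the bucket's default encryption rule uses SSE-KMS (aws:kms).

    `encryption_config` is the "ServerSideEncryptionConfiguration" dict from
    s3.get_bucket_encryption(); None means the bucket has no default encryption.
    """
    if not encryption_config:
        return False
    for rule in encryption_config.get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            return True
    return False


# Constructed sample data (placeholder account and key IDs; not a real key).
CMK_ARN = "arn:aws:kms:us-west-2:111122223333:key/00000000-0000-0000-0000-000000000000"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": True, "KmsKeyId": CMK_ARN},
    {"VolumeId": "vol-0b2", "Encrypted": False},
    {"VolumeId": "vol-0c3", "Encrypted": True, "KmsKeyId": "arn:aws:kms:us-west-2:111122223333:key/other"},
]
SAMPLE_BUCKET_CONFIG = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK_ARN}}]}

if __name__ == "__main__":
    for vol_id, reason in audit_volumes(SAMPLE_VOLUMES, CMK_ARN):
        print(f"{vol_id}: {reason}")
    print("bucket default encryption uses KMS:", bucket_uses_kms(SAMPLE_BUCKET_CONFIG))
```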
Although it is not the focus of this lab, realize that even though KMS is integrated with many AWS services, it can also be used without them. What good does that do, you might ask? Consider the following use case: an internally developed banking application that uses no AWS services or infrastructure. Even though the application runs on infrastructure in the company's own data centers and uses encryption keys with key material they generated themselves, there may be many keys to manage. You can generate your own key material, and KMS can store and manage all of it, including helpful maintenance functions such as key rotation and scheduled key deletion. Even if someone gains physical access to the disk arrays in the data center, they will not be able to access the data; they would need the encrypted keys that were uploaded to and are managed by AWS KMS.
Upon completion of this lab you will be able to:
This is an intermediate-level lab. Although it walks you through all steps in the learning process, you should be familiar with the following:
The following courses can be used to fulfill the prerequisites:
Before completing the lab instructions the environment will look as follows:
After completing the lab instructions the environment should look similar to:
October 30th, 2022 - Updated instructions and screenshots to match the new EC2 instance creation wizard etc.
February 2nd, 2022 - Removed the step about using your own key material after refactoring it into another lab
June 4th, 2021 - Updated the instructions to get to the full CloudTrail creation workflow
May 14th, 2020 - Updated the instructions/screenshots for the CloudTrail creation
February 3rd, 2020 - Added custom validation steps to check the work you perform in the lab
January 6th, 2020 - Updated content for creating a Customer Master Key to reflect the latest KMS console experience
August 12th, 2019 - Updated a lab step to reflect new AWS Management Console structure
January 10th, 2019 - Added a validation lab step to check the work you perform in the lab
Greg has been a consistent high performer for pioneering technologies in the wireless web industries with an illustrious career that is a testament to his breadth of knowledge. Dabbling with MS Azure, at Cloud Academy, Greg really thrives on evangelizing the benefits of Amazon Web Services. A dedicated and passionate professional who learns new and emerging technologies quickly, Greg always ensures the highest quality and caliber of everything he produces.