CloudAcademy

Using Amazon Key Management Service to Encrypt S3 and EBS Data

The hands-on lab is part of these learning paths:

  • Security - Specialty Certification Preparation for AWS
  • Scenario: Migrating From an End-of-Life Data Center to AWS
  • Big Data – Specialty Certification Preparation for AWS
  • AWS Security Services
  • AWS Access & Key Management Security
  • DevOps Engineer – Professional Certification Preparation for AWS

Lab Steps

  • Logging in to the Amazon Web Services Console
  • Learning important Key Management Service (KMS) terms
  • Turning on CloudTrail and logging to S3 with Encryption
  • Creating a Customer Master Key (CMK)
  • Launching a basic EC2 Instance
  • Creating an Encrypted EBS Volume
  • Disabling the Customer Master Key
  • Creating and Importing your own Customer Master Key

Difficulty: Intermediate
Duration: 1h 30m

Description

Amazon Key Management Service along with S3 and EBS data encryption

Lab Overview

Amazon Web Services Key Management Service (KMS) is a managed service that simplifies creating and managing the encryption keys used to encrypt and decrypt your data. The keys it manages are called Customer Master Keys (CMKs) throughout this lab (AWS now calls them KMS keys). Most AWS storage services integrate with KMS, including:

  • EBS (Elastic Block Store)
  • S3 (Simple Storage Service)
  • Redshift
  • RDS (Relational Database Service)

This lab includes examples of encrypting EBS volumes and S3 buckets. It is important to understand that once encryption is set up, it is transparent from a user's perspective. If you open a text file on an encrypted volume it is readable, because encryption is not applied file by file with some files encrypted and others not. For EBS, every block written to the volume is encrypted on the server that hosts the instance, outside the guest operating system, using a data key that is itself encrypted under the CMK; the instance only ever sees plaintext. Similarly for S3 objects encrypted with SSE-KMS: a principal that is allowed to read the object and to use the CMK gets the decrypted object back from an ordinary GET, so text files, images and so on still display normally. What this protects against is someone who obtains the underlying storage media, or a copy of the encrypted data such as a snapshot, without being able to use the CMK: without it they cannot decrypt the contents. It does not protect data from anyone who can already reach it through the running instance or through an IAM principal permitted to use the key, which is why the key policy and the IAM policies around the CMK matter as much as turning encryption on.

Although not the focus of this lab, note that while KMS is integrated with many AWS services, it can also be used without any of them. Consider an internally developed banking application that runs entirely in the company's own data centers. Even there, the application may have many encryption keys to manage. The application can call the KMS API directly over HTTPS, using IAM credentials, to generate data keys and to decrypt them again, and you can supply your own key material for the CMKs (generated, for example, on an on-premises HSM) by importing it. KMS then stores and manages that key material, with key policies controlling who may use it, CloudTrail recording every use, and scheduled key deletion. Two caveats apply to imported key material: automatic key rotation is not available for such CMKs (you rotate by creating a new CMK and importing new material), and you must keep your own copy of the material, because KMS never exports it and cannot recreate it if it expires or is deleted. If someone gains physical access to the disk arrays in the data center they see only ciphertext and data keys encrypted under the CMK, and decrypting those requires permission to call KMS with that CMK.
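The envelope-encryption pattern described above, as an added, offline illustration rather than code from the lab or from AWS: a `KeyService` class stands in for KMS (GenerateDataKey, Decrypt, DisableKey, EnableKey and ImportKeyMaterial), `EncryptedVolume` stands in for an encrypted EBS volume, and an HMAC-SHA256 counter-mode stream cipher stands in for the AES that EBS actually uses. The key identifiers, file paths and file contents are constructed. The `demo` function walks the lab's own sequence: encrypt under a CMK, confirm the plaintext is not on the "disk", disable the CMK and see the volume become unusable, re-enable it, then repeat with key material imported from outside the service.

```python
"""Offline model of KMS envelope encryption (added illustration, not AWS or lab code).
KeyService stands in for KMS, EncryptedVolume for an encrypted EBS volume, and an
HMAC-SHA256 counter-mode stream cipher stands in for AES. Sample data is constructed."""
import hashlib
import hmac
import secrets

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: stands in for AES-CTR, not for production use.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || tag || ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class KeyDisabled(Exception):
    """Where real KMS returns DisabledException (or an invalid-state error while pending import)."""

class KeyService:
    """Minimal KMS stand-in: master key material is held here and never returned to callers."""
    def __init__(self):
        self._keys = {}  # key_id -> {"material": bytes or None, "enabled": bool}
    def create_key(self, origin="AWS_KMS"):
        """origin='EXTERNAL' mirrors CreateKey --origin EXTERNAL: no material until imported."""
        key_id = "cmk-" + secrets.token_hex(4)  # constructed identifier, not an AWS key id
        material = secrets.token_bytes(32) if origin == "AWS_KMS" else None
        self._keys[key_id] = {"material": material, "enabled": True}
        return key_id
    def import_key_material(self, key_id, material):
        # Real KMS requires the material wrapped with an RSA key it issued; omitted here.
        if self._keys[key_id]["material"] is not None:
            raise ValueError("key was not created with origin EXTERNAL")
        self._keys[key_id]["material"] = material
    def set_enabled(self, key_id, enabled):
        self._keys[key_id]["enabled"] = enabled
    def _master(self, key_id):
        entry = self._keys[key_id]
        if not entry["enabled"] or entry["material"] is None:
            raise KeyDisabled(key_id)
        return entry["material"]
    def generate_data_key(self, key_id):
        """Returns (plaintext data key, the same key wrapped under the CMK)."""
        data_key = secrets.token_bytes(32)
        return data_key, seal(self._master(key_id), data_key)
    def decrypt(self, key_id, wrapped_data_key):
        return unseal(self._master(key_id), wrapped_data_key)

class EncryptedVolume:
    """One data key per volume; only the wrapped copy is persisted next to the ciphertext."""
    def __init__(self, kms, key_id):
        self.kms, self.key_id = kms, key_id
        self._data_key, self.wrapped_key = kms.generate_data_key(key_id)
        self.disk = {}  # path -> sealed bytes: everything a stolen drive would contain
    def attach(self):  # the plaintext data key exists only while the volume is attached
        self._data_key = self.kms.decrypt(self.key_id, self.wrapped_key)
    def detach(self):
        self._data_key = None
    def write(self, path, data):
        self.disk[path] = seal(self._data_key, data)
    def read(self, path):  # transparent to the guest OS: plaintext comes back
        return unseal(self._data_key, self.disk[path])

SECRET = b"account=12345 balance=9000"  # constructed sample file content

def demo():
    kms = KeyService()
    key_id = kms.create_key()
    vol = EncryptedVolume(kms, key_id)
    vol.write("/data/ledger.txt", SECRET)
    out = {"transparent_read": vol.read("/data/ledger.txt"),
           "plaintext_on_disk": any(SECRET in blob for blob in vol.disk.values())}
    vol.detach()
    kms.set_enabled(key_id, False)  # lab step: disable the CMK; the volume cannot be re-attached
    try:
        vol.attach()
        out["attach_while_disabled"] = "attached"
    except KeyDisabled:
        out["attach_while_disabled"] = "KeyDisabled"
    kms.set_enabled(key_id, True)
    vol.attach()
    out["read_after_enable"] = vol.read("/data/ledger.txt")
    ext_id = kms.create_key("EXTERNAL")  # bring-your-own-key: material generated outside the service
    kms.import_key_material(ext_id, hashlib.sha256(b"constructed offline key material").digest())
    ext_vol = EncryptedVolume(kms, ext_id)
    ext_vol.write("/data/note.txt", b"hello")
    out["imported_key_read"] = ext_vol.read("/data/note.txt")
    return out
```

The point to take from the model is where the keys live: the CMK material never leaves `KeyService`, the volume persists only the wrapped data key beside the ciphertext, and the plaintext data key exists only while the volume is attached. Disabling the CMK does not touch data already readable on an attached volume; it stops the next attach, snapshot copy or restore that would need KMS to unwrap the data key, which is exactly what the lab's "disable the CMK" step is meant to show.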

Lab Objectives

Upon completion of this lab you will be able to:

  • Explain key terms surrounding AWS KMS
  • Create a new Customer Master Key (CMK) using AWS KMS 
  • Use the CMK to encrypt an EBS volume and attach that to a running EC2 instance for use
  • Turn on CloudTrail for auditing purposes and deliver its logs to an encrypted S3 bucket
  • Generate key material outside AWS, import it into a CMK, and use that CMK to encrypt an EBS volume
  • Disable and enable CMKs
  • Confirm that encryption is turned on and working
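The CloudTrail objective above depends on the CMK's key policy allowing the CloudTrail service to use the key for the trail's log files. The statements below are an added example of the shape AWS documents for that, not a policy taken from the lab; the account ID 111122223333, the region us-east-1 and the trail name lab-trail are placeholders. They go into the key policy's Statement array next to the key administrator statement the console generates.

```json
[
  {
    "Sid": "Allow CloudTrail to encrypt logs",
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "kms:GenerateDataKey*",
    "Resource": "*",
    "Condition": {
      "StringEquals": {"aws:SourceArn": "arn:aws:cloudtrail:us-east-1:111122223333:trail/lab-trail"},
      "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111122223333:trail/*"}
    }
  },
  {
    "Sid": "Allow CloudTrail to describe key",
    "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": "kms:DescribeKey",
    "Resource": "*"
  },
  {
    "Sid": "Allow principals in the account to decrypt log files",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["kms:Decrypt", "kms:ReEncryptFrom"],
    "Resource": "*",
    "Condition": {
      "StringEquals": {"kms:CallerAccount": "111122223333"},
      "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111122223333:trail/*"}
    }
  }
]
```

The encryption-context conditions are the part worth understanding: they restrict both the service grant and the in-account decrypt grant to ciphertexts CloudTrail produced for a trail in this account, so the same CMK cannot be turned into a general-purpose decrypt oracle by a principal who merely matches the account condition. The CMK must be in the same region as the bucket that receives the logs, and the bucket policy still has to allow cloudtrail.amazonaws.com to call s3:GetBucketAcl and s3:PutObject. To satisfy the last objective, confirm the result rather than trusting the console: aws s3api head-object on a delivered log file should report ServerSideEncryption as aws:kms together with the SSEKMSKeyId, and aws ec2 describe-volumes for the lab volume should show "Encrypted": true with the CMK's KmsKeyId.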

Lab Prerequisites

This is an intermediate level lab. Although it walks you through all steps in the learning process, you should be familiar with the following:

  • Basic understanding of security concepts such as encryption/decryption and security keys
  • EC2 instances
  • EBS volumes
  • S3 buckets
  • IAM (Identity and Access Management) roles, policies, and permissions

Lab Environment

Before completing the lab instructions the environment will look as follows:

  • A temporary role will be created for you so you can read from/write to an S3 bucket from a running EC2 instance

After completing the lab instructions the environment should look similar to:

About the Author


Greg has been a consistent high performer for pioneering technologies in the wireless web industries with an illustrious career that is testament to his breadth of knowledge. Dabbling with MS Azure, at Cloud Academy, Greg really thrives on evangelizing the benefits of Amazon Web Services. A dedicated and passionate professional who learns new and emerging technologies quickly, Greg always ensures the highest quality and calibre of everything he produces.