AWS Key Management Service

Hands-On Demo

Agenda

  1. Create a customer managed key (CMK) in AWS KMS
  2. Create an S3 bucket and enable default encryption with the KMS key
  3. Upload an object to the S3 bucket and verify encryption
  4. Test access to the encrypted object
  5. Create 2 additional users, 1 with access to KMS and 1 without
  6. Test these 2 users' access
  7. Clean up resources

Demo Overview

Create Customer-managed key

Advanced options

my-s3-encryption-key

Tags - optional

Review

Key policy

Create S3 bucket

my-encrypted-bucket-340923

Default encryption

Create bucket

Create a Test File 

echo "kms encryption test file" > encryption-test-file.txt

Upload to S3 Bucket

Server-side encryption settings

Open the File

View in Browser

Test

Create an S3 Admin User - 2nd User

S3-Admin-User

Assign S3 Full Access 

AmazonS3FullAccess

Login with S3 User 

S3-Admin-User

Go to S3 Bucket

Open the file 

Access Denied for S3 User

S3-KMS-Admin-User

Create a KMS User - 3rd User 

AmazonS3FullAccess

Create user

S3-KMS-Admin-User

Assign S3-KMS-Admin-User as Key User for the Key

Login with KMS User

S3-KMS-Admin-User

Open the test file 

Success because KMS User has Key Usage Permission 
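The two access tests above come down to the key policy: AmazonS3FullAccess grants S3 actions only, and S3 has to call KMS (kms:GenerateDataKey on upload, kms:Decrypt on download) in the caller's context, so the caller also needs usage permission on the CMK. The following added example (not code from this demo) builds the key policy in the shape the KMS console generates when a principal is added as a "Key user", the default-encryption rule for the bucket, and a deliberately simplified evaluator that shows S3-Admin-User denied and S3-KMS-Admin-User allowed. The account id, region, key id and user ARNs are constructed placeholders; the evaluator only reads Allow statements in the key policy and ignores Deny, conditions and IAM identity policies (in a real account, the root statement also lets IAM policies grant KMS actions, which AmazonS3FullAccess does not do).

```python
"""Added example: model the demo's key policy and bucket default encryption,
and show why S3 full access alone does not let a user read an SSE-KMS object.
Not code from the deck; all ids and ARNs below are constructed placeholders."""
import fnmatch
import json

ACCOUNT_ID = "111122223333"                       # placeholder account id
REGION = "us-east-1"                              # assumed region
KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"   # placeholder key id
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/{KEY_ID}"
BUCKET = "my-encrypted-bucket-340923"

S3_ADMIN = f"arn:aws:iam::{ACCOUNT_ID}:user/S3-Admin-User"          # 2nd user
S3_KMS_ADMIN = f"arn:aws:iam::{ACCOUNT_ID}:user/S3-KMS-Admin-User"  # 3rd user

# Actions the KMS console grants to a "Key user"; S3 needs GenerateDataKey
# when writing an SSE-KMS object and Decrypt when reading one.
KEY_USER_ACTIONS = [
    "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
    "kms:GenerateDataKey*", "kms:DescribeKey",
]


def key_policy(key_users):
    """Key policy as the console generates it: the account root keeps full
    control, and each principal listed as a key user gets the usage actions."""
    statements = [{
        "Sid": "Enable IAM User Permissions",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "kms:*",
        "Resource": "*",
    }]
    if key_users:
        statements.append({
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {"AWS": list(key_users)},
            "Action": KEY_USER_ACTIONS,
            "Resource": "*",
        })
    return {"Version": "2012-10-17", "Statement": statements}


def bucket_encryption_config(key_arn):
    """Default-encryption rule for the bucket: SSE-KMS with the CMK above.
    This is the structure S3's PutBucketEncryption API expects."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": key_arn,
        },
    }]}


def key_policy_allows(policy, principal_arn, action):
    """Simplified evaluator: does any Allow statement name this principal
    exactly and match the action (with '*' globbing)? Deny statements,
    conditions and IAM identity policies are deliberately ignored."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        principals = stmt["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        if principal_arn not in principals:
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            return True
    return False


def can_read_object(policy, principal_arn):
    """Reading an SSE-KMS object requires S3 to call kms:Decrypt on the
    caller's behalf, so the caller must be allowed that action on the key."""
    return key_policy_allows(policy, principal_arn, "kms:Decrypt")


def demo():
    """Reproduce the two tests from the demo against one key policy in which
    only S3-KMS-Admin-User was added as a key user."""
    policy = key_policy(key_users=[S3_KMS_ADMIN])
    return {
        "S3-Admin-User": can_read_object(policy, S3_ADMIN),
        "S3-KMS-Admin-User": can_read_object(policy, S3_KMS_ADMIN),
    }


if __name__ == "__main__":
    print(json.dumps(key_policy([S3_KMS_ADMIN]), indent=2))
    print(json.dumps(bucket_encryption_config(KEY_ARN), indent=2))
    print(demo())  # {'S3-Admin-User': False, 'S3-KMS-Admin-User': True}
```

The printed key policy is what you would paste into the CMK's key policy editor (or pass as the Policy argument when creating the key), and the encryption configuration is what the bucket's default encryption setting stores; the point of the evaluator is only to make the denied-versus-allowed outcome of the two logins explicit.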

Clean Up

Delete IAM Users

delete

Empty The S3 Bucket 

permanently delete

Delete S3 Bucket 

Delete KMS Key 

🙏 Thanks for Watching