Managed key management services provide straight-forward encryption solutions for your cloud-hosted data. With KMS encryption, you are not required to build, maintain, and secure your own key management infrastructure.

It’s important to understand that once setup is implemented, from a user’s perspective the encryption of data is transparent. For example, if you look at a text file on an encrypted volume, it is readable. That is because the encryption is not on a file-by-file basis, with some being encrypted and some that are not. Encryption takes place at a lower level (the operating system level). If you view a text file the decrypted file is displayed. Similarly, for S3 object storage, you can still view text files, images, etc.

What volume encryption protects against is if someone gains physical access to the drive with the encrypted data on it. If they don’t have the Customer Master Key (CMK), they cannot decrypt the contents. This is a good security practice and is mandatory by some regulations depending on the type of data.

In this lab, you will learn how to use the key management services of the three major cloud providers.

AWS Key Management Service

Amazon Web Services Key Management Service (KMS) is a managed service that simplifies the creation and management of encryption keys used to encrypt and decrypt your data. Most storage-related AWS services are supported by KMS, including EBS (Elastic Block Store), S3 (Simple Storage Service), Redshift, and RDS (Relational Database Service).

Amazon will bill you for any applicable AWS resources and time used that are not covered in the AWS Free Tier.

Part 1: Introduction to KMS

  1. In your browser, login to the AWS Management Console.
  2. In Services, select Key Management Service.
  3. IN the top right of the console, ensure the region is set to N. Virginia.
  4. Click Create a Key. Notice there are two options: symmetric or asymmetric. Since we will be using this with EBS, select Symmetric. Click Next.
  5. Name the key “Lab4-Key-USEast1”. Click Next. We will be using the root account, so click Next.
  6. Click Next. Notice the Key Policy. Click Finish. You have now created a KMS key.
  7. Notice that the Key spec is SYMMETRIC_DEFAULT. Click the information icon next to Key spec and notice the different encryption algorithms available for KMS.

Part 2: Encrypting EBS Data

  1. In Services, select EC2.
  2. Launch an EC2 instance using the Amazon Linux 2 AMI and the t2.micro type. Leave everything as default, except in Add Storage click Add New Volume. Enable Delete on Termination for the new EBS volume.
  3. Under Encryption, select the Lab4-Key-USEast1 key for the new EBS volume. Leave it as Not Encrypted.

    Previously it was the case that root device volumes could not be encrypted.

  4. Continue on with the launch steps as you normally would and launch the instance.
  5. Once the EC2 instance is running, select the instance and click Storage to view its storage details. Notice that there are two attached volumes and one is encrypted with a KMS key.
  6. Click on the Volume ID of the root volume. Click Actions. Click Modify Volume.

    Notice that the volume size, type, and consequently its IOPS (or input/output operations per second) can be modified, but not the encryption. The only way at this point to add encryption would be if you were to create a snapshot of the volume and copying it to a new instance you are launching and enabling encryption at that time.

Part 3: Encrypting S3 Data

Amazon Simple Storage Service (S3) is a service that provides object storage through a web service interface. Amazon S3 uses the same scalable storage infrastructure that Amazon.com uses to run its global e-commerce network.

  1. In Services, select S3.
  2. Click Create Bucket.
  3. In Bucket name, set a unique bucket name of your choice.
  4. Enable the Default encryption. In Encryption key type, select AWS Key Management Service key (SSE-KMS). In AWS KMS key, select AWS managed key (aws/s3). Click Create bucket.
  5. Click the newly created bucket to open it. Click Upload. Click Add files.
  6. Select a file from your local machine to upload and click Open. Click Upload. Once the upload has succeeded, click Exit.
  7. To confirm that the file was successfully encrypted, click the file to open it. Scroll down to Server-side encryption settings. Notice the KMS master key ARN that has been created to encrypt the file from the S3 bucket.
  8. Upload another file, but this time in the upload page after selecting the file, expand Additional upload options and scroll down to Server-side encryption settings.
  9. In Encryption settings, select Override default encryption bucket settings. In Encryption key type, select AWS Key Management Service key (SSE-KMS). In AWS KMS Key, select Choose from your KMS master keys and select Lab4-Key-USEast1 for the KMS master key.
  10. Scroll to the bottom and click Upload.
  11. Once the upload has succeeded, click Exit.
  12. To confirm that the file was successfully encrypted by the custom key, click the file to open it.
  13. Scroll down to Server-side encryption settings. Notice that in KMS master key ARN, a new master key ARN number has been created to override the S3 bucket policy.

    Notice that S3 bucket encryption policies override the settings of the folders within them. If you need to use separate encryption keys for some documents within a bucket, you will need to change the settings on each document individually.

  14. You are done with this lab. Terminate any instances and delete any file you uploaded to S3 that you no longer need.
  15. Please write up a paragraph answering the following questions.
    1. In step 5, why did we specify the region in the key’s Name?
    2. In step 6, in your own words what permissions did the key policy give?
    3. What encryption algorithm was used to encrypt the data? Would you recommend using it? Why or why not?
    4. Imagine a bank using an on-prem (using no cloud services or infrastructure) banking application. Even though the application uses infrastructure in their own data centers, and encryption keys with key material they generated themselves, there may be many keys to manage. What recommendations would you give to this bank if they are considering migrating to the cloud?

More Info