Lab 2 (Introduction to AWS Key Management)

This qwiklab gives a clear basic understanding of AWS Key Management Service (KMS).

This qwiklab covers the following topics:

  • Create an Encryption Key.
  • Create an S3 bucket with CloudTrail logging functions.
  • Encrypt data stored in an S3 bucket using an encryption key.
  • Monitor encryption key usage using CloudTrail.
  • Manage encryption keys for users and roles.

AWS KMS is a managed service that makes it easy for users to create and control the encryption keys used to encrypt their data. KMS is integrated with other AWS services, including Amazon S3, Amazon EBS, Amazon Redshift, Amazon WorkMail, Elastic Transcoder and Amazon RDS. KMS lets users create keys that never leave the service; data is encrypted and decrypted under those keys according to policies the users define, giving greater control over security.

AWS CloudTrail is a web service that records the Application Program Interface (API) calls made on a user's account and delivers log files to the user's Amazon S3 bucket. CloudTrail is useful because it records important information about every single API call: the name of the API, the identity of the caller, the time of the call, and the response elements returned by the AWS service. This helps users track the changes made to their AWS resources and troubleshoot operational issues.

Amazon Simple Storage Service (Amazon S3) is storage for the internet. The main purpose of this storage service is to make web-scale computing easier.
Note: Qwiklab 4 covers the S3 service in more depth.

Note: Each API request to AWS Key Management Service (outside of the free tier) costs $0.03 per 10,000 requests in US East (N. Virginia), US East (Ohio), US West (Oregon), US West (Northern California), Canada (Central), EU (Ireland), EU (Frankfurt), EU (London), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Mumbai) and South America (Sao Paulo), and $0.04 per 10,000 requests in AWS GovCloud (US). Within the free tier, usage up to a certain level is free for one year.

The images below guide you step by step through completing this lab.

Note: Make a note of the default region you are connected to. You will have to select the same region when you create the encryption key; otherwise, when you go to set permissions, you will not see the encryption key you created.

To create an encryption key, click on Services and then click on IAM.

[Image 1]

From the bottom left, select Encryption Keys and click on Get Started Now. Before you click Create Key, click on Filter (next to Create Key) and select the default region you noted at the beginning of the lab. Then click on Create Key to create a new encryption key.

You will see a screen like the one in the image below.
In the Alias text box, type testKeyOne.
In the Description text box, type KMS Key for S3 data and click on Next.

[Image 2]

Select awsstudent and click on Next to proceed to the next step.

[Image 3]

Select awsstudent and click on Next.

[Image 4]

Preview the key policy you created and click on Finish.

[Image 5]

The images below show how to create a CloudTrail trail.

To create a trail, click on Services and then click on CloudTrail in the services menu.

[Image 6]

On the CloudTrail page, click on Trails in the left navigation pane and click on Add new Trail.

[Image 8]

Give the trail any name you like; as you can see in the image below, I have used the name trailname12.
For Apply trail to all regions, select the No radio button.

[Image 9]

When you scroll down you will see an option called Create a new S3 bucket. Click on the Yes radio button and give a unique name for the bucket you are going to create. I have used testbucket9507072 as my bucket name, as you can see in the image below.

[Image 10]

To go to the bucket you created, click on Services in the AWS console and click on S3.

[Image 11]

As the image below shows, you will see the bucket that was created earlier. Click on the bucket.

[Image 13]

To upload a file into the bucket, click on the Upload button and a window will pop up. Choose the file from your computer, upload it, and then click on Next.

[Image 14]

Go with the default settings and click on Next.

[Image 15]

Under Set properties, select AWS Key Management Service Master Key (also known as AWS KMS master key) as the encryption option. From the master key drop-down box, select the key created earlier; the key I created was named testKeyOne.

[Image 16]

Click on Upload.

[Image 17]

Once the object has been uploaded into the bucket, click on it and check the details. Check the permission column to confirm it is set to the encryption key you chose.

[Image 18]

To monitor and manage KMS key usage, click on your bucket. As shown in the image below, you will see a folder called AWSLogs; click on it.

[Image 19]

Refresh to see the last modified date of the log (it may take up to 4 minutes).
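To see what the log files under AWSLogs record about the key, here is an added example (not part of the lab) that reads a CloudTrail log file in Python, keeps only the KMS events for one key, and summarizes who called which API and which attempts were denied. The log content, account id and key id are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample in the layout CloudTrail writes under AWSLogs/ in the
# trail's S3 bucket (a JSON object with a "Records" list). Account id and
# key id are placeholders, not real values.
KEY_ARN = "arn:aws:kms:us-west-2:111111111111:key/EXAMPLE-KEY-ID"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2017-06-01T10:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "awsstudent"}},
    {"eventTime": "2017-06-01T10:00:01Z", "eventSource": "kms.amazonaws.com",
     "eventName": "GenerateDataKey",
     "userIdentity": {"type": "IAMUser", "userName": "awsstudent"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2017-06-01T10:02:30Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt",
     "userIdentity": {"type": "IAMUser", "userName": "awsstudent"},
     "resources": [{"ARN": KEY_ARN}]},
    {"eventTime": "2017-06-01T10:05:12Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "awsstudent"},
     "resources": [{"ARN": KEY_ARN}]},
]})


def kms_events(log_text, key_arn):
    """Return the CloudTrail records that used, or tried to use, key_arn."""
    hits = []
    for rec in json.loads(log_text)["Records"]:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        if key_arn in {r.get("ARN") for r in rec.get("resources", [])}:
            hits.append(rec)
    return hits


def summarize_key_usage(log_text, key_arn):
    """Count successful calls per caller and API; list denied attempts."""
    calls, denied = Counter(), []
    for rec in kms_events(log_text, key_arn):
        who = rec["userIdentity"].get("userName", rec["userIdentity"]["type"])
        if "errorCode" in rec:
            denied.append((rec["eventTime"], who, rec["eventName"], rec["errorCode"]))
        else:
            calls[f"{who}:{rec['eventName']}"] += 1
    return {"calls": dict(calls), "denied": denied}
```

Run summarize_key_usage on a real log file's text (after gunzip) with your key's ARN; the denied list is where a removed key user's later attempts show up.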

[Image 20]

To manage the encryption keys, go to the AWS console and click on IAM.

[Image 7]

Click on Encryption Keys, which is at the bottom of the left navigation panel.

[Image 21]

In the Key Users section, select awsstudent and click on Remove.

[Image 22]

When you click on Remove, a dialog box appears; click on Yes, Remove to confirm.

[Image 23]

Click on the Add button again in the Key Users section, select awsstudent and click on Attach.

[Image 24]

In the image below you can see the user that we attached.
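As an added example (not from the lab), the Python below builds a key policy in the shape the wizard generated for awsstudent, applies the Remove and Attach steps above to the "Allow use of the key" statement, and checks which KMS actions the user is left with. The account id is a placeholder, the administrator action list is abridged, and the evaluation is a simplified check that ignores Deny statements, conditions and IAM identity policies.

```python
import copy
import fnmatch

# Constructed in the shape of the key policy the IAM console wizard writes
# (statement Sids and the "use of the key" action set follow the console's
# defaults; the administrator list is abridged). Account id is a placeholder.
ACCOUNT = "111111111111"
USE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"]
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Put*",
                 "kms:Disable*", "kms:ScheduleKeyDeletion"]

def user_arn(name):
    return f"arn:aws:iam::{ACCOUNT}:user/{name}"

def console_key_policy(admins, users):
    """Key policy with the three statements the wizard generates."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": [user_arn(u) for u in admins]},
         "Action": ADMIN_ACTIONS, "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [user_arn(u) for u in users]},
         "Action": USE_ACTIONS, "Resource": "*"},
    ]}

def set_key_users(policy, users):
    """Copy with the key-user principals replaced (what Remove/Attach edit)."""
    new = copy.deepcopy(policy)
    for st in new["Statement"]:
        if st["Sid"] == "Allow use of the key":
            st["Principal"]["AWS"] = [user_arn(u) for u in users]
    return new

def key_policy_allows(policy, principal_arn, action):
    """Simplified check: some Allow statement names the principal and one of
    its action patterns (glob '*') matches. Ignores Deny, Conditions and IAM
    identity policies, which real KMS authorization also evaluates."""
    for st in policy["Statement"]:
        principals = st["Principal"]["AWS"]
        if isinstance(principals, str):
            principals = [principals]
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (st["Effect"] == "Allow" and principal_arn in principals
                and any(fnmatch.fnmatchcase(action, a) for a in actions)):
            return True
    return False
```

After the Remove step the user keeps only the administrator actions (so DescribeKey still works but Decrypt does not), which is why key administrators and key users are separate sections in the console.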

[Image 25]

Conclusion
By the end of this lab you have learned how to:

  • Create an Encryption Key.
  • Create an S3 bucket with CloudTrail logging functions.
  • Encrypt data stored in an S3 bucket using an encryption key.
  • Monitor encryption key usage using CloudTrail.
  • Manage encryption keys for users and roles.