aws kms key with s3 - how to use aws kms key to encrypt data - aws kms s3 demo

Topics to cover in this 

  1. what is kms ?
  2. types of kms ?
  3. create 2 IAM users with s3 full permission
  4. how to create kms key 
  5. create S3 bucket 
  6. configure both users with aws-cli
  7. verify both users access with s3
  8. how to enable encryption on s3 bucket 
  9. verify 


what is kms 

aws key management service (aws kms ) is a managed service - here managed service means kms is managed by aws, not by us like kms key update, policy update, kms backup

kms key provides the next level of security to our data by providing encryption to data

kms key helps us to manage our data securely and also reduce the burden of managing user access with IAM policy or s3 bucket policy 

In simple words, key management services or kms help us to encrypt and decrypt the data 


types of kms 

we have 2 types of kms key provided by aws 

  1. symmetric - a single encryption key used for both encrypt and decrypt the data 
  2. asymmetric - a public and private key pair that can be used to encrypt/decrypt the data. 

create 2 IAM users with s3 full permission 

login to aws console 
go to service and in the search tab look for IAM 
from the dashboard select user - select programmatic access
create 2 users and give both s3 full permission 
make sure to download the access key and secret key and store it in a secure location 

how to create kms key 

login to aws console - select the region 
go to service and in the search tab look for kms 
in kms on the left side 3 options are there -
  1. aws managed keys
  2. customer-managed keys 
  3. customer key store
select the customer-managed keys
in this demo will use symmetric key - select symmetric
in the advance key section select the kms 
regionality leave default 
in the next windows 3 options to fill 
  1. alias - recommended giving some alias name 
  2. description - recommended giving some description ( optional field ) 
  3. Tags - recommended giving some tags name ( optional field ) 
in the next screen select the key administrator - here need to give the user/group/role who administer access to this policy 

The next tab is for key deletion (optional field ) 
next need to select key permissions - here need to select users for whom kms access require 

verify the key policy 

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::aws-account-id:username"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam:::user/username"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        }
    ]
}


finish 


create s3 bucket 


login to aws console - select the region 
go to service and in the search tab look for s3
in the left panel - select s3 bucket - create a bucket 
give a unique name to your bucket and select the same region in which aws kms key is created 
leave all the settings as it and click on create a bucket 


configure both users with aws-cli

aws configure --profile user1
aws configure --profile user2

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_DEFAULT_REGION=

next step - put some files inside the s3 bucket and verify both user access to it 

aws s3 ls

aws s3 cp s3://enteryourbucketnamehere/filename . --profile user1  

aws s3 cp s3://enteryourbucketnamehere/filename . --profile user2 


Till this point both users were able to download, list file without error 


how to enable encryption on s3 bucket


login to aws console - select the region 
go to service and in the search tab look for s3
select the bucket on which you need to enable encryption 
select properties - scroll down and select default encryption - enable it 


verify both users access again 

aws s3 cp s3://enteryourbucketnamehere/filename . --profile user1  

aws s3 cp s3://enteryourbucketnamehere/filename . --profile user2 



Now here only users with kms key access are able to call the s3 bucket operation 





















Comments

Post a Comment

Popular posts from this blog

aws-ecs demo | amazon elastic container service demo | aws container demo | aws fargate

Image
 aws ecs demo | amazon elastic container service demo | aws container demo | aws fargate Below topics will cover aws ec2 machine creation  install docker on aws linux machine 2  create docker image  create iam user with programmatic access and give permission to  ecs, ecr, ec2 configure user created in above step in linux machine  create ecr repository and push docker image  create task definition create cluster  create service  demo step to create ec2 machine  https://www.blogger.com/blog/post/edit/4755733674328893075/1117922512913062110?hl=en go the aws console, in the search bar search for ec2  click launch instance from the top right side  next select the machine - Amazon Linux 2 AMI in the choose instance type select - t2.micro in the configure instance and add storage step - go with default values give the name of your machine in the add tags section  in the configure security open port 22 and port 80 in the inbound ...
Read more

aws ssm automation

Image
This blog will help you to deploy bash scripts or run linux commands on multiple servers at once. Steps involved  1. Create multiple EC2 machines  2. Create IAM role for EC2 and attach SSM policy.  3. Attach IAM role created in step 2 to EC2 machine  4. Check in AWS SSM console if servers are showing or not in RUN command.  5. Go to AWS SSM - select Run command and than select Shell script to run command on multiple linux machine at once  6. Enter the bash script in the console  7. Select the logs destination  8. Deploy - check the in the console for status  1. Create multiple EC2 machine  Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/. Choose Launch Instance. Choose an Amazon Machine Image (AMI), find an Amazon Linux 2 AMI at the top of the list and choose Select. Choose an Instance Type, choose Next: Configure Instance Details. Configure Instance Details, provide the following information: Leave Number of instances ...
Read more