Level: Fundamental. Duration: 01:30:00

Encrypt S3 bucket, EBS Volume and AMI using AWS KMS

Task 1: Sign in to AWS Management Console

  1. Click on the Open Console button; the AWS Console opens in a new browser tab.
  2. On the AWS sign-in page, leave the Account ID as default. Never edit or remove the 12-digit Account ID pre-filled in the AWS Console; otherwise you cannot proceed with the lab.
  3. Copy the User Name and Password shown in the Lab Console into the IAM Username and Password fields in the AWS Console and click on the Sign in button.
  4. Once signed in to the AWS Management Console, set the default AWS Region to US East (N. Virginia) us-east-1.
Task 2: Creating an AWS KMS Key

  1. Make sure you are in the US East (N. Virginia) us-east-1 Region.
  2. Navigate to Key Management Service by clicking on the Services menu, under the Security, Identity and Compliance section.
  3. Click on Create key.
  4. Note: Ignore any other customer managed keys already present in the account. Keys scheduled for deletion remain listed until their waiting period expires.
  5. Select the Key type as Symmetric and click on Next.
  6. Under Add labels, give the following details:
  7. Alias: Enter Whizkey (change the name if a key with the same alias already exists; an alias must be unique within the account and Region).
  8. Description: KMS key for encryption
  9. Leave everything else as default.
  10. Click on Next.
  11. In Define key administrative permissions,
  12. Key administrators: Select the IAM user you are logged in with (starting with Whiz_User_). Administrators can manage the key (describe, enable, disable, update the policy) but this alone does not let them encrypt or decrypt with it.
  13. Check Allow key administrators to delete this key. This adds kms:ScheduleKeyDeletion and kms:CancelKeyDeletion to the administrator statement of the key policy.
  14. Click on Next.
  15. In Define key usage permissions,
  16. This account: Select the same user selected earlier. This makes the user a key user, granting kms:Encrypt, kms:Decrypt, kms:ReEncrypt*, kms:GenerateDataKey* and kms:DescribeKey, which is what S3 and EBS need to act on your behalf later in the lab.
  17. Click on Next.
  18. Review the details, including the generated key policy, and click on the Finish button.
Task 3: Enabling KMS Key rotation

  1. Click the created alias Whizkey.
  2. Navigate to the Key rotation tab.
  3. Under Automatic key rotation, click Edit, select Enable, enter 365 in the Rotation period (in days) field, and click Save.
  4. You have now enabled yearly rotation for your KMS key.
  5. When automatic key rotation is enabled, KMS generates new cryptographic material for the key after every rotation period (365 days here) and retains all earlier material. New encrypt requests use only the current material; the older material is kept so that ciphertext produced with it can still be decrypted. The key ID, ARN, alias and key policy do not change, and existing data does not need to be re-encrypted. Rotation does not protect against a key that has been disabled or deleted (Tasks 8 and 12): all versions of the material go with the key.
Task 4: Creating and encrypting S3 Bucket

  1. Navigate to S3 by clicking on the Services menu, under the Storage section.
  2. Click on Create bucket.
  3. In the General configuration,
  4. AWS Region: Select US East (N. Virginia) us-east-1 (the same Region as the KMS key; SSE-KMS on a bucket requires a key in the bucket's Region).
  5. Bucket type: General purpose
  6. Bucket name: Enter a globally unique name (the lab refers to it as whizsource123 below).
  7. Object Ownership: Select ACLs enabled and set Object Ownership to Object writer.
  8. In Block Public Access settings for this bucket, uncheck Block all public access and acknowledge by checking the option below it. This is done only so that Task 6 can show that a public ACL does not expose an SSE-KMS object; outside this lab, leave Block Public Access on.
  9. In Bucket Versioning, select Enable (replication in Task 7 requires versioning on both buckets).
  10. In Default encryption,
  11. Encryption key type: Select AWS Key Management Service key (SSE-KMS)
  12. AWS KMS key: Select Choose from your AWS KMS keys
  13. Select Whizkey from the dropdown menu.
  14. Keep other settings as default and click on Create bucket.
  15. The whizsource123 bucket is created now.
Task 5: Encrypting and uploading an object to S3 Bucket

  1. Click on whizsource123.
  2. Click on the Upload button.
  3. Click on Add files and browse for a file (image or text) on your local machine.
  4. Before clicking on Upload, scroll down and expand the Properties section.
  5. Select the following details:
  6. Storage class: Select One Zone-IA
  7. Server-side encryption: Select Specify an encryption key
  8. Encryption settings: Choose Override default encryption bucket settings (the bucket default would already apply Whizkey; the override shows that encryption can also be set per object)
  9. Encryption key type: Select AWS Key Management Service key (SSE-KMS)
  10. AWS KMS key: Select Choose from your AWS KMS keys
  11. Select Whizkey from the dropdown menu.
  12. Leave other settings as default and click on the Upload button.
  13. Click on the Close button.
Task 6: Verifying the encryption of the object

  1. Now let us check whether the encryption is working.
  2. Select the object you uploaded.
  3. Click on Actions, scroll down and select Make public using ACL.
  4. Choose Make public and click on the Close button.
  5. Click the object. Copy the Object URL and paste it into a new browser tab.
  6. Note: The browser shows an error even though the ACL now grants public read (typically InvalidArgument: Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4). To serve an SSE-KMS object, S3 must call kms:Decrypt on Whizkey on behalf of the requester, and an anonymous, unsigned request carries no AWS identity that the key policy could authorize, so S3 rejects it. Making an SSE-KMS object public via ACL therefore does not expose its contents; a signed request from a principal with kms:Decrypt on the key is still required.
  7. Click the object, and click on the Open button in the top-right corner.
  8. Now you can see the object which you uploaded opened in a new tab.
  9. Note: Open works because the console generates a presigned URL signed with your IAM user's credentials, and that user is a key user on Whizkey (Task 2), so S3 can decrypt the object on your behalf.
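Tasks 4 to 6 as API calls, added here as an example that is not part of the lab: set SSE-KMS as the bucket default, upload with a per-object override, read the encryption state back from `head_object`, and issue the kind of presigned URL the console's Open button uses. The bucket name, the key ARN and the local file are assumptions.

```python
"""SSE-KMS bucket default, per-object override and verification.
Added example; BUCKET and KEY_ARN are placeholders, not lab values."""
BUCKET = "whizsource123"                                             # assumed
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "11111111-2222-3333-4444-555555555555")                  # assumed Whizkey ARN


def sse_kms_bucket_config(kms_key_arn, bucket_key=True):
    """ServerSideEncryptionConfiguration for put_bucket_encryption (Task 4).
    BucketKeyEnabled makes S3 wrap one bucket-level key under the KMS key and
    derive per-object keys from it, reducing KMS requests and their cost."""
    return {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn},
        "BucketKeyEnabled": bucket_key}]}


def sse_kms_upload_args(kms_key_arn, storage_class="ONEZONE_IA"):
    """ExtraArgs for upload_file that override the bucket default (Task 5)."""
    return {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": kms_key_arn,
            "StorageClass": storage_class}


def encryption_of(head):
    """Interpret a head_object response: which SSE mode protects the object
    and whether reading it needs a kms:Decrypt call (Task 6)."""
    algo = head.get("ServerSideEncryption")
    if algo == "aws:kms":
        return {"mode": "SSE-KMS", "key": head.get("SSEKMSKeyId"),
                "needs_kms_decrypt": True}
    if algo == "AES256":
        return {"mode": "SSE-S3", "key": None, "needs_kms_decrypt": False}
    return {"mode": "none", "key": None, "needs_kms_decrypt": False}


def configure_and_upload(path, key="lab-object.txt", region="us-east-1"):
    """Apply the bucket default, upload one object, verify, and presign a GET."""
    import boto3  # imported here so the helpers above run without boto3
    s3 = boto3.client("s3", region_name=region)
    s3.put_bucket_encryption(
        Bucket=BUCKET,
        ServerSideEncryptionConfiguration=sse_kms_bucket_config(KEY_ARN))
    s3.upload_file(path, BUCKET, key, ExtraArgs=sse_kms_upload_args(KEY_ARN))
    info = encryption_of(s3.head_object(Bucket=BUCKET, Key=key))
    # The plain object URL fails for an SSE-KMS object even after a public ACL,
    # because S3 needs a SigV4-signed identity to call kms:Decrypt.  A presigned
    # URL carries the signer's identity, so it succeeds as long as the signer
    # is a key user on the KMS key.
    url = s3.generate_presigned_url(
        "get_object", Params={"Bucket": BUCKET, "Key": key}, ExpiresIn=300)
    return info, url


if __name__ == "__main__":
    print(configure_and_upload("sample.txt"))  # needs lab credentials
```

`encryption_of` is the check to script across a bucket: any object whose mode is not SSE-KMS under the expected key ARN slipped past the default, for example because a client sent its own `x-amz-server-side-encryption` header as the lab does in Task 7.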
Task 7: Cross-Region Replication and Versioning in S3

  1. We already have the bucket whizsource123 (source bucket) from which data will be replicated. Now we create a destination bucket in another Region that will receive the replicated data.
  2. Change Region: From the dropdown, select Asia Pacific (Mumbai) ap-south-1.
  3. Navigate to the S3 dashboard and click on Create bucket.
  4. In the General configuration, Bucket name: Enter a globally unique name (the lab refers to it as whiztarget123 below).
  5. In Block Public Access settings for this bucket, uncheck Block all public access and acknowledge by checking the option below it.
  6. In Bucket Versioning, select Enable (replication requires versioning on both the source and the destination bucket).
  7. Keep other settings as default and click on Create bucket.
  8. Now open the whizsource123 bucket and click on the Management tab. Scroll down to Replication rules and click Create replication rule.
  9. Enter a rule name, Whizrule1, and keep the status as Enabled.
  10. Choose a rule scope: Select Apply to all objects in the bucket.
  11. Under Destination, select Choose a bucket in this account and click on Browse S3.
  12. In the search box enter the Mumbai Region bucket name, select the target bucket created earlier and click on Choose path.
  13. Under IAM role, Choose from existing IAM roles: select replication_role<random.numbers>.
  14. Under Encryption, check Replicate objects encrypted with AWS KMS.
  15. AWS KMS key for encrypting destination objects: Select Choose from your AWS KMS keys and select aws/s3 from the dropdown menu. This is the AWS managed S3 key of the destination Region (ap-south-1); KMS keys are regional, so a key from us-east-1 cannot be used here.
  16. Leave other settings as default. Review and click on Save.
  17. When prompted to replicate existing objects, click Cancel (a new rule applies only to objects written after it is created; existing objects need Batch Replication).
  18. Now navigate to the source bucket and upload an object by clicking Add files, then Upload. Leave encryption at the bucket default, which is SSE-KMS with Whizkey.
  19. Navigate to your target bucket to see the replication. It may take 3-5 minutes.
  20. Note: The object has not been replicated. Replication is performed by the replication role: for an SSE-KMS source object it must call kms:Decrypt on the source key (Whizkey) and kms:Encrypt on the destination key. Whizkey's key policy names only your IAM user as a key user (Task 2), so the role is denied and the object's replication status becomes FAILED. Using different keys on the two sides is supported; what is missing is the role's permission on Whizkey, which you would grant by adding the role as a key user or by attaching an IAM policy with kms:Decrypt on the key.
  21. Now go to whizsource123 and click on Add files. Before clicking on Upload, scroll down and expand the Properties section.
  22. Choose Specify an encryption key and Override default encryption bucket settings.
  23. In Encryption key type, choose Amazon S3 key (SSE-S3).
  24. Click on Upload.
  25. This object is protected by S3-managed keys, so no call to Whizkey is needed on the source side, and it is replicated to whiztarget123. Cross-Region Replication is now working for the objects the role is allowed to read.
  26. Navigate to the target bucket and refresh. You will be able to see the replicated object.
  27. Click the object and select Open to see the object in the target bucket.
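The replication rule and the role policy it depends on, added here as an example that is not part of the lab: the configuration `put_bucket_replication` takes, the IAM statements the replication role needs for SSE-KMS objects (the two KMS statements are the ones the lab's failed replication is missing), and a small model of the outcomes observed in steps 19 and 25. All ARNs are placeholders; the role in the lab is pre-created, so only the two KMS statements would need to be added to it.

```python
"""Cross-Region Replication of SSE-KMS objects: rule, role policy, outcome.
Added example; bucket names, key ARNs and the role ARN are placeholders."""
ACCOUNT = "111122223333"                                             # assumed
SRC_BUCKET, SRC_REGION = "whizsource123", "us-east-1"
DST_BUCKET, DST_REGION = "whiztarget123", "ap-south-1"
SRC_KEY = (f"arn:aws:kms:{SRC_REGION}:{ACCOUNT}:key/"
           "11111111-2222-3333-4444-555555555555")                  # Whizkey (assumed)
DST_KEY = (f"arn:aws:kms:{DST_REGION}:{ACCOUNT}:key/"
           "22222222-3333-4444-5555-666666666666")                  # aws/s3 in ap-south-1 (assumed)
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/replication_role"          # assumed


def replication_config(role_arn, dst_bucket, dst_key_arn, rule_id="Whizrule1"):
    """ReplicationConfiguration equivalent to the console rule in Task 7.
    ReplicaKmsKeyID must be a key in the destination bucket's Region."""
    return {"Role": role_arn, "Rules": [{
        "ID": rule_id, "Status": "Enabled", "Priority": 1,
        "Filter": {},  # empty filter = apply to all objects in the bucket
        "DeleteMarkerReplication": {"Status": "Disabled"},
        "SourceSelectionCriteria": {
            "SseKmsEncryptedObjects": {"Status": "Enabled"}},
        "Destination": {
            "Bucket": f"arn:aws:s3:::{dst_bucket}",
            "EncryptionConfiguration": {"ReplicaKmsKeyID": dst_key_arn}},
    }]}


def replication_role_policy(src_bucket, dst_bucket, src_key_arn, dst_key_arn,
                            src_region, dst_region):
    """IAM policy for the replication role.  The S3 statements are what any
    replication role needs; the KMS statements are required once source or
    replica objects use SSE-KMS, and the conditions pin the calls to S3."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetReplicationConfiguration", "s3:ListBucket"],
         "Resource": f"arn:aws:s3:::{src_bucket}"},
        {"Effect": "Allow",
         "Action": ["s3:GetObjectVersionForReplication",
                    "s3:GetObjectVersionAcl", "s3:GetObjectVersionTagging"],
         "Resource": f"arn:aws:s3:::{src_bucket}/*"},
        {"Effect": "Allow",
         "Action": ["s3:ReplicateObject", "s3:ReplicateDelete",
                    "s3:ReplicateTags"],
         "Resource": f"arn:aws:s3:::{dst_bucket}/*"},
        {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": src_key_arn,
         "Condition": {"StringLike": {
             "kms:ViaService": f"s3.{src_region}.amazonaws.com",
             "kms:EncryptionContext:aws:s3:arn":
                 f"arn:aws:s3:::{src_bucket}/*"}}},
        {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:GenerateDataKey"],
         "Resource": dst_key_arn,
         "Condition": {"StringLike": {
             "kms:ViaService": f"s3.{dst_region}.amazonaws.com",
             "kms:EncryptionContext:aws:s3:arn":
                 f"arn:aws:s3:::{dst_bucket}/*"}}},
    ]}


def predict_replication(object_sse, role_can_decrypt_src, role_can_encrypt_dst):
    """Outcome for one object, as the lab observes it: an SSE-KMS object needs
    both KMS permissions on the role; an SSE-S3 object needs neither."""
    if object_sse == "aws:kms":
        if not role_can_decrypt_src:
            return "FAILED", "role lacks kms:Decrypt on the source key"
        if not role_can_encrypt_dst:
            return "FAILED", "role lacks kms:Encrypt on the destination key"
    return "COMPLETED", "replicated"


def apply_rule_and_check(key, region=SRC_REGION):
    """Install the rule on the source bucket and read one object's status."""
    import boto3  # imported here so the builders above run without boto3
    s3 = boto3.client("s3", region_name=region)
    s3.put_bucket_replication(
        Bucket=SRC_BUCKET,
        ReplicationConfiguration=replication_config(ROLE_ARN, DST_BUCKET, DST_KEY))
    head = s3.head_object(Bucket=SRC_BUCKET, Key=key)
    # PENDING -> COMPLETED on success, FAILED when the role is denied.
    return head.get("ReplicationStatus"), head.get("ServerSideEncryption")
```

Note that the key policy generated in Task 2 contains the root delegation statement, so an IAM policy on the role is enough; without that statement the role would also have to be listed in the key policy itself.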
Task 8: Disabling the KMS Key

  1. Make sure you are in the US East (N. Virginia) us-east-1 Region.
  2. Navigate to Key Management Service by clicking on the Services menu, under the Security, Identity and Compliance section.
  3. Select the alias Whizkey.
  4. Click on Key actions and select Disable.
  5. Check the confirmation and click on Disable key.
  6. Navigate to the Services menu and click on S3 under Storage.
  7. Click on whizsource123 and select an object other than the one uploaded most recently (that object uses SSE-S3 and does not depend on Whizkey).
  8. Click Open at the top right of the screen.
  9. Access is denied because the KMS key is disabled: S3 cannot call kms:Decrypt on a disabled key, so every object protected by Whizkey is unreadable until the key is enabled again. Nothing is deleted; the ciphertext stays in the bucket, and the same applies to EBS volumes and snapshots encrypted under the key (Tasks 9 and 10), which cannot be attached or used while the key is disabled.
  10. Navigate back to Key Management Service, click on the alias Whizkey and choose Enable under Key actions.
Task 9: Encrypting EBS volume

  1. Make sure you are in the US East (N. Virginia) us-east-1 Region.
  2. Navigate to EC2 by clicking on the Services menu, under the Compute section.
  3. On the left navigation panel, click on Volumes under Elastic Block Store.
  4. Click on Create volume.
  5. In Create volume,
  6. Volume type: Select General Purpose SSD (gp2)
  7. Size: Change to 1 GiB
  8. Availability Zone: Choose us-east-1a
  9. Encryption: Check Encrypt this volume
  10. KMS key: Choose Whizkey from the list.
  11. Tags: Key: Enter Name, Value: Enter WhizEBS
  12. Click on Create volume and Close.
  13. Now we can see WhizEBS created. Select WhizEBS; under Details the volume is shown as encrypted, with the KMS key ID of Whizkey.
  14. Whizkey does not encrypt the volume data directly. EBS generates a unique data key for the volume and asks KMS to wrap it under Whizkey; the plaintext data key is released to the host only when the volume is attached, which requires kms:Decrypt on Whizkey. Snapshots of the volume inherit the same key.
Task 10: Encrypting AMI and Snapshot

  1. On the left navigation panel, click on Instances.
  2. You can see an EC2 instance already running.
  3. Select the instance, click on Actions, and select Create image under Image and templates.
  4. In Create image,
  5. Image name: Enter WhizUnencrypted
  6. Leave everything else as default and click on Create image.
  7. On the left navigation panel, click on AMIs under Images.
  8. Select WhizUnencrypted and wait till the status changes to Available.
  9. Click on the Actions button and select Copy AMI.
  10. Fill in the details:
  11. Name: Change the name to WhizEncrypted
  12. Destination Region: Choose US East (N. Virginia)
  13. Encrypt EBS snapshots of AMI copy: Check
  14. KMS key: Select Whizkey
  15. Click on Copy AMI.
  16. Refresh the page to see the copied AMI. Wait till the status of the AMI becomes Available.
  17. Select the copied AMI, WhizEncrypted, and copy the AMI ID from the Details tab.
  18. On the left navigation panel, click on Snapshots under Elastic Block Store.
  19. Paste the AMI ID into the search box; the description of the copied snapshot references the destination AMI ID.
  20. Wait for the snapshot status to change from Pending to Completed.
  21. Select the snapshot and check the Details tab to see that it is encrypted using Whizkey.
  22. Note: An existing unencrypted snapshot cannot be encrypted in place, which is why the copy is needed; WhizUnencrypted and its snapshot are unchanged. Any instance launched from WhizEncrypted gets root volumes encrypted with Whizkey (a different KMS key can be chosen at launch, but the volumes cannot be made unencrypted).
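Tasks 9 and 10 as API calls, added here as an example that is not part of the lab: create the encrypted volume, create and copy the AMI with encryption under Whizkey, and then verify the copy's snapshots through the AMI's block device mappings rather than by searching descriptions, which also match the source AMI ID. The key ARN, the instance ID and the sample `describe_images`/`describe_snapshots` records are constructed placeholders.

```python
"""Encrypted EBS volume, encrypted AMI copy and snapshot verification.
Added example; KEY_ARN, instance IDs and the sample records are constructed."""
KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
           "11111111-2222-3333-4444-555555555555")                  # Whizkey (assumed)

# Constructed records shaped like describe_images / describe_snapshots output;
# not captured from a real account.
SAMPLE_SOURCE_IMAGE = {"ImageId": "ami-0aaaaaaaaaaaaaaa1", "State": "available",
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                             "Ebs": {"SnapshotId": "snap-0aaa", "Encrypted": False}}]}
SAMPLE_COPIED_IMAGE = {"ImageId": "ami-0bbbbbbbbbbbbbbb2", "State": "available",
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                             "Ebs": {"SnapshotId": "snap-0bbb", "Encrypted": True}}]}
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "State": "completed", "Encrypted": False,
     "Description": "Created by CreateImage(i-0123456789abcdef0) for ami-0aaaaaaaaaaaaaaa1"},
    {"SnapshotId": "snap-0bbb", "State": "completed", "Encrypted": True,
     "KmsKeyId": KEY_ARN,
     "Description": "Copied for DestinationAmi ami-0bbbbbbbbbbbbbbb2 from SourceAmi "
                    "ami-0aaaaaaaaaaaaaaa1 for SourceSnapshot snap-0aaa."},
]


def image_snapshot_ids(image):
    """Snapshot IDs an AMI is built from (EBS-backed mappings only)."""
    return [m["Ebs"]["SnapshotId"] for m in image["BlockDeviceMappings"]
            if "Ebs" in m and "SnapshotId" in m["Ebs"]]


def snapshot_report(image, snapshots):
    """Task 10 steps 19-21 as a join: encryption facts for the AMI's snapshots."""
    wanted = set(image_snapshot_ids(image))
    return [{"SnapshotId": s["SnapshotId"], "State": s["State"],
             "Encrypted": s["Encrypted"], "KmsKeyId": s.get("KmsKeyId")}
            for s in snapshots if s["SnapshotId"] in wanted]


def all_encrypted_with(report, key_arn):
    """True only if every snapshot is completed and encrypted under key_arn."""
    return bool(report) and all(
        r["Encrypted"] and r["KmsKeyId"] == key_arn and r["State"] == "completed"
        for r in report)


def create_encrypted_volume(key_arn, az="us-east-1a", region="us-east-1"):
    """Task 9: 1 GiB gp2 volume encrypted under the KMS key, tagged WhizEBS."""
    import boto3  # imported here so the helpers above run without boto3
    ec2 = boto3.client("ec2", region_name=region)
    vol = ec2.create_volume(
        AvailabilityZone=az, Size=1, VolumeType="gp2",
        Encrypted=True, KmsKeyId=key_arn,
        TagSpecifications=[{"ResourceType": "volume",
                            "Tags": [{"Key": "Name", "Value": "WhizEBS"}]}])
    return vol["VolumeId"], vol["Encrypted"]


def copy_image_encrypted(instance_id, key_arn, region="us-east-1"):
    """Task 10: unencrypted AMI, encrypted copy, verified via its snapshots."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    src = ec2.create_image(InstanceId=instance_id, Name="WhizUnencrypted")["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[src])
    dst = ec2.copy_image(Name="WhizEncrypted", SourceImageId=src,
                         SourceRegion=region, Encrypted=True,
                         KmsKeyId=key_arn)["ImageId"]
    ec2.get_waiter("image_available").wait(ImageIds=[dst])
    image = ec2.describe_images(ImageIds=[dst])["Images"][0]
    snaps = ec2.describe_snapshots(
        SnapshotIds=image_snapshot_ids(image))["Snapshots"]
    report = snapshot_report(image, snaps)
    return dst, report, all_encrypted_with(report, key_arn)


def enforce_account_default(key_arn, region="us-east-1"):
    """Beyond the lab: make every new volume and snapshot copy in the Region
    encrypted under key_arn unless a caller picks another key."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.enable_ebs_encryption_by_default()
    return ec2.modify_ebs_default_kms_key_id(KmsKeyId=key_arn)["KmsKeyId"]
```

`enforce_account_default` goes one step past the lab's per-resource checkboxes: with encryption by default enabled, an unencrypted AMI like WhizUnencrypted can no longer be produced in that Region, and launches from unencrypted public AMIs get encrypted root volumes automatically.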
Task 11: Validation of the Lab

  1. Once the lab steps are completed, click on the Validation button in the left side panel.
  2. This validates the resources in the AWS account and displays whether you have completed this lab successfully or not.
  3. Key rotation recap: AWS KMS supports automatic key rotation, generating new key material on the configured schedule (365 days in this lab) while retaining older material so existing ciphertext remains decryptable.
Task 12: Delete AWS Resources

  1. Make sure you are in the US East (N. Virginia) us-east-1 Region.
  2. Navigate to Key Management Service by clicking on the Services menu, under the Security, Identity and Compliance section.
  3. Select Whizkey, click on the Key actions button, and click Schedule key deletion.
  4. Waiting period: 7 days. KMS enforces a waiting period of 7 to 30 days; during it the key is unusable but can be restored with Cancel key deletion. After it expires the key material is destroyed and every object, volume and snapshot encrypted under Whizkey becomes permanently unrecoverable, so in a real account confirm nothing still depends on the key before scheduling deletion.
  5. Check the confirmation for deletion.
  6. Click on Schedule deletion.
  7. Make sure you are in the US East (N. Virginia) us-east-1 Region.
  8. Navigate to EC2 by clicking on the Services menu, under the Compute section.
  9. On the left navigation panel, click on AMIs under Images.
  10. Select the WhizUnencrypted and WhizEncrypted AMIs and click on the Actions button.
  11. Select Deregister AMI from the dropdown menu and click on Deregister AMI.
  12. On the left navigation panel, click on Snapshots under Elastic Block Store.
  13. Remove the AMI ID from the search box if it is still present.
  14. Select both snapshots and click on the Actions button.
  15. Click on Delete snapshot, confirm by entering delete, and click on Delete.
  16. Click on Instances in the left side panel.
  17. Select the instance, click on Instance state and then click on Terminate instance.
  18. In the pop-up, click on Terminate to delete the EC2 instance.
  19. You have created a KMS key and enabled key rotation.
  20. You have encrypted S3 buckets and configured cross-region replication.
  21. You have encrypted an EBS volume and an AMI.
  22. You have scheduled the deletion of the KMS key.
  23. Sign out of the AWS account.
  24. You have successfully completed the lab.
  25. Once you have completed the steps, click on End Lab in your lab console and wait till the process completes.