← Back to Labs
Intermediate01:00:00

Encryption and Decryption Using KMS

Task 1Task 2Task 3Task 4Task 5Task 6Task 7Task 8
Task 1

Task 1: Sign in to AWS Management Console

↑ Top
  1. Click on the Open Console button, and you will get redirected to AWS Console in a new browser tab.
  2. On the AWS sign-in page, Leave the Account ID as default. Never edit/remove the 12 digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab. Now copy your User Name and Password in the Lab Console to the IAM Username and Password in AWS Console and click on the Sign in button.
  3. On the AWS sign-in page,
  4. Leave the Account ID as default. Never edit/remove the 12 digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab.
  5. Now copy your User Name and Password in the Lab Console to the IAM Username and Password in AWS Console and click on the Sign in button.
  6. Once Signed In to the AWS Management Console, Make the default AWS Region as US East (N. Virginia) us-east-1.
Task 2

Task 2: Create a User group for KMS users and attach a Policy to the Group

↑ Top
  1. Make sure to choose N.Virginia region in the AWS Management console dashboard, which is present in the top right corner.
  2. Navigate to the Services menu at the top, click on IAM in the Security, Idenitity, & Compliance section.
  3. In the IAM section, click on User groups.
  4. Click on Create group
  5. Enter the following user group name: KMSGroup
  6. Attach permissions policies: For the Policy name type KMS and select KMS_Policy
  7. Now, Click on Create Group button.
  8. We have successfully created a new group for our KMS lab.
Task 3

Task 3: Create two users for managing the KMS

↑ Top
  1. In this task, We are going to add two users to the group we created.
  2. KeyManager: Has access to the Console to manage keys (Create, Delete, Rotate).
  3. KeyEncryption: Has programmatic access to use the keys for encryption/decryption but cannot manage them. This separation minimizes the impact if credentials are compromised.
  4. Click on Users on the left side of the IAM dashboard.
  5. Click on the Create User button.
  6. Enter the following user name: KeyManager
  7. Check the Provide user access to the AWS Management Console checkbox.
  8. Click on the Custom password.
  9. Give the following password: lab@123
  10. Uncheck the Users must create a new password at the next sign-in. Click on Next.
  11. Task 3: Create two users for managing the KMS
  12. For permission, select Add User to group.
  13. Select the KMSGroup that we created, and click on the Next button.
  14. In the review section, if all the settings are as per the requirement.
  15. Click on Create User.
  16. We have successfully created our KeyManager. Click on Return to users list button and click again on Continue button to return back to Users tab.
  17. Now, similarly, we're going to create a new user, and this will be the person who does the decryption.
  18. Click on Users on the left side of the IAM dashboard.
  19. Click on the Create User button.
  20. Enter the following user name: KeyEncryption
  21. Check the Provide user access to the AWS Management Console checkbox.
  22. Click on the Custom password
  23. Give the following password: 123@lab
  24. Uncheck the Users must create a new password at the next sign-in. Click on Next.
  25. For permission, select Add User to group .
  26. Select the KMSGroup that we created, and click on the Next button.
  27. In the review section, if all the settings are as per the requirement
  28. Click on Create User. Click on Return to users list button and click again on Continue button to return back to Users tab.
  29. Now, to get the Access Key and Secret Access Key
  30. Click on Users on the left side of the IAM dashboard.
  31. Click on KeyEncryption user and go to the Security credentials tab.
  32. Scroll down and click on Create access key button.
  33. Select Use case as Command Line Interface (CLI), check the confirmation box and click on Next button.
  34. Leave Description tag value as blank in Set description tag step.
  35. Click on Create access key button.
  36. Click on Download .csv file button to download the secret access key of the user as it will be required to connect with our EC2 instance for encryption.
Task 4

Task 4 : Creating a KMS Key

↑ Top
  1. AWS Managed Keys: Created by AWS services (like S3) for you. You cannot manage their policies.
  2. Customer Managed Keys: Created by you. You have full control over Key Policies, rotation, and deletion. This lab uses a CMK.
  3. Navigate to the Services menu at the top, click on AWS Key Management Service (KMS) in the Security, Identity, & Compliance section
  4. Click on the Create a key button.
  5. Select Key type as Symmetric and Key usage as Encrypt and decrypt, click on next button.
  6. Task 4 : Creating a KMS Key
  7. Symmetric (AES-256): Same key for encryption and decryption. Used for most AWS services (S3, EBS, RDS). Fast and efficient.
  8. Asymmetric (RSA/ECC): Public key encrypts, Private key decrypts. Used when you need to share the encryption key publicly without compromising the decryption capability.
  9. Enter Alias as : Admin
  10. Leave the other field as it is, and click on the Next button.
  11. In Define key administrative permissions select KeyManager and click on Next button.
  12. Task 4 : Creating a KMS Key
  13. In Define key usage permissions select KeyEncryption and click on Next button.
  14. Once you click on Next you’ll be moved to the review section. Review the key policy that we have created and if everything is fine, just click on Finish button.
  15. We have successfully created the KMS key. Copy the Key ID in Notepad for future use.
  16. Task 4 : Creating a KMS Key
  17. Now that we have created the KMS and User policies, move to the service section and choose EC2 under the Compute section.
Task 5

Task 5 : Launching an EC2 Instance

↑ Top
  1. We will use this EC2 instance as our "workstation" to run AWS CLI commands. It represents an application server that needs to encrypt data.
  2. Make sure you are in N.Virginia Region.
  3. Navigate to the Services menu at the top, click on EC2 in the Compute section.
  4. Click on Launch Instance
  5. Enter Name as following: MyEC2Server
  6. For AMI Select Amazon Linux 2023 in the quickstart menu.
  7. Task 5 : Launching an EC2 Instance
  8. For Instance Type: Select t2.micro.
  9. For Key pair(login): Select Create a new key pair Button Key pair name: WhizKey Key pair type: RSA Private key file format: .pem
  10. For Key pair(login): Select Create a new key pair Button
  11. Key pair name: WhizKey
  12. Key pair type: RSA
  13. Private key file format: .pem
  14. Keep all the settings as default and click on the Launch instance button.
  15. Click on View all instances button.
  16. Your instance is now launching, wait for the complete initialization of the instance till the Status check changes to 2/2 checks passed
Task 6

Task 6: SSH into the EC2 Instance

↑ Top
  1. Please follow the steps in SSH into EC2 Instance.
Task 7

Task 7: Perform KMS Encryption and Decryption

↑ Top
  1. Now you will use the AWS CLI to interact with the KMS service.
  2. Once you click on connect you get a terminal which is our EC2-user login on EC2-instance. Here we will perform KMS Encryption and Decryption.
  3. First we need to create a file with the name secret.txt , Execute the command.
  4. Now that we have created a file secret.txt we need to execute the following configuration command.
  5. Enter the AWS Access key ID and AWS Secret Access Key from the user KeyEncryption file that you downloaded in task 3.
  6. Enter default region as us-east-1
  7. Leave the default output as blank and press Enter
  8. Once AWS configure is complete, we need to execute the command for encryption.
  9. Run the following command to encrypt text file but first replace <replace-key-id> with the Key ID copied earlier.
  10. Ask KMS to generate a Data Key (GenerateDataKey).
  11. Use the Data Key to encrypt your large file locally (using OpenSSL etc.).
  12. Store the Encrypted Data Key alongside your encrypted file.
  13. We have successfully encrypted our text file. To view the statement, execute
  14. We are going to decrypt the encrypted file to view the data.
  15. We have successfully decrypted our text file . To view the statement execute.
  16. Run the following command to re-encrypt text file but first replace <replace-key-id> with the Key ID copied earlier.
  17. You can check the created files by using command :
  18. We have successfully encrypted our text file . To view the statement execute
  19. Task 7: Perform KMS Encryption and Decryption
  20. We have successfully executed the re-encrypt statement.
Task 8

Task 8 : Validation of the Lab

↑ Top
  1. Once the lab steps are completed, please click on the Validation button on the left side panel.
  2. This will validate the resources in the AWS account and displays whether you have completed this lab successfully or not.
  3. Sample output :
  4. Task 8 : Validation of the Lab
  5. AWS Documentation: AWS KMS Developer Guide
  6. Best Practice: Best practices for IAM policies in AWS KMS
  7. You have successfully created a group for KMS users and attached a policy to the group.
  8. You have successfully created 2 users for managing the KMS.
  9. You have successfully created a KMS Key.
  10. You have successfully launched an EC2 Instance and connected to SSH using the browser.
  11. You have successfully configured KMS.
  12. You have become familiar with Encryption, decryption, re-encryption.
  13. Sign out of AWS Account.
  14. You have successfully completed the lab.
  15. Once you have completed the steps, click on End Lab from your lab lab console and wait till the process gets completed.
← Back to Labs