← Back to Labs
Fundamental00:50:00

How to Encrypt an S3 bucket using AWS KMS and monitor the activities with CloudTrail

Task 1Task 2Task 3Task 4Task 5Task 6Task 7Task 8
Task 1

Task 1: Sign in to AWS Management Console

↑ Top
  1. Click on the Open Console button, and you will get redirected to AWS Console in a new browser tab.
  2. On the AWS sign-in page,
  3. Leave the Account ID as default. Never edit/remove the 12-digit Account ID present in the AWS Console. otherwise, you cannot proceed with the lab.
  4. Now copy your User Name and Password in the Lab Console to the IAM Username and Password in AWS Console and click on the Sign in button
  5. Once Signed In to the AWS Management Console, Make the default AWS Region as US East (N. Virginia) us-east-1.
  6. In this task, you will create a customer-managed KMS key and use it to encrypt S3 objects.
  7. Navigate to Key Management Service by clicking on Services in the AWS Management Console, and selecting Key Management Service under Security, Identity and Compliance section.
  8. Click on Create a Key
  9. Task 1: Sign in to AWS Management Console
  10. Under configure key: Key type : Select Symmetric Key usage : Select Encrypt and Decrypt
  11. Under configure key:
  12. Key type : Select Symmetric
  13. Key usage : Select Encrypt and Decrypt
  14. Task 1: Sign in to AWS Management Console
  15. Click on Next
  16. Under Add labels: Alias : Enter whiz-kms-key Description : Enter KMS key to encrypt S3 Objects
  17. Under Add labels:
  18. Alias : Enter whiz-kms-key
  19. Description : Enter KMS key to encrypt S3 Objects
  20. Task 1: Sign in to AWS Management Console
  21. Click on Next
  22. Under Define key administrative permissions: Key administrators: Select the role that is associated with the account you are working with. For example: Whiz_user-<RANDOM_NUMBER>
  23. Under Define key administrative permissions:
  24. Key administrators: Select the role that is associated with the account you are working with. For example: Whiz_user-<RANDOM_NUMBER>
  25. Task 1: Sign in to AWS Management Console
  26. Click on Next
  27. Under Define Key usage permissions: Select the role that is associated with the account you are working with. For Whiz_user-<RANDOM_NUMBER>
  28. Under Define Key usage permissions:
  29. Select the role that is associated with the account you are working with. For Whiz_user-<RANDOM_NUMBER>
  30. Task 1: Sign in to AWS Management Console
  31. Click on Next. In Edit key policy, leave everything as default and click Next.
  32. Review everything and click on the Finish button.
  33. You have successfully created the KMS key.
  34. Task 1: Sign in to AWS Management Console
  35. Copy the Key ID and paste it in the notepad, we will use this later in the lab.
  36. In this task, you will create an S3 bucket to upload and encrypt an object an aslo to store events.
  37. Navigate to S3 by clicking on Services in the AWS Management Console, and selecting S3 under Storage section.
  38. Click on Create Bucket
  39. Under General configuration: Bucket type : General purpose Bucket name : Enter a unique name within the global namespace.
  40. Under General configuration:
  41. Bucket type : General purpose
  42. Bucket name : Enter a unique name within the global namespace.
  43. Object ownership: Select ACLs enabled option and choose Object writer as the Object owner
  44. Task 1: Sign in to AWS Management Console
  45. Leave the rest as default and click on Create Bucket.
  46. You have successfully created an S3 bucket.
  47. Task 1: Sign in to AWS Management Console
  48. In this task, you will create a CloudTrail and configure it to store KMS activities in S3 bucket.
  49. Navigate to CloudTrail by clicking on Services in the AWS Management Console, and selecting CloudTrail under Management & Governance section.
  50. Click on the menu section (three lines) on the left side panel and click on Trails.
  51. Click on Create Trail.
  52. Under General details: Trail name : Enter whiz-kms-trails Storage location : Choose Use existing S3 bucket Trail log bucket name : Click on Browse and choose the S3 bucket that you have created earlier(i.e lab-cloudtrail-kms)
  53. Under General details:
  54. Trail name : Enter whiz-kms-trails
  55. Storage location : Choose Use existing S3 bucket
  56. Trail log bucket name : Click on Browse and choose the S3 bucket that you have created earlier(i.e lab-cloudtrail-kms)
  57. Log file SSE-KMS encryption : Uncheck Enabled
  58. Task 1: Sign in to AWS Management Console
  59. Leave the rest as default and click on Next.
  60. Choose log events: Event type : Check both Management events and Data events.
  61. Choose log events:
  62. Event type : Check both Management events and Data events.
  63. Task 1: Sign in to AWS Management Console
  64. Management events: API activity : Check both Read and Write
  65. Management events:
  66. API activity : Check both Read and Write
  67. Task 1: Sign in to AWS Management Console
  68. Data events: Click on Switch to basic event selectors button. Click on Continue button on pop up. All current and future S3 buckets : Uncheck both Read and Write Individual bucket selection : Click on Browse and choose the S3 bucket that we have created earlier(i.e lab-cloudtrail-kms) Make sure you have checked both Read and Write next to the Browse.
  69. Data events:
  70. Click on Switch to basic event selectors button.
  71. Click on Continue button on pop up.
  72. All current and future S3 buckets : Uncheck both Read and Write
  73. Individual bucket selection : Click on Browse and choose the S3 bucket that we have created earlier(i.e lab-cloudtrail-kms)
  74. Make sure you have checked both Read and Write next to the Browse.
  75. Task 1: Sign in to AWS Management Console
  76. Click on Next.
  77. Review everything and click on Create Trail.
  78. You have successfully created a CloudTrail and can find yours under Trails.
  79. Task 1: Sign in to AWS Management Console
  80. In this task, you will upload an image from our local PC and encrypt it using the KMS key we have created in Task 3.
  81. Navigate to S3 by clicking on Services in the AWS Management Console, and selecting S3 under the Storage section.
  82. Click on the S3 bucket (lab-cloudtrail-kms) we have created.
  83. Task 1: Sign in to AWS Management Console
  84. Click on the Upload button.
  85. Task 1: Sign in to AWS Management Console
  86. Click on Add files and choose a picture from your local PC and Click on the Upload button.
  87. Task 1: Sign in to AWS Management Console
  88. Click on the object which we have uploaded. Go to the Properties tab.
  89. Scroll down to Server-side encryption settings and click Edit: Encryption settings : Override bucket settings for default encryption Encryption key type : Select Server Side Encryption with AWS Key Management Service key(SSE-KMS) AWS KMS key : Select Choose from your AWS KMS keys and from the drop-down menu select the KMS key we have created i.e whiz-kms-key
  90. Scroll down to Server-side encryption settings and click Edit:
  91. Encryption settings : Override bucket settings for default encryption
  92. Encryption key type : Select Server Side Encryption with AWS Key Management Service key(SSE-KMS)
  93. AWS KMS key : Select Choose from your AWS KMS keys and from the drop-down menu select the KMS key we have created i.e whiz-kms-key
  94. Task 1: Sign in to AWS Management Console
  95. Leave everything as default and click on the Save Changes button.
  96. Click on close and you will see your uploaded picture under the objects section.
  97. Note the Last Modified time in the notepad.
  98. In this task, you will try to access the encrypted object through both S3 console and Object URL.
  99. Click on the picture you have uploaded and click on Open on the top right side of your screen.
  100. Task 1: Sign in to AWS Management Console
  101. The picture opens in a new tab/window.
  102. What happens behind the scenes Amazon S3 sends the encrypted data key to AWS KMS. AWS KMS decrypts the key by using the appropriate master key and sends the plaintext key back to Amazon S3. Amazon S3 decrypts the cypher text and removes the plaintext data key from memory as soon as possible.
  103. What happens behind the scenes
  104. Amazon S3 sends the encrypted data key to AWS KMS.
  105. AWS KMS decrypts the key by using the appropriate master key and sends the plaintext key back to Amazon S3.
  106. Amazon S3 decrypts the cypher text and removes the plaintext data key from memory as soon as possible.
  107. Close the tab/window that displayed your picture.
  108. Now copy the Object URL and paste it into a new tab of your browser and hit Enter.
  109. You will see a page with the message “Access denied.” And that is because by default, the public access is blocked.
  110. Task 1: Sign in to AWS Management Console
  111. Go back to the bucket, click on the Permissions section.
  112. Task 1: Sign in to AWS Management Console
  113. Under Block public access, click on Edit and uncheck Block all public access and click on Save changes.
  114. Task 1: Sign in to AWS Management Console
  115. In the next screen, Type confirm and click on Confirm button.
  116. Task 1: Sign in to AWS Management Console
  117. You have successfully edited Block Public Access settings.
  118. Now go to the Objects tab and click on your object.
  119. On the top right corner, click the Object actions drop-down menu and click on Make public using ACL.
  120. Click on Make public button.
  121. Now refresh the tab where you have pasted the Object URL earlier.
  122. You should see a message something like this.
  123. Task 1: Sign in to AWS Management Console
  124. This is because the picture is encrypted and you are not able to view it using the public link. If you are uploading or accessing objects encrypted by SSE-KMS, you need to use AWS Signature Version 4 for added security.
  125. In this task, you will access and view our CloudTrail log files in the S3 bucket related to KMS encryption operations.
  126. Go back to the S3 bucket we have created and you will be able to find one more object with the name AWSLogs/.
  127. Task 1: Sign in to AWS Management Console
  128. Click on it and click on the next directory too representing your account number.
  129. Now click on the CloudTrail/ directory and click on us-east-1/.
  130. In case if you do not see any objects under CloudTrail/, please wait for 5 minutes and refresh the objects.
  131. Now click on the <year>, <month> and <date> one after the other.
  132. You will be able to see CloudTrail logs.
  133. Task 1: Sign in to AWS Management Console
  134. Click on the log file whose Last modified time is greater than the timestamp of the picture when it is uploaded.(Refer your notepad)
  135. If there is no log file whose Last modified time is greater than the timestamp of the picture when it is uploaded, wait for 5 more minutes.
  136. Click on the latest log file from the list.
  137. Click on Open.
  138. Press Ctrl+F and search for the Key Id you have saved in the notepad and the picture name you have created.
  139. If you are unable to find them, copy the object URL of the picture you have uploaded again and paste it in the browser and note down the time.
  140. Wait for some time and now search for the logs whose time is greater than that of what you just noted down.
  141. Now you will be able to find the Key ID in the log record.
  142. Encrypting an S3 bucket using AWS Key Management Service (KMS) and monitoring the activities with CloudTrail is a secure way to protect your data and track any changes or access to the bucket. Here are some points to consider for each heading:
  143. Once the lab steps are completed, please click on the Validate button on the left side panel.
  144. This will validate the resources in the AWS account and displays whether you have completed this lab successfully or not.
  145. Sample output :
  146. You have successfully created a KMS key and an S3 bucket.
  147. You have successfully created a CloudTrail and configured it to store events in S3.
  148. You have successfully monitored KMS activity using CloudTrail Logs in S3 bucket.
  149. Sign out of the AWS Account.
  150. You have successfully completed the lab.
  151. Once you have completed the steps, click on End Lab from the lab console.
Task 2

Task 2: Create a customer-managed KMS key

↑ Top
  1. In this task, you will create a customer-managed KMS key and use it to encrypt S3 objects.
  2. Navigate to Key Management Service by clicking on Services in the AWS Management Console, and selecting Key Management Service under Security, Identity and Compliance section.
  3. Click on Create a Key
  4. Task 2: Create a customer-managed KMS key
  5. Under configure key: Key type : Select Symmetric Key usage : Select Encrypt and Decrypt
  6. Under configure key:
  7. Key type : Select Symmetric
  8. Key usage : Select Encrypt and Decrypt
  9. Task 2: Create a customer-managed KMS key
  10. Click on Next
  11. Under Add labels: Alias : Enter whiz-kms-key Description : Enter KMS key to encrypt S3 Objects
  12. Under Add labels:
  13. Alias : Enter whiz-kms-key
  14. Description : Enter KMS key to encrypt S3 Objects
  15. Task 2: Create a customer-managed KMS key
  16. Click on Next
  17. Under Define key administrative permissions: Key administrators: Select the role that is associated with the account you are working with. For example: Whiz_user-<RANDOM_NUMBER>
  18. Under Define key administrative permissions:
  19. Key administrators: Select the role that is associated with the account you are working with. For example: Whiz_user-<RANDOM_NUMBER>
  20. Task 2: Create a customer-managed KMS key
  21. Click on Next
  22. Under Define Key usage permissions: Select the role that is associated with the account you are working with. For Whiz_user-<RANDOM_NUMBER>
  23. Under Define Key usage permissions:
  24. Select the role that is associated with the account you are working with. For Whiz_user-<RANDOM_NUMBER>
  25. Task 2: Create a customer-managed KMS key
  26. Click on Next. In Edit key policy, leave everything as default and click Next.
  27. Review everything and click on the Finish button.
  28. You have successfully created the KMS key.
  29. Task 2: Create a customer-managed KMS key
  30. Copy the Key ID and paste it in the notepad, we will use this later in the lab.
Task 3

Task 3: Create an S3 bucket

↑ Top
  1. In this task, you will create an S3 bucket to upload and encrypt an object an aslo to store events.
  2. Navigate to S3 by clicking on Services in the AWS Management Console, and selecting S3 under Storage section.
  3. Click on Create Bucket
  4. Under General configuration: Bucket type : General purpose Bucket name : Enter a unique name within the global namespace.
  5. Under General configuration:
  6. Bucket type : General purpose
  7. Bucket name : Enter a unique name within the global namespace.
  8. Object ownership: Select ACLs enabled option and choose Object writer as the Object owner
  9. Task 3: Create an S3 bucket
  10. Leave the rest as default and click on Create Bucket.
  11. You have successfully created an S3 bucket.
  12. Task 3: Create an S3 bucket
Task 4

Task 4: Create a CloudTrail and configure it to store events in S3

↑ Top
  1. In this task, you will create a CloudTrail and configure it to store KMS activities in S3 bucket.
  2. Navigate to CloudTrail by clicking on Services in the AWS Management Console, and selecting CloudTrail under Management & Governance section.
  3. Click on the menu section (three lines) on the left side panel and click on Trails.
  4. Click on Create Trail.
  5. Under General details: Trail name : Enter whiz-kms-trails Storage location : Choose Use existing S3 bucket Trail log bucket name : Click on Browse and choose the S3 bucket that you have created earlier(i.e lab-cloudtrail-kms)
  6. Under General details:
  7. Trail name : Enter whiz-kms-trails
  8. Storage location : Choose Use existing S3 bucket
  9. Trail log bucket name : Click on Browse and choose the S3 bucket that you have created earlier(i.e lab-cloudtrail-kms)
  10. Log file SSE-KMS encryption : Uncheck Enabled
  11. Task 4: Create a CloudTrail and configure it to store events in S3
  12. Leave the rest as default and click on Next.
  13. Choose log events: Event type : Check both Management events and Data events.
  14. Choose log events:
  15. Event type : Check both Management events and Data events.
  16. Task 4: Create a CloudTrail and configure it to store events in S3
  17. Management events: API activity : Check both Read and Write
  18. Management events:
  19. API activity : Check both Read and Write
  20. Task 4: Create a CloudTrail and configure it to store events in S3
  21. Data events: Click on Switch to basic event selectors button. Click on Continue button on pop up. All current and future S3 buckets : Uncheck both Read and Write Individual bucket selection : Click on Browse and choose the S3 bucket that we have created earlier(i.e lab-cloudtrail-kms) Make sure you have checked both Read and Write next to the Browse.
  22. Data events:
  23. Click on Switch to basic event selectors button.
  24. Click on Continue button on pop up.
  25. All current and future S3 buckets : Uncheck both Read and Write
  26. Individual bucket selection : Click on Browse and choose the S3 bucket that we have created earlier(i.e lab-cloudtrail-kms)
  27. Make sure you have checked both Read and Write next to the Browse.
  28. Task 4: Create a CloudTrail and configure it to store events in S3
  29. Click on Next.
  30. Review everything and click on Create Trail.
  31. You have successfully created a CloudTrail and can find yours under Trails.
  32. Task 4: Create a CloudTrail and configure it to store events in S3
Task 5

Task 5: Uploading an object and encrypting it

↑ Top
  1. In this task, you will upload an image from our local PC and encrypt it using the KMS key we have created in Task 3.
  2. Navigate to S3 by clicking on Services in the AWS Management Console, and selecting S3 under the Storage section.
  3. Click on the S3 bucket (lab-cloudtrail-kms) we have created.
  4. Task 5: Uploading an object and encrypting it
  5. Click on the Upload button.
  6. Task 5: Uploading an object and encrypting it
  7. Click on Add files and choose a picture from your local PC and Click on the Upload button.
  8. Task 5: Uploading an object and encrypting it
  9. Click on the object which we have uploaded. Go to the Properties tab.
  10. Scroll down to Server-side encryption settings and click Edit: Encryption settings : Override bucket settings for default encryption Encryption key type : Select Server Side Encryption with AWS Key Management Service key(SSE-KMS) AWS KMS key : Select Choose from your AWS KMS keys and from the drop-down menu select the KMS key we have created i.e whiz-kms-key
  11. Scroll down to Server-side encryption settings and click Edit:
  12. Encryption settings : Override bucket settings for default encryption
  13. Encryption key type : Select Server Side Encryption with AWS Key Management Service key(SSE-KMS)
  14. AWS KMS key : Select Choose from your AWS KMS keys and from the drop-down menu select the KMS key we have created i.e whiz-kms-key
  15. Task 5: Uploading an object and encrypting it
  16. Leave everything as default and click on the Save Changes button.
  17. Click on close and you will see your uploaded picture under the objects section.
  18. Note the Last Modified time in the notepad.
Task 6

Task 6: Accessing the encrypted object

↑ Top
  1. In this task, you will try to access the encrypted object through both S3 console and Object URL.
  2. Click on the picture you have uploaded and click on Open on the top right side of your screen.
  3. Task 6: Accessing the encrypted object
  4. The picture opens in a new tab/window.
  5. What happens behind the scenes Amazon S3 sends the encrypted data key to AWS KMS. AWS KMS decrypts the key by using the appropriate master key and sends the plaintext key back to Amazon S3. Amazon S3 decrypts the cypher text and removes the plaintext data key from memory as soon as possible.
  6. What happens behind the scenes
  7. Amazon S3 sends the encrypted data key to AWS KMS.
  8. AWS KMS decrypts the key by using the appropriate master key and sends the plaintext key back to Amazon S3.
  9. Amazon S3 decrypts the cypher text and removes the plaintext data key from memory as soon as possible.
  10. Close the tab/window that displayed your picture.
  11. Now copy the Object URL and paste it into a new tab of your browser and hit Enter.
  12. You will see a page with the message “Access denied.” And that is because by default, the public access is blocked.
  13. Task 6: Accessing the encrypted object
  14. Go back to the bucket, click on the Permissions section.
  15. Task 6: Accessing the encrypted object
  16. Under Block public access, click on Edit and uncheck Block all public access and click on Save changes.
  17. Task 6: Accessing the encrypted object
  18. In the next screen, Type confirm and click on Confirm button.
  19. Task 6: Accessing the encrypted object
  20. You have successfully edited Block Public Access settings.
  21. Now go to the Objects tab and click on your object.
  22. On the top right corner, click the Object actions drop-down menu and click on Make public using ACL.
  23. Click on Make public button.
  24. Now refresh the tab where you have pasted the Object URL earlier.
  25. You should see a message something like this.
  26. Task 6: Accessing the encrypted object
  27. This is because the picture is encrypted and you are not able to view it using the public link. If you are uploading or accessing objects encrypted by SSE-KMS, you need to use AWS Signature Version 4 for added security.
Task 7

Task 7: Monitoring KMS activity using CloudTrail Logs

↑ Top
  1. In this task, you will access and view our CloudTrail log files in the S3 bucket related to KMS encryption operations.
  2. Go back to the S3 bucket we have created and you will be able to find one more object with the name AWSLogs/.
  3. Task 7: Monitoring KMS activity using CloudTrail Logs
  4. Click on it and click on the next directory too representing your account number.
  5. Now click on the CloudTrail/ directory and click on us-east-1/.
  6. In case if you do not see any objects under CloudTrail/, please wait for 5 minutes and refresh the objects.
  7. Now click on the <year>, <month> and <date> one after the other.
  8. You will be able to see CloudTrail logs.
  9. Task 7: Monitoring KMS activity using CloudTrail Logs
  10. Click on the log file whose Last modified time is greater than the timestamp of the picture when it is uploaded.(Refer your notepad)
  11. If there is no log file whose Last modified time is greater than the timestamp of the picture when it is uploaded, wait for 5 more minutes.
  12. Click on the latest log file from the list.
  13. Click on Open.
  14. Press Ctrl+F and search for the Key Id you have saved in the notepad and the picture name you have created.
  15. If you are unable to find them, copy the object URL of the picture you have uploaded again and paste it in the browser and note down the time.
  16. Wait for some time and now search for the logs whose time is greater than that of what you just noted down.
  17. Now you will be able to find the Key ID in the log record.
  18. Encrypting an S3 bucket using AWS Key Management Service (KMS) and monitoring the activities with CloudTrail is a secure way to protect your data and track any changes or access to the bucket. Here are some points to consider for each heading:
Task 8

Task 8: Validation Test

↑ Top
  1. Once the lab steps are completed, please click on the Validate button on the left side panel.
  2. This will validate the resources in the AWS account and displays whether you have completed this lab successfully or not.
  3. Sample output :
  4. You have successfully created a KMS key and an S3 bucket.
  5. You have successfully created a CloudTrail and configured it to store events in S3.
  6. You have successfully monitored KMS activity using CloudTrail Logs in S3 bucket.
  7. Sign out of the AWS Account.
  8. You have successfully completed the lab.
  9. Once you have completed the steps, click on End Lab from the lab console.
← Back to Labs