{"id":4800,"date":"2021-03-31T12:00:46","date_gmt":"2021-03-31T12:00:46","guid":{"rendered":"https:\/\/www.aqbsolutions.com\/?p=4800"},"modified":"2025-07-10T08:45:49","modified_gmt":"2025-07-10T08:45:49","slug":"aws-kms-hands-on-tutorial","status":"publish","type":"post","link":"https:\/\/aqbsolutions.com\/blog\/2021\/03\/31\/aws-kms-hands-on-tutorial\/","title":{"rendered":"AWS KMS HANDS ON TUTORIAL"},"content":{"rendered":"\n
In this article, you will learn what is KMS, different types of keys in KMS.<\/p>\n\n\n\n\n\n
<\/p>\n\n\n\n
Use Cases of AWS KMS:<\/strong><\/h2><\/p>\n\n\n\n
AWS KMS is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data. The customer master keys that you create in AWS KMS are protected by hardware security modules or HSMs.<\/p>\n\n\n\n
So what are some of the features of KMS:<\/p>\n\n\n\n
\n
It is fully managed<\/li>\n\n\n\n
It is a centralized key management<\/li>\n\n\n\n
Integration with other AWS Services<\/li>\n\n\n\n
Secure and Compliant<\/li>\n<\/ul>\n\n\n\n<\/figure>\n\n\n\n
AWS KMS has been certified under multiple schemes to simplify your own compliance obligations.<\/p>\n\n\n\n
There are two types of keys that are supported by the AWS KMS service, which are Customer Master Key and Data Key. So will understand the difference between them. We will see that how do they come together and work and all of such things. I will show how you create your own Customer Master Key and how can you generate a data key as well.<\/p>\n\n\n\n
Types of Encryption:<\/strong><\/h2><\/p>\n\n\n\n
\n
Symmetric Encryption: In the case of symmetric encryption what happens is the key which you use to encrypt the data same key is used to decrypt the data as well. That\u2019s why the name is symmetric, the same key is being used for encryption and decryption.<\/li>\n\n\n\n
Asymmetric encryption: In asymmetric encryption, there are two keys. You can use the public key to encrypt the data and then there will be the private or secret key that you will use to decrypt the data.<\/li>\n<\/ul>\n\n\n\n
Master Key: A key created by AWS KMS that can only be used within the AWS KMS service. The master key is commonly used to encrypt data keys so that the encrypted key can be securely stored by your service. However, AWS KMS master key can also be used to encrypt or decrypt arbitrary chunks of data that are no greater than 4 KiB. Customer master keys are created by a customer for use by a service or application. AWS managed keys are the default keys used by AWS services that support encryption.<\/p>\n\n\n\n
Data Key: A symmetric key generated by AWS KMS for your service. Inside of your service or application, the data key is used to encrypt or decrypt data. It can be considered a resource by a service or application.<\/p>\n\n\n\n
How to Encrypt Data?<\/strong><\/h3><\/p>\n\n\n\n
\n
Use OpenSSL or AWS Encryption SDK to encrypt data using data keys outside AWS.<\/li>\n\n\n\n
Encrypt data using Plaintext data key.<\/li>\n\n\n\n
Never store Plaintext close to encrypted data by removing it from memory ASAP.<\/li>\n<\/ul>\n\n\n\n<\/figure>\n\n\n\n
How to Decrypt Data?<\/strong><\/h3><\/p>\n\n\n\n
\n
Call KMS API with the Encrypted data key<\/li>\n\n\n\n
KMS will send the Plaintext Key<\/li>\n\n\n\n
Use the Plaintext Key to decrypt the encrypted data<\/li>\n<\/ul>\n\n\n\n<\/figure>\n\n\n\n
Data Encryption: <\/strong><\/h3><\/p>\n\n\n\n
Data Encryption is vital if you have sensitive data that must not be accessed by unauthorized users.<\/p>\n\n\n\n
If you stored your data in plain text the hacker can do whatever he wants with the data and usually guys don\u2019t do good things with it. But if the data had been encrypted the hacker would have a hard time decrypting that data even if he hacked your database server. So Encryption is vital especially if you are dealing with sensitive data. And also encryption is highly recommended for a security by design architectures.<\/p>\n\n\n\n
Two main methods to implement Encryption at-rest<\/p>\n\n\n\n
\n
Client-side Encryption<\/li>\n\n\n\n
Server-side Encryption<\/li>\n<\/ul>\n\n\n\n
The first one is client-side encryption where you can encrypt your data at the client-side and send all the way to the server or any backend services like S3, EBS, Redshift etc.<\/p>\n\n\n\n
The second method is server-side encryption. In server-side encryption you let your backend services to let your data and manage those keys on your behalf.<\/p>\n\n\n\n
So in client-side encryption you encrypt the data and manage your own keys and also you can use kms as a key management infrastructure. If you don\u2019t want to use kms you can manage it by yourself.<\/p>\n\n\n\n
In server-side encryption you let AWS to manage your keys for you. Most AWS services like S3, EBS, Redshift provides server-side encryption and they also use kms behind the scenes.<\/p>\n\n\n\n
So the point I want to highlight is that kms is used in both, server-side encryption as well as in client-side encryption.<\/p>\n\n\n\n
Types of customer-managed keys:<\/strong><\/h3><\/p>\n\n\n\n
In AWS KMS there are three types Customer Managed keys.<\/p>\n\n\n\n
\n
AWS managed default CMK keys : Free<\/li>\n\n\n\n
User keys created in kms : $1 per month<\/li>\n\n\n\n
user keys imported which must be 256bit symmetric keys:$1\/month\u00a0\u00a0<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/aqbsolutions.com\/blog\/wp-content\/uploads\/2021\/03\/what-are-the-features-of-KMS-1.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/aqbsolutions.com\/blog\/wp-content\/uploads\/2021\/03\/How-Should-Data-be-Encrypted.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/aqbsolutions.com\/blog\/wp-content\/uploads\/2021\/03\/Steps-to-Decrypt-Data.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/4.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/5.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/6.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/7.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/8.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/9.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/10.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/11.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/12.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/13.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/14.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/15.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/16.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/17.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.aqbsolutions.com\/wp-content\/uploads\/2021\/03\/18.png\")
<\/figure>\n\n\n\n