Use Encryption Keys Like a Pro With AWS Key Management

Published:9 August 2022 - 11 min. read

Michael Nguyen Tu Image

Michael Nguyen Tu

Read more tutorials by Michael Nguyen Tu!

Meet Active Directory and Windows Server auditing, security and compliance needs with ManageEngine ADAudit Plus. Download Free Trial!

Are you looking for a way to encrypt and decrypt your data quickly? Check out AWS Key Management! This service offers high-level security for your data by allowing you to create and manage cryptographic keys. You can also control who has access to your keys and what actions they can take with them.

This tutorial, by no means, covers everything there is to know about AWS Key Management. But, it will give you a good overview of the basics of using this powerful tool.

Read on to take advantage of AWS Key Management’s security benefits!

Prerequisites

This tutorial will be a hands-on demonstration. If you’d like to follow along, be sure you have the following.

  • An AWS account with active billing. You can create an AWS account for free here. The free tier includes enough services to get you started with this tutorial.
  • You have AWS CLI installed and configured on your machine. Check out this tutorial for more information.

Creating a KMS Key Using The AWS Console

Read on if you prefer the AWS console (GUI) instead of the AWS CLI. The following section will guide you through creating a KMS key using the console.

Creating an IAM User

To get started, you must create an IAM user that you’ll use to access the AWS Key Management Service from the AWS Command Line Interface (CLI).

IAM users are separate from your AWS root account credentials. Using IAM users is considered a best practice because it allows you to have granular control over who has access to what resources in your AWS account.

Follow these steps to create an IAM user with password access for the AWS Key Management Service:

1. Sign in to the AWS Management Console as the root user.

2. Type IAM into the Find services search bar and select IAM from the results to open the IAM console. This console is where you can manage IAM users and their permissions.

Opening the IAM console
Opening the IAM console

3. Navigate to Users → Add users to add a new IAM user.

Adding a new IAM user
Adding a new IAM user

4. Do the following steps on the Add user page.

Enter a name for your new user. In this example, it’s called KMSUserConsole.

Select the Password – AWS Management Console access radio button > Autogenerated password. This option will generate a random password for your user.

Make sure the User must create a new password at next sign-in checkbox is unchecked. This action will allow you to log in as this user without having to reset the password first.

Click Next: Permissions to continue.

Adding the IAM user details
Adding the IAM user details

5. On the Set permissions page, select Attach existing policies directly. Select AdministratorAccess from the list of available policies. This policy gives the user full access to AWS, including the ability to create and manage keys.

Click Next: Tags to continue.

Setting permissions
Setting permissions

6. On the Add tags (optional) page, you can add any relevant tags to your user. For this tutorial, you will not be adding any tags. Click Next: Review to review your user’s permissions and information.

Viewing the Add tags (optional) page
Viewing the Add tags (optional) page

7. Ensure that the AdministratorAccess policy is selected and click Create user to finish creating your new IAM user.

AdministratorAccess
AdministratorAccess

8. The IAM user creation ends after a few minutes, and you will see a Success banner message.

Copy or download the password somewhere safe because you will need it to log in as this new IAM user later.

Click on the URL next to the message to navigate to the IAM user sign-in page.

Click Close to close the message window.

IAM User creation completion
IAM User creation completion

9. On the next page, enter the username and password you just generated and click Sign in to log in as your new IAM user.

Signing in as the IAM user
Signing in as the IAM user

Creating a KMS Key Using the AWS Console

Now that you’ve logged in to the AWS Management Console as your IAM user, you’re ready to create your first KMS key.

Follow these steps to create a KMS key using the AWS console.

1. Type KMS into the Find services search bar. Select Key Management Service from the results to open the KMS console.

Opening the KMS console
Opening the KMS console

2. Click on Customer managed keys in the left-hand sidebar > Create key to create a new KMS key.

Creating a new key
Creating a new key

3. Do the following on the next screen.

Key type: Select Symmetric. This type of key is for encryption and decryption and works best for most use cases.

Key usage: Select Encryption and decryption. This key usage allows you to use your key for encryption and decryption.

Keep all others settings as their default values and click Next.

Configuring keys
Configuring keys

4. Enter an Alias for your key. This alias will help you quickly identify your key in the KMS console. The alias must be between 1 and 256 characters long and can only contain alphanumeric characters, hyphens (-), and underscores (_).

The alias can not start with aws/ since this prefix is reserved for AWS-managed keys. You will get the following error message if you try to use this prefix.

Getting the aws/ is a restricted prefix error.
Getting the aws/ is a restricted prefix error.

Enter a Description for your key. This field is optional, but it’s always a good idea to include a description so you can remember the key’s usage for later.

Keep all others settings as their default values and click Next to continue.

Adding an alias
Adding an alias

5. Select the checkbox next to the user you created earlier, KMSUserConsole. This user will be the only one who has access to use this key.

Keep the Allow key administrators to delete this key unchecked since you will not want anyone to delete your key.

Click Next to continue.

Selecting key admin
Selecting key admin

Select the user you created earlier, KMSUserConsole, and click next. This action lets your user use the key in cryptographic operations, like encrypting and decrypting data.

Selecting the IAM users and roles that can access the KMS key in cryptographic operations
Selecting the IAM users and roles that can access the KMS key in cryptographic operations

7. Finally, click on the Finish button to complete the key creation process.

Completing the key creation process
Completing the key creation process

Your new KMS key will now appear in the customer-managed keys section of the KMS console. You can see information about your key, such as when the status, key ID, alias, etc.

Viewing your keys
Viewing your keys

Managing KMS Keys Using the AWS Console

Now that you’ve created a KMS key, the following sections show you about managing them using the AWS console.

Editing a KMS Key

You can edit a KMS key at any time to change its settings. To do this, follow these steps:

1. Click on the hyperlink of the key you want to edit. This action opens the key details page.

Opening the key details page.
Opening the key details page.

2. Click on the Edit button in the upper right-hand corner of the page.

Click on the Edit button.
Click on the Edit button.

3. Make any changes you want to make to the key and click Save. You must know that the only thing you can change is the description.

make to the key and click Save
make to the key and click Save

Disabling and Enabling a KMS Key

You can disable and enable a KMS key at any time. By default, all keys are enabled when they are first created. Suppose a key may have been compromised. It’s a good idea to disable the key until you investigate further.

1. Tick the checkbox next to the key you want to disable and click Key actions → Disable.

Disabling a KMS Key
Disabling a KMS Key

2. A window asks you to confirm that you want to disable the key. Click the checkbox next to Confirm that you want to disable this key and click Disable.

Confirming to disable a key
Confirming to disable a key

The key is now disabled, and you will see a message on the key details page. The status of the key will also change to Disabled, as shown below.

Viewing your key is disabled
Viewing your key is disabled

3. When your investigation is complete, you can re-enable a key, and you’re ready to start using the key again. Tick the checkbox next to the key you want to enable → Key actions → Enable.

Key actions → Enable.
Key actions → Enable.

Creating a KMS Key Using the AWS CLI

Big fan of using the AWS CLI? Good for you! You can also create a KMS key using the AWS CLI. This section will teach you how to create an IAM user with programmatic access.

After creating the user, you will store the credentials in an AWS profile. You will interact with AWS with that profile to create a KMS key.

Creating an IAM User with Programmatic Access

You need an IAM user with programmatic access to authenticate using the AWS CLI without a password. Programmatic access uses access keys, a combination of an access key ID and a secret access key to make API calls.

Follow these steps to create an IAM user with programmatic access

1. Create a new IAM user named KMSUserCli in the AWS Console. Refer to the earlier Creating an IAM User section (steps 1 to 4).

2. When you reach the Select AWS access type, select Programmatic access and click Next: Permissions.

Selecting Programmatic access
Selecting Programmatic access

3. Select Attach existing policies directly. Tick the checkbox next to AdministratorAccess and click Next: Tags.

Selecting permissions
Selecting permissions

4. Skipping adding tags and click Next: Review.

Skip adding tags
Skip adding tags

5. Finally, click Create user to create the user.

Creating an IAM user
Creating an IAM user

Once the process completes, you will see a screen similar to the one below, with your new user’s access key ID and secret access key. These are the keys that you will use to configure the AWS CLI. Be sure to store these keys in a safe place, as you cannot view them again after this page!

Don’t share those keys in public CI/CD pipelines or comments on GitHub or other public forums!

Viewing your access keys
Viewing your access keys

Configuring the AWS CLI Profile

Now that you have created an IAM user, you need to set up your AWS profile on your machine so that you can access the AWS Key Management Service using the credentials for that user.

Follow these steps to configure your AWS profile:

1. Open PowerShell or Command Prompt as an administrator.

2. Run the below command to verify if you have the AWS CLI installed. You will see something similar to the screenshot below if it is installed.

aws --version
Verify if you have the AWS CLI installed.
Verify if you have the AWS CLI installed.

3. Now, run the below command to set up your new profile.

aws configure

4. At the prompt, enter the following information.

  • AWS Access Key ID: Enter the access key ID for the IAM user you created earlier.
  • AWS Secret Access Key: Enter the secret access key for the IAM user you created earlier.
  • Default region name: Enter your preferred region. For this tutorial, you will use us-west-2.
  • Default output format: Enter JSON. Output in JSON format is easier to read.
Configuring a profile in AWS CLI
Configuring a profile in AWS CLI

Creating a KMS Key Using The AWS CLI

Now that you have an IAM user with programmatic access, you can start creating a KMS key.

Run the following command to create a new KMS key.

aws km create-key

You will see an output similar to the one below. The KeyId is the identifier of your new KMS key. Note it down as you will need it later.

Creating a KMS Key Using The AWS CLI.
Creating a KMS Key Using The AWS CLI.

Since you don’t explicitly specify a key policy, AWS KMS creates a default key policy for the new key. This policy gives full control of the key to the root user, including the ability to create AWS Identity and Access Management (IAM) users and roles.

Run the following command to retrieve the key policy of your new KMS key. Replace the --key-id argument with the actual KeyId of your new KMS key. This command returns a text document that contains the key policy of your new KMS key.

aws km get-key-policy --key-id you_KeyId_here --policy-name default --output text

The output should look something like the one below.

Retrieving the key policy of your new KMS key.
Retrieving the key policy of your new KMS key.

Managing KMS Keys Using the AWS CLI

Now that you have created a KMS key, you can learn how to manage it using the AWS CLI. This section will teach you how to list, disable, and enable a KMS key.

You can disable and enable a KMS key at any time. Disabling a KMS key is useful when you want to investigate potential misuse or if you need to stop using the key for any other reason temporarily.

1. Run the following command to disable a KMS key. Replace the –key-id argument with the actual KeyId of your KMS key. This command doesn’t have any output.

aws aws kms disable-key --key-id you_KeyId_here
Disabling a KMS key.
Disabling a KMS key.

2. To verify that the key is disabled, run the following command. The output should include the “KeyState”: “Disabled” field, as shown.

aws kms describe-key --key-id you_KeyId_here
Verifying that the key is disabled.
Verifying that the key is disabled.

3. To enable the key, run the following command. Again, this command doesn’t have any output.

aws kms enable-key --key-id you_KeyId_here
aws kms describe-key --key-id you_KeyId_here
Enabling the key.
Enabling the key.

4. Finally, run the following command to list all the KMS keys in your account. The output includes information such as the keyId and KeyArn of each key.

aws kms list-keys
Listing all the KMS keys in your account,
Listing all the KMS keys in your account,

Conclusion

In this article, you learned how to create and manage KMS keys using the AWS CLI and the AWS console. You also learned how to create an IAM user with programmatic access allowing AWS CLI to manage your KMS keys.

AWS key management skill is essential for anyone who works with AWS, especially if you are responsible for managing sensitive data. Following the steps in this article, you should now have the skills you need to start using AWS KMS.

With this newfound knowledge, why not create AWS KMS resources with AWS CloudFormation to save time and effort?

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!